Security vulnerability (CVE) list
The following table lists the CVEs that affect Open Liberty, ordered by the release in which they were fixed.
| CVE | CVSS Score | Vulnerability Assessment | Versions Affected | Version Fixed | Notes |
|---|---|---|---|---|---|
| | 5.7 | Denial of service | 21.0.0.2 - 22.0.0.12 | 22.0.0.13 | Affects the grpc-1.0 and grpcClient-1.0 features |
| | 5.7 | Denial of service | 21.0.0.2 - 22.0.0.12 | 22.0.0.13 | Affects the grpc-1.0 and grpcClient-1.0 features |
| | 7.5 | Denial of service | 17.0.0.3 - 22.0.0.11 | 22.0.0.12 | Affects the mpGraphQL-1.0 and mpGraphQL-2.0 features |
| | 7.5 | Denial of service | 17.0.0.3 - 22.0.0.10 | 22.0.0.11 | Affects the openid-2.0 feature |
| | 5.4 | HTTP header injection | 17.0.0.3 - 22.0.0.9 | 22.0.0.10 | |
| | 5 | Identity spoofing | 17.0.0.3 - 22.0.0.7 | 22.0.0.8 | Affects the appSecurity-1.0, appSecurity-2.0, appSecurity-3.0 and appSecurity-4.0 features |
| | 7.1 | Identity spoofing | 17.0.0.3 - 22.0.0.5 | 22.0.0.6 | Affects the appSecurity-1.0, appSecurity-2.0, appSecurity-3.0 and appSecurity-4.0 features |
| | 3.1 | Information disclosure | 17.0.0.3 - 22.0.0.5 | 22.0.0.6 | Affects the adminCenter-1.0 feature |
| | 4.4 | Clickjacking vulnerability | 17.0.0.3 - 22.0.0.2 | 22.0.0.3 | Affects the openapi-3.1, mpOpenAPI-1.0, mpOpenAPI-1.1 and mpOpenAPI-2.0 features |
| | 9.8 | Remote code execution | 17.0.0.3 - 22.0.0.2 | 22.0.0.3 | Affects the adminCenter-1.0 feature |
| | 4.3 | Clickjacking | 21.0.0.12 - 22.0.0.1 | 22.0.0.2 | Affects the openapi-3.1, mpOpenAPI-1.0, mpOpenAPI-1.1, mpOpenAPI-2.0 and mpOpenAPI-3.0 features |
| | 5.4 | Spoofing attack | 21.0.0.12 - 22.0.0.1 | 22.0.0.2 | Affects the openapi-3.1, mpOpenAPI-1.0, mpOpenAPI-1.1, mpOpenAPI-2.0 and mpOpenAPI-3.0 features |
| | 7.5 | LDAP injection | 17.0.0.3 - 22.0.0.1 | 22.0.0.2 | Affects the ldapRegistry-3.0 feature |
| | 4.8 | Information disclosure | 21.0.0.10 - 21.0.0.12 | 22.0.0.1 | Affects the jaxws-2.2 feature |
| | 7.5 | Denial of service | 17.0.0.3 - 21.0.0.9 | 21.0.0.10 | |
| | 5.5 | Denial of service | 17.0.0.3 - 21.0.0.9 | 21.0.0.10 | |
| | 3.7 | Information disclosure | 17.0.0.3 - 21.0.0.9 | 21.0.0.10 | Affects the federatedRegistry-1.0 feature |
| | 8.8 | Cross-site request forgery | 17.0.0.3 - 21.0.0.3 | 21.0.0.4 | |
| | 5.3 | Bypass security | 17.0.0.3 - 20.0.0.10 | 20.0.0.11 | Affects the beanValidation-2.0 feature |
| | 5.3 | Denial of service | 19.0.0.5 - 20.0.0.9 | 20.0.0.10 | Affects the oauth-2.0 and openidConnectServer-1.0 features |
| | 5 | Identity spoofing | 19.0.0.5 - 20.0.0.4 | 20.0.0.5 | Affects the openidConnectServer-1.0 feature |
| | 4.3 | Information disclosure | 17.0.0.3 - 20.0.0.4 | 20.0.0.5 | Affects the servlet-3.1, servlet-4.0, appSecurity-2.0, and appSecurity-3.0 features |
| | 6.1 | Cross-site scripting | 17.0.0.3 - 20.0.0.3 | 20.0.0.4 | Affects the oauth-2.0, openidConnectClient-1.0, openidConnectServer-1.0, and samlWeb-2.0 features |
| | 6.1 | Cross-site scripting | 17.0.0.3 - 20.0.0.3 | 20.0.0.4 | Affects the oauth-2.0, openidConnectClient-1.0, openidConnectServer-1.0, and samlWeb-2.0 features |
| | 6.1 | Cross-site scripting | 17.0.0.3 - 20.0.0.2 | 20.0.0.3 | Affects the jaxws-2.2 feature |
| | 5.3 | Denial of service | 17.0.0.3 - 20.0.0.1 | 20.0.0.2 | |
| | 7.5 | Denial of service | 17.0.0.3 - 20.0.0.1 | 20.0.0.2 | |
| | 5.3 | Information disclosure | 17.0.0.3 - 19.0.0.12 | 20.0.0.1 | Affects the mpOpenAPI-1.0, mpOpenAPI-1.1, and openapi-3.1 features |
| | 5.3 | Information disclosure | 17.0.0.3 - 19.0.0.10 | 19.0.0.11 | |
| | 6.8 | Spoofing | 17.0.0.3 - 19.0.0.10 | 19.0.0.11 | Affects the wsSecurity-1.1 and samlWeb-2.0 features |
| | 7.5 | Denial of service | 17.0.0.3 - 19.0.0.9 | 19.0.0.10 | Affects the servlet-3.1 and servlet-4.0 features |
| | 7.5 | Denial of service | 17.0.0.3 - 19.0.0.9 | 19.0.0.10 | Affects the servlet-3.1 and servlet-4.0 features |
| | 7.5 | Denial of service | 17.0.0.3 - 19.0.0.9 | 19.0.0.10 | Affects the servlet-3.1 and servlet-4.0 features |
| | 7.5 | Denial of service | 17.0.0.3 - 19.0.0.9 | 19.0.0.10 | Affects the servlet-3.1 and servlet-4.0 features |
| | 7.5 | Denial of service | 17.0.0.3 - 19.0.0.9 | 19.0.0.10 | Affects the servlet-3.1 and servlet-4.0 features |
| | 7.5 | Denial of service | 17.0.0.3 - 19.0.0.9 | 19.0.0.10 | Affects the servlet-3.1 and servlet-4.0 features |
| | 6.3 | Bypass security | 17.0.0.3 - 19.0.0.9 | 19.0.0.10 | Affects the appSecurity-1.0 and appSecurity-2.0 features |
| | 5.3 | Information disclosure | 17.0.0.3 - 19.0.0.9 | 19.0.0.10 | Affects the appSecurity-1.0 and appSecurity-2.0 features |
| | 6.5 | Man-in-the-Middle | 17.0.0.3 - 19.0.0.7 | 19.0.0.8 | Affects the wsSecurity-1.1 and samlWeb-2.0 features |
| | 5.9 | Denial of service | 17.0.0.3 - 19.0.0.3 | 19.0.0.4 | Affects the servlet-3.1 and servlet-4.0 features |
| | 3.1 | Spoofing | 17.0.0.3 - 19.0.0.2 | 19.0.0.3 | Affects the servlet-3.1 and servlet-4.0 features |
| | 5.0 | Privilege escalation | 17.0.0.3 - 18.0.0.3 | 18.0.0.4 | Affects the ldapRegistry-3.0 feature |
| | 5.0 | Bypass security | 17.0.0.3 - 18.0.0.3 | 18.0.0.4 | |
| | 7.5 | Man-in-the-Middle | 17.0.0.3 - 18.0.0.2 | 18.0.0.3 | |
| | 5.9 | Information disclosure | 17.0.0.3 - 18.0.0.2 | 18.0.0.3 | Affects the jaspic-1.1 feature |
| | 5.9 | Information disclosure | 17.0.0.3 - 18.0.0.2 | 18.0.0.3 | Affects the ejbRemote-3.2 feature |
| | 5.3 | Denial of service | 17.0.0.3 - 17.0.0.4 | 18.0.0.1 | |
| | 5.3 | Spoofing | 17.0.0.3 - 17.0.0.4 | 18.0.0.1 | Affects any feature that enables security, for example, the appSecurity-2.0, appSecurity-3.0, and restConnector-2.0 features |
| | 9.8 | Execute code | 17.0.0.3 - 17.0.0.4 | 18.0.0.1 | Affects the servlet-3.1 and servlet-4.0 features |