Security vulnerability (CVE) list

The Common Vulnerabilities and Exposures (CVE) system is a reference of publicly known network vulnerabilities that is maintained by the US National Institute of Standards and Technology (NIST). The CVE list catalogs known cybersecurity vulnerabilities.

The following table lists the CVEs that affect Open Liberty, ordered by the release in which they were fixed. The table also includes the Liberty features that are affected by each CVE. You can determine whether your Liberty configuration might be affected by a CVE by reviewing the features that are installed and running on your server. Occasionally, Liberty features that are not specified in the server.xml file are enabled automatically by other features. To confirm whether a particular feature is enabled in a Liberty server, inspect the CWWKF0012I message in the console.log, messages.log, or trace.log files from the Liberty server. This message provides a comprehensive list of all the features that are installed and running on the Liberty server.

CWWKF0012I: The server installed the following features: [appSecurity-2.0, distributedMap-1.0, jndi-1.0, samlWeb-2.0, ssl-1.0].

The CWWKF0012I message uses the word "installed", but it lists features that are both installed and running on the Liberty server.
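The check described above, as an added example that is not part of Open Liberty or its tooling: it reads the feature list from the CWWKF0012I message and compares it, together with the server version, against rows of the table. The names `ADVISORIES`, `running_features` and `applicable_cves` are hypothetical, the advisory data is a subset copied from this page, and the Liberty version is assumed to be supplied by the caller.

```python
import re

# Constructed subset of this page's table: (CVE, first affected, last affected, features).
# An empty set means the page names no specific feature for that CVE.
ADVISORIES = [
    ("CVE-2023-50314", "17.0.0.3", "24.0.0.8", set()),
    ("CVE-2024-27268", "18.0.0.2", "24.0.0.4",
     {"servlet-3.1", "servlet-4.0", "servlet-5.0", "servlet-6.0"}),
    ("CVE-2023-44483", "17.0.0.3", "23.0.0.11",
     {"wsSecurity-1.1", "wsSecuritySaml-1.1", "samlWeb-2.0"}),
    ("CVE-2023-46158", "23.0.0.9", "23.0.0.10",
     {"appSecurity-1.0", "appSecurity-2.0", "appSecurity-3.0",
      "appSecurity-4.0", "appSecurity-5.0"}),
]

# Matches the bracketed feature list of a CWWKF0012I message on one log line.
FEATURE_MSG = re.compile(r"CWWKF0012I:[^\[\n]*\[([^\]\n]*)\]")

def running_features(log_text):
    """Union of the features named in every CWWKF0012I message in the log."""
    features = set()
    for match in FEATURE_MSG.finditer(log_text):
        features.update(f.strip() for f in match.group(1).split(",") if f.strip())
    return features

def version_key(version):
    """'23.0.0.10' -> (23, 0, 0, 10), so 23.0.0.10 sorts after 23.0.0.9."""
    return tuple(int(part) for part in version.split("."))

def applicable_cves(log_text, liberty_version):
    """Return [(cve, matched_features)] for rows whose version range and features apply."""
    running = running_features(log_text)
    current = version_key(liberty_version)
    hits = []
    for cve, first, last, affected in ADVISORIES:
        if not version_key(first) <= current <= version_key(last):
            continue
        matched = sorted(affected & running)
        if matched or not affected:  # rows with no listed feature apply on version alone
            hits.append((cve, matched))
    return hits

# Sample log: the message line shown on this page.
SAMPLE_LOG = ("CWWKF0012I: The server installed the following features: "
              "[appSecurity-2.0, distributedMap-1.0, jndi-1.0, samlWeb-2.0, ssl-1.0].\n")

if __name__ == "__main__":
    for cve, feats in applicable_cves(SAMPLE_LOG, "23.0.0.10"):
        print(cve, ", ".join(feats) or "(no specific feature listed)")
```

Because the feature set comes from the log message and not from server.xml, features that other features enabled automatically are included in the comparison.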

| CVE | CVSS score by X-Force® | Vulnerability assessment | Versions affected | Version fixed | Notes |
| --- | --- | --- | --- | --- | --- |
| CVE-2023-50314 | 5.3 | Information disclosure | 17.0.0.3 - 24.0.0.8 | 24.0.0.9 | |
| CVE-2024-22354 | 7.0 | XML External Entity (XXE) injection | 17.0.0.3 - 24.0.0.5 | 24.0.0.6 | |
| CVE-2024-27268 | 5.9 | Denial of service | 18.0.0.2 - 24.0.0.4 | 24.0.0.5 | Affects the servlet-3.1, servlet-4.0, servlet-5.0 and servlet-6.0 features |
| CVE-2024-22353 | 5.9 | Denial of service | 17.0.0.3 - 24.0.0.4 | 24.0.0.5 | Affects the openidConnectClient-1.0 and socialLogin-1.0 features |
| CVE-2024-25026 | 5.9 | Denial of service | 17.0.0.3 - 24.0.0.4 | 24.0.0.5 | Affects the servlet-3.1, servlet-4.0, servlet-5.0 and servlet-6.0 features |
| CVE-2023-51775 | 7.5 | Denial of service | 21.0.0.3 - 24.0.0.3 | 24.0.0.4 | Affects the openidConnectClient-1.0, socialLogin-1.0, mpJwt-1.2, mpJwt-2.0, mpJwt-2.1 and jwt-1.0 features |
| CVE-2024-27270 | 4.7 | Cross-site scripting | 23.0.0.3 - 24.0.0.3 | 24.0.0.4 | Affects the servlet-6.0 feature |
| CVE-2023-50312 | 5.3 | Weaker security | 17.0.0.3 - 24.0.0.2 | 24.0.0.3 | |
| CVE-2023-44487 | 7.5 | Denial of service | 18.0.0.2 - 23.0.0.11 | 23.0.0.12 | Affects the servlet-3.1, servlet-4.0, servlet-5.0 and servlet-6.0 features |
| CVE-2023-44483 | 6.5 | Information disclosure | 17.0.0.3 - 23.0.0.11 | 23.0.0.12 | Affects the wsSecurity-1.1, wsSecuritySaml-1.1 and samlWeb-2.0 features |
| CVE-2023-46158 | 4.9 | Weaker security | 23.0.0.9 - 23.0.0.10 | 23.0.0.11 | Affects the appSecurity-1.0, appSecurity-2.0, appSecurity-3.0, appSecurity-4.0 and appSecurity-5.0 features |
| CVE-2023-38737 | 5.9 | Denial of service | 22.0.0.13 - 23.0.0.7 | 23.0.0.8 | Affects the restfulWS-3.0 and restfulWS-3.1 features |
| CVE-2023-28867 | 7.5 | Denial of service | 17.0.0.3 - 23.0.0.5 | 23.0.0.6 | Affects the mpGraphQL-1.0 and mpGraphQL-2.0 features |
| CVE-2023-24998 | 7.5 | Denial of service | 17.0.0.3 - 23.0.0.3 | 23.0.0.4 | Affects the servlet-3.1, servlet-4.0, servlet-5.0 and servlet-6.0 features |
| CVE-2023-0482 | 5.3 | Privilege escalation | 21.0.0.12 - 23.0.0.3 | 23.0.0.4 | Affects the restfulWS-3.0 and restfulWS-3.1 features |
| CVE-2022-45787 | 5.5 | Information disclosure | 21.0.0.12 - 23.0.0.1 | 23.0.0.2 | Affects the restfulWS-3.0 feature |
| CVE-2022-46364 | 9.8 | Server-side request forgery | 17.0.0.3 - 23.0.0.1 | 23.0.0.2 | Affects the jaxws-2.2 feature |
| CVE-2022-3509 | 5.7 | Denial of service | 21.0.0.2 - 22.0.0.12 | 22.0.0.13 | Affects the grpc-1.0 and grpcClient-1.0 features |
| CVE-2022-3171 | 5.7 | Denial of service | 21.0.0.2 - 22.0.0.12 | 22.0.0.13 | Affects the grpc-1.0 and grpcClient-1.0 features |
| CVE-2022-37734 | 7.5 | Denial of service | 17.0.0.3 - 22.0.0.11 | 22.0.0.12 | Affects the mpGraphQL-1.0 and mpGraphQL-2.0 features |
| CVE-2022-24839 | 7.5 | Denial of service | 17.0.0.3 - 22.0.0.10 | 22.0.0.11 | Affects the openid-2.0 feature |
| CVE-2022-34165 | 5.4 | HTTP header injection | 17.0.0.3 - 22.0.0.9 | 22.0.0.10 | |
| CVE-2022-22476 | 5 | Identity spoofing | 17.0.0.3 - 22.0.0.7 | 22.0.0.8 | Affects the appSecurity-1.0, appSecurity-2.0, appSecurity-3.0 and appSecurity-4.0 features |
| CVE-2022-22475 | 7.1 | Identity spoofing | 17.0.0.3 - 22.0.0.5 | 22.0.0.6 | Affects the appSecurity-1.0, appSecurity-2.0, appSecurity-3.0 and appSecurity-4.0 features |
| CVE-2022-22393 | 3.1 | Information disclosure | 17.0.0.3 - 22.0.0.5 | 22.0.0.6 | Affects the adminCenter-1.0 feature |
| CVE-2021-39038 | 4.4 | Clickjacking vulnerability | 17.0.0.3 - 22.0.0.2 | 22.0.0.3 | Affects the openapi-3.1, mpOpenAPI-1.0, mpOpenAPI-1.1 and mpOpenAPI-2.0 features |
| CVE-2021-23450 | 9.8 | Remote code execution | 17.0.0.3 - 22.0.0.2 | 22.0.0.3 | Affects the adminCenter-1.0 feature |
| CVE-2021-46708 | 4.3 | Clickjacking | 21.0.0.12 - 22.0.0.1 | 22.0.0.2 | Affects the openapi-3.1, mpOpenAPI-1.0, mpOpenAPI-1.1, mpOpenAPI-2.0 and mpOpenAPI-3.0 features |
| CVE-2018-25031 | 5.4 | Spoofing attack | 21.0.0.12 - 22.0.0.1 | 22.0.0.2 | Affects the openapi-3.1, mpOpenAPI-1.0, mpOpenAPI-1.1, mpOpenAPI-2.0 and mpOpenAPI-3.0 features |
| CVE-2021-39031 | 7.5 | LDAP injection | 17.0.0.3 - 22.0.0.1 | 22.0.0.2 | Affects the ldapRegistry-3.0 feature |
| CVE-2022-22310 | 4.8 | Information disclosure | 21.0.0.10 - 21.0.0.12 | 22.0.0.1 | Affects the jaxws-2.2 feature |
| CVE-2021-36090 | 7.5 | Denial of service | 17.0.0.3 - 21.0.0.9 | 21.0.0.10 | |
| CVE-2021-35517 | 5.5 | Denial of service | 17.0.0.3 - 21.0.0.9 | 21.0.0.10 | |
| CVE-2021-29842 | 3.7 | Information disclosure | 17.0.0.3 - 21.0.0.9 | 21.0.0.10 | Affects the federatedRegistry-1.0 feature |
| CVE-2021-26296 | 8.8 | Cross-site request forgery | 17.0.0.3 - 21.0.0.3 | 21.0.0.4 | Affects the jsf-2.2 and jsf-2.3 features |
| CVE-2020-10693 | 5.3 | Bypass security | 17.0.0.3 - 20.0.0.10 | 20.0.0.11 | Affects the beanValidation-2.0 feature |
| CVE-2020-4590 | 5.3 | Denial of service | 19.0.0.5 - 20.0.0.9 | 20.0.0.10 | Affects the oauth-2.0 and openidConnectServer-1.0 features |
| CVE-2020-4421 | 5 | Identity spoofing | 19.0.0.5 - 20.0.0.4 | 20.0.0.5 | Affects the openidConnectServer-1.0 feature |
| CVE-2020-4329 | 4.3 | Information disclosure | 17.0.0.3 - 20.0.0.4 | 20.0.0.5 | Affects the servlet-3.1, servlet-4.0, appSecurity-2.0, and appSecurity-3.0 features |
| CVE-2020-4303 | 6.1 | Cross-site scripting | 17.0.0.3 - 20.0.0.3 | 20.0.0.4 | Affects the oauth-2.0, openidConnectClient-1.0, openidConnectServer-1.0, and samlWeb-2.0 features |
| CVE-2020-4304 | 6.1 | Cross-site scripting | 17.0.0.3 - 20.0.0.3 | 20.0.0.4 | Affects the oauth-2.0, openidConnectClient-1.0, openidConnectServer-1.0, and samlWeb-2.0 features |
| CVE-2019-17573 | 6.1 | Cross-site scripting | 17.0.0.3 - 20.0.0.2 | 20.0.0.3 | Affects the jaxws-2.2 feature |
| CVE-2019-12406 | 5.3 | Denial of service | 17.0.0.3 - 20.0.0.1 | 20.0.0.2 | Affects the jaxrs-2.0, jaxrs-2.1, and jaxws-2.2 features |
| CVE-2019-4720 | 7.5 | Denial of service | 17.0.0.3 - 20.0.0.1 | 20.0.0.2 | |
| CVE-2019-17495 | 5.3 | Information disclosure | 17.0.0.3 - 19.0.0.12 | 20.0.0.1 | Affects the mpOpenAPI-1.0, mpOpenAPI-1.1, and openapi-3.1 features |
| CVE-2019-4441 | 5.3 | Information disclosure | 17.0.0.3 - 19.0.0.10 | 19.0.0.11 | Affects the jsp-2.2 and jsp-2.3 features |
| CVE-2014-3603 | 6.8 | Spoofing | 17.0.0.3 - 19.0.0.10 | 19.0.0.11 | Affects the wsSecurity-1.1 and samlWeb-2.0 features |
| CVE-2019-9518 | 7.5 | Denial of service | 17.0.0.3 - 19.0.0.9 | 19.0.0.10 | Affects the servlet-3.1 and servlet-4.0 features |
| CVE-2019-9517 | 7.5 | Denial of service | 17.0.0.3 - 19.0.0.9 | 19.0.0.10 | Affects the servlet-3.1 and servlet-4.0 features |
| CVE-2019-9515 | 7.5 | Denial of service | 17.0.0.3 - 19.0.0.9 | 19.0.0.10 | Affects the servlet-3.1 and servlet-4.0 features |
| CVE-2019-9514 | 7.5 | Denial of service | 17.0.0.3 - 19.0.0.9 | 19.0.0.10 | Affects the servlet-3.1 and servlet-4.0 features |
| CVE-2019-9513 | 7.5 | Denial of service | 17.0.0.3 - 19.0.0.9 | 19.0.0.10 | Affects the servlet-3.1 and servlet-4.0 features |
| CVE-2019-9512 | 7.5 | Denial of service | 17.0.0.3 - 19.0.0.9 | 19.0.0.10 | Affects the servlet-3.1 and servlet-4.0 features |
| CVE-2019-4304 | 6.3 | Bypass security | 17.0.0.3 - 19.0.0.9 | 19.0.0.10 | Affects the appSecurity-1.0 and appSecurity-2.0 features |
| CVE-2019-4305 | 5.3 | Information disclosure | 17.0.0.3 - 19.0.0.9 | 19.0.0.10 | Affects the appSecurity-1.0 and appSecurity-2.0 features |
| CVE-2014-3603 | 6.5 | Man-in-the-Middle | 17.0.0.3 - 19.0.0.7 | 19.0.0.8 | Affects the wsSecurity-1.1 and samlWeb-2.0 features |
| CVE-2019-4046 | 5.9 | Denial of service | 17.0.0.3 - 19.0.0.3 | 19.0.0.4 | Affects the servlet-3.1 and servlet-4.0 features |
| CVE-2018-1902 | 3.1 | Spoofing | 17.0.0.3 - 19.0.0.2 | 19.0.0.3 | Affects the servlet-3.1 and servlet-4.0 features |
| CVE-2018-1901 | 5.0 | Privilege escalation | 17.0.0.3 - 18.0.0.3 | 18.0.0.4 | Affects the ldapRegistry-3.0 feature |
| CVE-2014-7810 | 5.0 | Bypass security | 17.0.0.3 - 18.0.0.3 | 18.0.0.4 | Affects the jsp-2.2, jsp-2.3, and el-3.0 features |
| CVE-2018-8039 | 7.5 | Man-in-the-Middle | 17.0.0.3 - 18.0.0.2 | 18.0.0.3 | Affects the jaxws-2.2, jaxrs-2.0, and jaxrs-2.1 features |
| CVE-2018-1755 | 5.9 | Information disclosure | 17.0.0.3 - 18.0.0.2 | 18.0.0.3 | Affects the jaspic-1.1 feature |
| CVE-2018-1683 | 5.9 | Information disclosure | 17.0.0.3 - 18.0.0.2 | 18.0.0.3 | Affects the ejbRemote-3.2 feature |
| CVE-2017-12624 | 5.3 | Denial of service | 17.0.0.3 - 17.0.0.4 | 18.0.0.1 | Affects the jaxws-2.2, jaxrs-2.0, and jaxrs-2.1 features |
| CVE-2017-1788 | 5.3 | Spoofing | 17.0.0.3 - 17.0.0.4 | 18.0.0.1 | Affects any feature that enables security, for example, the appSecurity-2.0, appSecurity-3.0, and restConnector-2.0 features |
| CVE-2016-100031 | 9.8 | Execute code | 17.0.0.3 - 17.0.0.4 | 18.0.0.1 | Affects the servlet-3.1 and servlet-4.0 features |