Security vulnerability (CVE) list
The Common Vulnerabilities and Exposures (CVE) system is a reference of publicly known network vulnerabilities that is maintained by the US National Institute of Standards and Technology (NIST). The CVE list catalogs known cybersecurity vulnerabilities.
The following table lists the CVEs that affect Open Liberty, ordered by the release in which they were fixed. The table also includes the Liberty features that are affected by each CVE. You can determine whether your Liberty configuration might be affected by a CVE by reviewing the features that are installed and running on your server. Occasionally, Liberty features that are not specified in the server.xml
file are enabled automatically by other features. To confirm whether a particular feature is enabled in a Liberty server, inspect the CWWKF0012I
message in the console.log
, messages.log
, or trace.log
files from the Liberty server. This message provides a comprehensive list of all the features that are installed and running on the Liberty server.
CWWKF0012I: The server installed the following features: [appSecurity-2.0, distributedMap-1.0, jndi-1.0, samlWeb-2.0, ssl-1.0].
The CWWKF0012I
message uses the word "installed", but it lists features that are both installed and running on the Liberty server.
CVE | CVSS score by X-Force® | Vulnerability assessment | Versions affected | Version fixed | Notes |
---|---|---|---|---|---|
5.3 | Information disclosure | 17.0.0.3 - 24.0.0.8 | 24.0.0.9 | ||
7.0 | XML External Entity (XXE) injection | 17.0.0.3 - 24.0.0.5 | 24.0.0.6 | ||
5.9 | Denial of service | 18.0.0.2 - 24.0.0.4 | 24.0.0.5 | Affects the servlet-3.1, servlet-4.0, servlet-5.0 and servlet-6.0 features | |
5.9 | Denial of service | 17.0.0.3 - 24.0.0.4 | 24.0.0.5 | Affects the openidConnectClient-1.0, and socialLogin-1.0 features | |
5.9 | Denial of service | 17.0.0.3 - 24.0.0.4 | 24.0.0.5 | Affects the servlet-3.1, servlet-4.0, servlet-5.0 and servlet-6.0 features | |
7.5 | Denial of service | 21.0.0.3 - 24.0.0.3 | 24.0.0.4 | Affects the openidConnectClient-1.0, socialLogin-1.0, mpJwt-1.2, mpJwt-2.0, mpJwt-2.1, jwt-1.0 features | |
4.7 | Cross-site scripting | 23.0.0.3 - 24.0.0.3 | 24.0.0.4 | Affects the servlet-6.0 feature | |
5.3 | Weaker security | 17.0.0.3 - 24.0.0.2 | 24.0.0.3 | ||
7.5 | Denial of service | 18.0.0.2 - 23.0.0.11 | 23.0.0.12 | Affects the servlet-3.1, servlet-4.0, servlet-5.0 and servlet-6.0 features | |
6.5 | Information disclosure | 17.0.0.3 - 23.0.0.11 | 23.0.0.12 | Affects the wsSecurity-1.1, wsSecuritySaml-1.1 and samlWeb-2.0 features | |
4.9 | Weaker security | 23.0.0.9 - 23.0.0.10 | 23.0.0.11 | Affects the appSecurity-1.0, appSecurity-2.0, appSecurity-3.0, appSecurity-4.0 and appSecurity-5.0 features | |
5.9 | Denial of service | 22.0.0.13 - 23.0.0.7 | 23.0.0.8 | Affects the restfulWS-3.0 and restfulWS-3.1 features | |
7.5 | Denial of service | 17.0.0.3 - 23.0.0.5 | 23.0.0.6 | Affects the mpGraphQL-1.0 and mpGraphQL-2.0 features | |
7.5 | Denial of service | 17.0.0.3 - 23.0.0.3 | 23.0.0.4 | Affects the servlet-3.1, servlet-4.0, servlet-5.0 and servlet-6.0 features | |
5.3 | Privilege escalation | 21.0.0.12 - 23.0.0.3 | 23.0.0.4 | Affects the restfulWS-3.0 and restfulWS-3.1 features | |
5.5 | Information disclosure | 21.0.0.12 - 23.0.0.1 | 23.0.0.2 | Affects the restfulWS-3.0 feature | |
9.8 | Server-side request forgery | 17.0.0.3 - 23.0.0.1 | 23.0.0.2 | Affects the jaxws-2.2 feature | |
5.7 | Denial of service | 21.0.0.2 - 22.0.0.12 | 22.0.0.13 | Affects the grpc-1.0 and grpcClient-1.0 features | |
5.7 | Denial of service | 21.0.0.2 - 22.0.0.12 | 22.0.0.13 | Affects the grpc-1.0 and grpcClient-1.0 features | |
7.5 | Denial of service | 17.0.0.3 - 22.0.0.11 | 22.0.0.12 | Affects the mpGraphQL-1.0 and mpGraphQL-2.0 features | |
7.5 | Denial of service | 17.0.0.3 - 22.0.0.10 | 22.0.0.11 | Affects the openid-2.0 feature | |
5.4 | HTTP header injection | 17.0.0.3 - 22.0.0.9 | 22.0.0.10 | ||
5 | Identity spoofing | 17.0.0.3 - 22.0.0.7 | 22.0.0.8 | Affects the appSecurity-1.0, appSecurity-2.0, appSecurity-3.0 and appSecurity-4.0 features | |
7.1 | Identity spoofing | 17.0.0.3 - 22.0.0.5 | 22.0.0.6 | Affects the appSecurity-1.0, appSecurity-2.0, appSecurity-3.0 and appSecurity-4.0 features | |
3.1 | Information disclosure | 17.0.0.3 - 22.0.0.5 | 22.0.0.6 | Affects the adminCenter-1.0 feature | |
4.4 | Clickjacking vulnerability | 17.0.0.3 - 22.0.0.2 | 22.0.0.3 | Affects the openapi-3.1, mpOpenAPI-1.0, mpOpenAPI-1.1 and mpOpenAPI-2.0 features | |
9.8 | Remote code execution | 17.0.0.3 - 22.0.0.2 | 22.0.0.3 | Affects the admin-Center-1.0 feature | |
4.3 | Clickjacking | 21.0.0.12 - 22.0.0.1 | 22.0.0.2 | Affects the openapi-3.1, mpOpenAPI-1.0, mpOpenAPI-1.1, mpOpenAPI-2.0 and mpOpenAPI-3.0 features | |
5.4 | Spoofing attack | 21.0.0.12 - 22.0.0.1 | 22.0.0.2 | Affects the openapi-3.1, mpOpenAPI-1.0, mpOpenAPI-1.1, mpOpenAPI-2.0 and mpOpenAPI-3.0 features | |
7.5 | LDAP injection | 17.0.0.3 - 22.0.0.1 | 22.0.0.2 | Affects the ldapRegistry-3.0 feature | |
4.8 | Information disclosure | 21.0.0.10 - 21.0.0.12 | 22.0.0.1 | Affects the jaxws-2.2 feature | |
7.5 | Denial of service | 17.0.0.3 - 21.0.0.9 | 21.0.0.10 | ||
5.5 | Denial of service | 17.0.0.3 - 21.0.0.9 | 21.0.0.10 | ||
3.7 | Information disclosure | 17.0.0.3 - 21.0.0.9 | 21.0.0.10 | Affects the federatedRegistry-1.0 feature | |
8.8 | Cross-site request forgery | 17.0.0.3 - 21.0.0.3 | 21.0.0.4 | ||
5.3 | Bypass security | 17.0.0.3 - 20.0.0.10 | 20.0.0.11 | Affects the beanValidation-2.0 feature | |
5.3 | Denial of service | 19.0.0.5 - 20.0.0.9 | 20.0.0.10 | Affects the oauth-2.0 and openidConnectServer-1.0 features | |
5 | Identity spoofing | 19.0.0.5 - 20.0.0.4 | 20.0.0.5 | Affects the openidConnectServer-1.0 feature | |
4.3 | Information disclosure | 17.0.0.3 - 20.0.0.4 | 20.0.0.5 | Affects the servlet-3.1, servlet-4.0, appSecurity-2.0, and appSecurity-3.0 features | |
6.1 | Cross-site scripting | 17.0.0.3 - 20.0.0.3 | 20.0.0.4 | Affects the oauth-2.0, openidConnectClient-1.0, openidConnectServer-1.0, and samlWeb-2.0 features | |
6.1 | Cross-site scripting | 17.0.0.3 - 20.0.0.3 | 20.0.0.4 | Affects the oauth-2.0, openidConnectClient-1.0, openidConnectServer-1.0, and samlWeb-2.0 features | |
6.1 | Cross-site scripting | 17.0.0.3 - 20.0.0.2 | 20.0.0.3 | Affects the jaxws-2.2 feature | |
5.3 | Denial of service | 17.0.0.3 - 20.0.0.1 | 20.0.0.2 | ||
7.5 | Denial of service | 17.0.0.3 - 20.0.0.1 | 20.0.0.2 | ||
5.3 | Information disclosure | 17.0.0.3 - 19.0.0.12 | 20.0.0.1 | Affects the mpOpenAPI-1.0, mpOpenAPI-1.1, and openapi-3.1 features | |
5.3 | Information disclosure | 17.0.0.3 - 19.0.0.10 | 19.0.0.11 | ||
6.8 | Spoofing | 17.0.0.3 - 19.0.0.10 | 19.0.0.11 | Affects the wsSecurity-1.1 and samlWeb-2.0 features | |
7.5 | Denial of service | 17.0.0.3 - 19.0.0.9 | 19.0.0.10 | Affects the servlet-3.1 and servlet-4.0 features | |
7.5 | Denial of service | 17.0.0.3 - 19.0.0.9 | 19.0.0.10 | Affects the servlet-3.1 and servlet-4.0 features | |
7.5 | Denial of service | 17.0.0.3 - 19.0.0.9 | 19.0.0.10 | Affects the servlet-3.1 and servlet-4.0 features | |
7.5 | Denial of service | 17.0.0.3 - 19.0.0.9 | 19.0.0.10 | Affects the servlet-3.1 and servlet-4.0 features | |
7.5 | Denial of service | 17.0.0.3 - 19.0.0.9 | 19.0.0.10 | Affects the servlet-3.1 and servlet-4.0 features | |
7.5 | Denial of service | 17.0.0.3 - 19.0.0.9 | 19.0.0.10 | Affects the servlet-3.1 and servlet-4.0 features | |
6.3 | Bypass security | 17.0.0.3 - 19.0.0.9 | 19.0.0.10 | Affects the appSecurity-1.0 and appSecurity-2.0 features | |
5.3 | Information disclosure | 17.0.0.3 - 19.0.0.9 | 19.0.0.10 | Affects the appSecurity-1.0 and appSecurity-2.0 features | |
6.5 | Man-in-the-Middle | 17.0.0.3 - 19.0.0.7 | 19.0.0.8 | Affects the wsSecurity-1.1 and samlWeb-2.0 features | |
5.9 | Denial of service | 17.0.0.3 - 19.0.0.3 | 19.0.0.4 | Affects the servlet-3.1 and servlet-4.0 features | |
3.1 | Spoofing | 17.0.0.3 - 19.0.0.2 | 19.0.0.3 | Affects the servlet-3.1 and servlet-4.0 features | |
5.0 | Privilege escalation | 17.0.0.3 - 18.0.0.3 | 18.0.0.4 | Affects the ldapRegistry-3.0 feature | |
5.0 | Bypass security | 17.0.0.3 - 18.0.0.3 | 18.0.0.4 | ||
7.5 | Man-in-the-Middle | 17.0.0.3 - 18.0.0.2 | 18.0.0.3 | ||
5.9 | Information disclosure | 17.0.0.3 - 18.0.0.2 | 18.0.0.3 | Affects the jaspic-1.1 feature | |
5.9 | Information disclosure | 17.0.0.3 - 18.0.0.2 | 18.0.0.3 | Affects the ejbRemote-3.2 feature | |
5.3 | Denial of service | 17.0.0.3 - 17.0.0.4 | 18.0.0.1 | ||
5.3 | Spoofing | 17.0.0.3 - 17.0.0.4 | 18.0.0.1 | Affects any feature that enables security, for example, the appSecurity-2.0, appSecurity-3.0, and restConnector-2.0 features | |
9.8 | Execute code | 17.0.0.3 - 17.0.0.4 | 18.0.0.1 | Affects the servlet-3.1 and servlet-4.0 features |