Description
IBM WebSphere Application Server 9.0, and 8.5 is affected by an improper validation of user-supplied data during deserialization using the SAML Web Single Sign-On component. This could result in remote code execution via a crafted HTTP request when combined with a suitable gadget chain.
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
Affected products
- ibm / websphere_application_server9.0 – 9.0
- ibm / websphere_application_server9.0.0 – 9.0.0
- ibm / websphere_application_server8.5 – 8.5
- ibm / websphere_application_server8.5.0 – 8.5.0