CVE-2018-1755

low-risk

Published 2018-08-24

IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information, caused by incorrect transport being used when Liberty is configured to use Java Authentication SPI for Containers (JASPIC). This can happen when the Application Server is configured to permit access on non-secure (http) port and using JASPIC or JSR375 authentication.

Do I need to act?

0.37% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.9/10 Medium

NETWORK / HIGH complexity

Affected Products (1)

Websphere Application Server

Affected Vendors

Ibm

References (8)

Third Party Advisory http://www.securityfocus.com/bid/105150

Third Party Advisory http://www.securitytracker.com/id/1041558

VDB Entry https://exchange.xforce.ibmcloud.com/vulnerabilities/148597

Patch https://www.ibm.com/support/docview.wss?uid=ibm10728689

Third Party Advisory http://www.securityfocus.com/bid/105150

Third Party Advisory http://www.securitytracker.com/id/1041558

VDB Entry https://exchange.xforce.ibmcloud.com/vulnerabilities/148597

Patch https://www.ibm.com/support/docview.wss?uid=ibm10728689

/ 100

low-risk

Severity 18/34 · Moderate

Exploitability 1/34 · Minimal

Exposure 5/34 · Minimal