CVE-2024-22320 - OpenCVE

IBM Operational Decision Manager 8.10.3 could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization. By sending specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code in the context of SYSTEM. IBM X-Force ID: 279146.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ibm	Operational Decision Manager

Configuration 1 [-]

OR	cpe:2.3:a:ibm:operational_decision_manager:8.10.3:::::::*
	cpe:2.3:a:ibm:operational_decision_manager:8.10.4:::::::*
	cpe:2.3:a:ibm:operational_decision_manager:8.10.5.1:::::::*
	cpe:2.3:a:ibm:operational_decision_manager:8.11:::::::*
	cpe:2.3:a:ibm:operational_decision_manager:8.11.0.1:::::::*
	cpe:2.3:a:ibm:operational_decision_manager:8.12.0.1:::::::*

No data.

References

Link	Providers
https://exchange.xforce.ibmcloud.com/vulnerabilities/279146
https://www.ibm.com/support/pages/node/7112382
https://www.vicarius.io/vsociety/posts/unveiling-cve-2024-22320-a-novices-journey-to-exploiting-java-deserialization-rce-in-ibm-odm

History

Mon, 19 Aug 2024 08:30:00 +0000

Type	Values Removed	Values Added
References		https://www.vicarius.io/vsociety/posts/unveiling-cve-2024-22320-a-novices-journey-to-exploiting-java-deserialization-rce-in-ibm-odm

MITRE

Status: PUBLISHED

Assigner: ibm

Published: 2024-02-02T02:16:32.962Z

Updated: 2024-08-19T07:48:08.371Z

Reserved: 2024-01-08T23:41:52.508Z

Link: CVE-2024-22320

Vulnrichment

Updated: 2024-08-19T07:48:08.371Z

NVD

Status : Modified

Published: 2024-02-02T03:15:10.780

Modified: 2024-03-21T02:52:02.607

Link: CVE-2024-22320

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-22320", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "state": "PUBLISHED", "assignerShortName": "ibm", "dateReserved": "2024-01-08T23:41:52.508Z", "datePublished": "2024-02-02T02:16:32.962Z", "dateUpdated": "2024-08-19T07:48:08.371Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Operational Decision Manager", "vendor": "IBM", "versions": [{"status": "affected", "version": "8.10.3"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "IBM Operational Decision Manager 8.10.3 could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization. By sending specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code in the context of SYSTEM. IBM X-Force ID: 279146."}], "value": "IBM Operational Decision Manager 8.10.3 could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization. By sending specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code in the context of SYSTEM. IBM X-Force ID: 279146."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2024-02-29T18:50:36.341Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://www.ibm.com/support/pages/node/7112382"}, {"tags": ["vdb-entry"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/279146"}], "source": {"discovery": "UNKNOWN"}, "title": "IBM Operational Decision Manager code execution", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"affected": [{"vendor": "ibm", "product": "operational_decision_manager", "cpes": ["cpe:2.3:a:ibm:operational_decision_manager:8.10.3:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "8.10.3", "status": "affected"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-12T22:43:15.480784Z", "id": "CVE-2024-22320", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-12T22:44:03.646Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-19T07:48:08.371Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://www.ibm.com/support/pages/node/7112382"}, {"tags": ["vdb-entry", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/279146"}, {"url": "https://www.vicarius.io/vsociety/posts/unveiling-cve-2024-22320-a-novices-journey-to-exploiting-java-deserialization-rce-in-ibm-odm"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.ibm.com/support/pages/node/7112382", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/279146", "tags": ["vdb-entry", "x_transferred"]}, {"url": "https://www.vicarius.io/vsociety/posts/unveiling-cve-2024-22320-a-novices-journey-to-exploiting-java-deserialization-rce-in-ibm-odm"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-19T07:48:08.371Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-22320", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-07-12T22:43:15.480784Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:ibm:operational_decision_manager:8.10.3:*:*:*:*:*:*:*"], "vendor": "ibm", "product": "operational_decision_manager", "versions": [{"status": "affected", "version": "8.10.3"}], "defaultStatus": "unaffected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-12T22:44:00.345Z"}}], "cna": {"title": "IBM Operational Decision Manager code execution", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "IBM", "product": "Operational Decision Manager", "versions": [{"status": "affected", "version": "8.10.3"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.ibm.com/support/pages/node/7112382", "tags": ["vendor-advisory"]}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/279146", "tags": ["vdb-entry"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "IBM Operational Decision Manager 8.10.3 could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization. By sending specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code in the context of SYSTEM. IBM X-Force ID: 279146.", "supportingMedia": [{"type": "text/html", "value": "IBM Operational Decision Manager 8.10.3 could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization. By sending specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code in the context of SYSTEM. IBM X-Force ID: 279146.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2024-02-29T18:50:36.341Z"}}}, "cveMetadata": {"cveId": "CVE-2024-22320", "state": "PUBLISHED", "dateUpdated": "2024-08-19T07:48:08.371Z", "dateReserved": "2024-01-08T23:41:52.508Z", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "datePublished": "2024-02-02T02:16:32.962Z", "assignerShortName": "ibm"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ibm:operational_decision_manager:8.10.3:*:*:*:*:*:*:*", "matchCriteriaId": "CF279017-9ADC-4249-9956-BF63FD9EBD30", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:operational_decision_manager:8.10.4:*:*:*:*:*:*:*", "matchCriteriaId": "48771A1F-9BCC-44E2-A34C-F5A7F2D73E64", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:operational_decision_manager:8.10.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "E64BDD7B-4A90-4026-A1F3-EEFE5D10DB62", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:operational_decision_manager:8.11:*:*:*:*:*:*:*", "matchCriteriaId": "A246453D-AAB0-4BF0-AE62-CFCBAECC2C6E", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:operational_decision_manager:8.11.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "354E0F39-CA38-4A27-973B-7415C7A40FC2", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:operational_decision_manager:8.12.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "60B60CD2-D71D-43FE-B9AD-A11FE5FC132E", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "IBM Operational Decision Manager 8.10.3 could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization. By sending specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code in the context of SYSTEM. IBM X-Force ID: 279146."}, {"lang": "es", "value": "IBM Operational Decision Manager versiones 8.10.3, 8.10.4, 8.10.5.1, 8.11, 8.11.0.1 y 8.12.0.1 podr\u00edan permitir que un atacante remoto autenticado ejecute c\u00f3digo arbitrario en el sistema, causado por una deserializaci\u00f3n insegura. Al enviar una solicitud especialmente manipulada, un atacante podr\u00eda aprovechar esta vulnerabilidad para ejecutar c\u00f3digo arbitrario en el contexto de SYSTEM. ID de IBM X-Force: 279146."}], "id": "CVE-2024-22320", "lastModified": "2024-03-21T02:52:02.607", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "psirt@us.ibm.com", "type": "Secondary"}]}, "published": "2024-02-02T03:15:10.780", "references": [{"source": "psirt@us.ibm.com", "tags": ["VDB Entry", "Vendor Advisory"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/279146"}, {"source": "psirt@us.ibm.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.ibm.com/support/pages/node/7112382"}], "sourceIdentifier": "psirt@us.ibm.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "psirt@us.ibm.com", "type": "Primary"}]}