Impact
The vulnerability is a server-side request forgery that occurs when the adminCenter-1.0 feature is enabled in IBM WebSphere Application Server Liberty versions 17.0.0.3 through 26.0.0.7. An attacker can cause the server to issue requests to arbitrary URLs, potentially accessing internal resources, exfiltrating data, or performing denial-of-service actions. This flaw corresponds to CWE-918 and can be significant if the application has privileged network access.
Affected Systems
IBM WebSphere Application Server Liberty is affected, with the vulnerable releases being 17.0.0.3 up to 26.0.0.7 when the adminCenter-1.0 feature is enabled. Other versions of Liberty outside this range or with the feature disabled are not impacted.
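A configuration audit for the two conditions stated above, written here as an added example (it is not IBM's or OpenCVE's code): it parses a Liberty server.xml, checks whether adminCenter-1.0 is listed under featureManager, and tests the Liberty version against the 17.0.0.3 to 26.0.0.7 range. It assumes the standard single-file server.xml layout and that feature names compare case-insensitively; the sample configurations are constructed.

```python
"""Audit a Liberty server.xml for the adminCenter-1.0 SSRF exposure: a server is
flagged only when the Liberty version is within 17.0.0.3 .. 26.0.0.7 AND the
adminCenter-1.0 feature is enabled in <featureManager> (both advisory conditions)."""
import xml.etree.ElementTree as ET

AFFECTED_MIN = (17, 0, 0, 3)
AFFECTED_MAX = (26, 0, 0, 7)
VULNERABLE_FEATURE = "admincenter-1.0"  # feature names compared case-insensitively (assumption)


def parse_version(version: str) -> tuple:
    """Turn a four-part Liberty version such as '24.0.0.9' into a comparable tuple."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Liberty version string: {version!r}")
    return tuple(int(p) for p in parts)


def version_in_affected_range(version: str) -> bool:
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def enabled_features(server_xml: str) -> set:
    """Collect every <feature> under <featureManager>, lower-cased.
    Only the given document is inspected; <include> files and configDropins are
    not followed (simplifying assumption), so check those separately."""
    root = ET.fromstring(server_xml)
    return {(f.text or "").strip().lower()
            for fm in root.iter("featureManager") for f in fm.iter("feature")}


def is_exposed(version: str, server_xml: str) -> bool:
    """True when this server matches both advisory conditions."""
    return version_in_affected_range(version) and VULNERABLE_FEATURE in enabled_features(server_xml)


# Constructed sample configuration (not taken from any real deployment).
VULNERABLE_CONFIG = """<server description="constructed sample">
  <featureManager>
    <feature>jsp-2.3</feature>
    <feature>adminCenter-1.0</feature>
  </featureManager>
</server>"""

# Mitigated form of the same file: the adminCenter-1.0 feature is removed.
MITIGATED_CONFIG = VULNERABLE_CONFIG.replace("    <feature>adminCenter-1.0</feature>\n", "")

if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_CONFIG), ("mitigated", MITIGATED_CONFIG)):
        print(label, "->", "EXPOSED" if is_exposed("24.0.0.9", cfg) else "not exposed")
```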
Risk and Exploitability
The CVSS score of 7.1 indicates moderate to high risk. The EPSS score is not available, and the issue is not currently listed in the CISA KEV catalog. The likely attack vector is remote through the WebSphere administrative console or APIs that access the adminCenter-1.0 feature. An attacker would need to interact with the application's server-side code that processes outbound requests; no local privilege escalation is required.
OpenCVE Enrichment