CVE-2022-34165 - OpenCVE

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 22.0.0.9 are vulnerable to HTTP header injection, caused by improper validation. This could allow an attacker to conduct various attacks against the vulnerable system, including cache poisoning and cross-site scripting. IBM X-Force ID: 229429.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Oracle	Solaris
Ibm	Websphere Application Server Aix I Z\/os
Microsoft	Windows
Linux	Linux Kernel
Hp	Hp-ux
Apple	Macos

Configuration 1 [-]

AND

OR	cpe:2.3:a:ibm:websphere_application_server::::::::
	cpe:2.3:a:ibm:websphere_application_server::::::::
	cpe:2.3:a:ibm:websphere_application_server::::::::
	cpe:2.3:a:ibm:websphere_application_server::::::::
	cpe:2.3:a:ibm:websphere_application_server:::::liberty:::*

OR	cpe:2.3:o:apple:macos:-:::::::*
	cpe:2.3:o:hp:hp-ux:-:::::::*
	cpe:2.3:o:ibm:aix:-:::::::*
	cpe:2.3:o:ibm:i:-:::::::*
	cpe:2.3:o:ibm:z\/os:-:::::::*
	cpe:2.3:o:linux:linux_kernel:-:::::::*
	cpe:2.3:o:microsoft:windows:-:::::::*
	cpe:2.3:o:oracle:solaris:-::::::-:

References

Link	Resource
https://exchange.xforce.ibmcloud.com/vulnerabilities/229429	VDB Entry Vendor Advisory
https://www.ibm.com/support/pages/node/6618747	Patch Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: ibm

Published: 2022-09-07T00:00:00

Updated: 2022-09-09T16:00:15

Reserved: 2022-06-20T00:00:00

Link: CVE-2022-34165

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-09-09T16:15:08.933

Modified: 2023-08-08T14:21:49.707

Link: CVE-2022-34165

JSON object: View

Redhat Information

No data.

CWE

CWE-74

{"containers": {"cna": {"affected": [{"product": "WebSphere Application Server", "vendor": "IBM", "versions": [{"status": "affected", "version": "7.0"}, {"status": "affected", "version": "8.0"}, {"status": "affected", "version": "8.5"}, {"status": "affected", "version": "9.0"}]}, {"product": "WebSphere Application Server Liberty", "vendor": "IBM", "versions": [{"status": "affected", "version": "17.0.0.3"}, {"status": "affected", "version": "22.0.0.9"}]}], "datePublic": "2022-09-07T00:00:00", "descriptions": [{"lang": "en", "value": "IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 22.0.0.9 are vulnerable to HTTP header injection, caused by improper validation. This could allow an attacker to conduct various attacks against the vulnerable system, including cache poisoning and cross-site scripting. IBM X-Force ID: 229429."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "exploitCodeMaturity": "UNPROVEN", "integrityImpact": "LOW", "privilegesRequired": "LOW", "remediationLevel": "OFFICIAL_FIX", "reportConfidence": "CONFIRMED", "scope": "UNCHANGED", "temporalScore": 4.7, "temporalSeverity": "MEDIUM", "userInteraction": "NONE", "vectorString": "CVSS:3.0/UI:N/PR:L/I:L/A:N/C:L/AV:N/AC:L/S:U/E:U/RC:C/RL:O", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"description": "Gain Access", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-09-09T16:00:15", "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.ibm.com/support/pages/node/6618747"}, {"name": "ibm-websphere-cve202234165-http-injection (229429)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/229429"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@us.ibm.com", "DATE_PUBLIC": "2022-09-07T00:00:00", "ID": "CVE-2022-34165", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "WebSphere Application Server", "version": {"version_data": [{"version_value": "7.0"}, {"version_value": "8.0"}, {"version_value": "8.5"}, {"version_value": "9.0"}]}}, {"product_name": "WebSphere Application Server Liberty", "version": {"version_data": [{"version_value": "17.0.0.3"}, {"version_value": "22.0.0.9"}]}}]}, "vendor_name": "IBM"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 22.0.0.9 are vulnerable to HTTP header injection, caused by improper validation. This could allow an attacker to conduct various attacks against the vulnerable system, including cache poisoning and cross-site scripting. IBM X-Force ID: 229429."}]}, "impact": {"cvssv3": {"BM": {"A": "N", "AC": "L", "AV": "N", "C": "L", "I": "L", "PR": "L", "S": "U", "UI": "N"}, "TM": {"E": "U", "RC": "C", "RL": "O"}}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Gain Access"}]}]}, "references": {"reference_data": [{"name": "https://www.ibm.com/support/pages/node/6618747", "refsource": "CONFIRM", "title": "IBM Security Bulletin 6618747 (WebSphere Application Server Liberty)", "url": "https://www.ibm.com/support/pages/node/6618747"}, {"name": "ibm-websphere-cve202234165-http-injection (229429)", "refsource": "XF", "title": "X-Force Vulnerability Report", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/229429"}]}}}}, "cveMetadata": {"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "assignerShortName": "ibm", "cveId": "CVE-2022-34165", "datePublished": "2022-09-07T00:00:00", "dateReserved": "2022-06-20T00:00:00", "dateUpdated": "2022-09-09T16:00:15", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ibm:websphere_application_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "9FBC4C46-A044-4A5C-80EF-2BCBF9351CEB", "versionEndIncluding": "7.0.0.45", "versionStartIncluding": "7.0.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:websphere_application_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "E596AE8A-34AD-43F3-A97E-DC79CE517C8B", "versionEndIncluding": "8.0.0.15", "versionStartIncluding": "8.0.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:websphere_application_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "27F39A37-71C5-4498-9505-4730DA63978F", "versionEndIncluding": "8.5.5.22", "versionStartIncluding": "8.5.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:websphere_application_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "7D22980A-8DA4-4E08-9140-23E24B141939", "versionEndIncluding": "9.0.5.13", "versionStartIncluding": "9.0.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:websphere_application_server:*:*:*:*:liberty:*:*:*", "matchCriteriaId": "915EF429-C292-4100-B22B-D7F84E644592", "versionEndExcluding": "22.0.0.9", "versionStartIncluding": "17.0.0.3", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E", "vulnerable": false}, {"criteria": "cpe:2.3:o:hp:hp-ux:-:*:*:*:*:*:*:*", "matchCriteriaId": "F480AA32-841A-4E68-9343-B2E7548B0A0C", "vulnerable": false}, {"criteria": "cpe:2.3:o:ibm:aix:-:*:*:*:*:*:*:*", "matchCriteriaId": "E492C463-D76E-49B7-A4D4-3B499E422D89", "vulnerable": false}, {"criteria": "cpe:2.3:o:ibm:i:-:*:*:*:*:*:*:*", "matchCriteriaId": "C684FC45-C9BA-4EF0-BD06-BB289450DD21", "vulnerable": false}, {"criteria": "cpe:2.3:o:ibm:z\\/os:-:*:*:*:*:*:*:*", "matchCriteriaId": "0E97A964-6F9E-4C87-9B90-21AE2C1DF52F", "vulnerable": false}, {"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1", "vulnerable": false}, {"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}, {"criteria": "cpe:2.3:o:oracle:solaris:-:*:*:*:*:*:-:*", "matchCriteriaId": "F5027746-8216-452D-83C5-2F8E9546F2A5", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 22.0.0.9 are vulnerable to HTTP header injection, caused by improper validation. This could allow an attacker to conduct various attacks against the vulnerable system, including cache poisoning and cross-site scripting. IBM X-Force ID: 229429."}, {"lang": "es", "value": "IBM WebSphere Application Server versiones 7.0, 8.0, 8.5 y 9.0 e IBM WebSphere Application Server Liberty versiones 17.0.0.3 a 22.0.0.9 son vulnerables a una inyecci\u00f3n de encabezados HTTP, causada por una comprobaci\u00f3n inapropiada. Esto podr\u00eda permitir a un atacante conducir varios ataques contra el sistema vulnerable, incluyendo el envenenamiento de la cach\u00e9 y ataques de tipo cross-site scripting. ID de IBM X-Force ID: 229429"}], "id": "CVE-2022-34165", "lastModified": "2023-08-08T14:21:49.707", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "psirt@us.ibm.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-09-09T16:15:08.933", "references": [{"source": "psirt@us.ibm.com", "tags": ["VDB Entry", "Vendor Advisory"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/229429"}, {"source": "psirt@us.ibm.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.ibm.com/support/pages/node/6618747"}], "sourceIdentifier": "psirt@us.ibm.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "nvd@nist.gov", "type": "Primary"}]}