CVE-2023-38264 MEDIUM

CVE-2023-38264: IBM SDK, Java Technology Edition denial of service

Vendor Ibm

Product SDK, Java Technology Edition

Weakness CWE-502 · Unsafe deserialization

Published May 10, 2024

Last update August 2, 2024

View on NVD All CVEs

CVSS base score

5.9/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction None

Confidentiality None

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

Description

The IBM SDK, Java Technology Edition's Object Request Broker (ORB) 7.1.0.0 through 7.1.5.21 and 8.0.0.0 through 8.0.8.21 is vulnerable to a denial of service attack in some circumstances due to improper enforcement of the JEP 290 MaxRef and MaxDepth deserialization filters. IBM X-Force ID: 260578.

Key dates

Disclosure timeline

May 10, 2024 CVE published

August 2, 2024 Record updated

Identifiers

CVE CVE-2023-38264

CWE CWE-502

CVSS 5.9 / MEDIUM

Affected versions

Vendor Ibm

Product SDK, Java Technology Edition

Affected ≥ 7.1.0.0 and ≤ 7.1.5.21

Vendor Ibm

Product SDK, Java Technology Edition

Affected ≥ 8.0.0.0 and ≤ 8.0.8.21