IBM Java ORB 7.1.0-8.0.8 DDoS: JEP290 filter bypass
CVE-2023-38264 Published on May 14, 2024
IBM SDK, Java Technology Edition denial of service
The IBM SDK, Java Technology Edition's Object Request Broker (ORB) 7.1.0.0 through 7.1.5.21 and 8.0.0.0 through 8.0.8.21 is vulnerable to a denial of service attack in some circumstances due to improper enforcement of the JEP 290 MaxRef and MaxDepth deserialization filters. IBM X-Force ID: 260578.
Vulnerability Analysis
CVE-2023-38264 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.
Weakness Type
What is a Marshaling, Unmarshaling Vulnerability?
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
CVE-2023-38264 has been classified to as a Marshaling, Unmarshaling vulnerability or weakness.
Products Associated with CVE-2023-38264
Want to know whenever a new CVE is published for IBM Java Software Development Kit? stack.watch will email you.
Affected Versions
IBM SDK, Java Technology Edition:- Version 7.1.0.0, <= 7.1.5.21 is affected.
- Version 8.0.0.0, <= 8.0.8.21 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.