CVE-2023-27554 : IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to an XML External En

IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 249185.

Published 2023-05-11 20:15:09

Updated 2025-01-24 17:15:11

Source IBM Corporation

View at NVD, CVE.org

Vulnerability category: XML external entity (XXE) injection

Products affected by CVE-2023-27554

IBM » Websphere Application Server
Versions from including (>=) 8.5.0.0 and before (<) 8.5.5.24
cpe:2.3:a:ibm:websphere_application_server:*:*:*:*:*:*:*:*
Matching versions
IBM » Websphere Application Server
Versions from including (>=) 9.0.0.0 and before (<) 9.0.5.16
cpe:2.3:a:ibm:websphere_application_server:*:*:*:*:*:*:*:*
Matching versions

Threat overview for CVE-2023-27554

Top countries where our scanners detected CVE-2023-27554

Top open port discovered on systems with this issue 9080

IPs affected by CVE-2023-27554 65

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2023-27554!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2023-27554

EPSS FAQ

0.01%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 1 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-27554

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
9.1	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H	3.9	5.2	134c704f-9b21-4f2e-91b3-4a467353bcc0	2025-01-24
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: High
9.1	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H	3.9	5.2	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: High
6.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:L	2.1	4.2	IBM Corporation
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: None Availability: Low

CWE ids for CVE-2023-27554

CWE-611 Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Primary)
- psirt@us.ibm.com (Primary)

References for CVE-2023-27554

https://exchange.xforce.ibmcloud.com/vulnerabilities/249185

IBM WebSphere Application Server XML external entity injection CVE-2023-27554 Vulnerability Report
VDB Entry;Vendor Advisory
https://www.ibm.com/support/pages/node/6989451

Security Bulletin: IBM WebSphere Application Server is vulnerable to an XML External Entity (XXE) Injection vulnerability (CVE-2023-27554)
Patch;Vendor Advisory