CVE-2024-22320

IBM Operational Decision Manager code execution

CVSS 9.8 CRITICAL | EPSS 73.4% | CWE-502
In short

IBM Operational Decision Manager has a flaw that allows authenticated users to run malicious code on the server by sending specially crafted requests. This happens because the software unsafely processes serialized data, making it a critical security risk.

Technical detail

CVE-2024-22320 is an unsafe deserialization vulnerability (CWE-502) in IBM ODM 8.10.3 that permits authenticated remote attackers to achieve arbitrary code execution with SYSTEM privileges. The attack vector involves sending malicious serialized objects that are deserialized without proper validation, leading to instantiation of attacker-controlled code.

Summary generated and translated by AI from the official description.
IBM Operational Decision Manager 8.10.3 could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code in the context of SYSTEM. IBM X-Force ID: 279146.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
