{"api_version":"1","generated_at":"2026-06-27T04:08:46+00:00","cve":"CVE-2018-1755","urls":{"html":"https://cve.report/CVE-2018-1755","api":"https://cve.report/api/cve/CVE-2018-1755.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2018-1755","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2018-1755"},"summary":{"title":"CVE-2018-1755","description":"IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information, caused by incorrect transport being used when Liberty is configured to use Java Authentication SPI for Containers (JASPIC). This can happen when the Application Server is configured to permit access on non-secure (http) port and using JASPIC or JSR375 authentication.","state":"PUBLIC","assigner":"psirt@us.ibm.com","published_at":"2018-08-24 10:29:00","updated_at":"2019-10-09 23:39:00"},"problem_types":["CWE-200"],"metrics":[],"references":[{"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/148597","name":"ibm-websphere-cve20181755-info-disc(148597)","refsource":"XF","tags":["VDB Entry","Vendor Advisory"],"title":"IBM X-Force Exchange","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/105150","name":"105150","refsource":"BID","tags":["Third Party Advisory","VDB Entry"],"title":"IBM WebSphere Application Server Liberty CVE-2018-1755 Information Disclosure Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"http://www.securitytracker.com/id/1041558","name":"1041558","refsource":"SECTRACK","tags":["Third Party Advisory","VDB Entry"],"title":"IBM WebSphere Application Server Liberty Non-Secure Authentication Lets Remote Users Obtain Potentially Sensitive Information on the Target System - SecurityTracker","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.ibm.com/support/docview.wss?uid=ibm10728689","name":"https://www.ibm.com/support/docview.wss?uid=ibm10728689","refsource":"CONFIRM","tags":["Patch","Vendor Advisory"],"title":"Security Bulletin: Information disclosure in WebSphere Application Server Liberty (CVE-2018-1755)","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2018-1755","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1755","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2018","cve_id":"1755","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"ibm","cpe5":"websphere_application_server","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"liberty","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"1755","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"ibm","cpe5":"websphere_application_server","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"liberty","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"psirt@us.ibm.com","DATE_PUBLIC":"2018-08-22T00:00:00","ID":"CVE-2018-1755","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"WebSphere Application Server","version":{"version_data":[{"version_value":"Liberty"}]}}]},"vendor_name":"IBM"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information, caused by incorrect transport being used when Liberty is configured to use Java Authentication SPI for Containers (JASPIC). This can happen when the Application Server is configured to permit access on non-secure (http) port and using JASPIC or JSR375 authentication."}]},"impact":{"cvssv3":{"BM":{"A":"N","AC":"H","AV":"N","C":"H","I":"N","PR":"N","S":"U","SCORE":"5.900","UI":"N"},"TM":{"E":"U","RC":"C","RL":"O"}}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Obtain Information"}]}]},"references":{"reference_data":[{"name":"ibm-websphere-cve20181755-info-disc(148597)","refsource":"XF","url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/148597"},{"name":"1041558","refsource":"SECTRACK","url":"http://www.securitytracker.com/id/1041558"},{"name":"https://www.ibm.com/support/docview.wss?uid=ibm10728689","refsource":"CONFIRM","url":"https://www.ibm.com/support/docview.wss?uid=ibm10728689"},{"name":"105150","refsource":"BID","url":"http://www.securityfocus.com/bid/105150"}]}},"nvd":{"publishedDate":"2018-08-24 10:29:00","lastModifiedDate":"2019-10-09 23:39:00","problem_types":["CWE-200"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":5.9,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.2,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:N/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":4.3},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":2.9,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:ibm:websphere_application_server:*:*:*:*:liberty:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2018","CveId":"1755","Ordinal":"117279","Title":"CVE-2018-1755","CVE":"CVE-2018-1755","Year":"2018"},"notes":[{"CveYear":"2018","CveId":"1755","Ordinal":"1","NoteData":"IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information, caused by incorrect transport being used when Liberty is configured to use Java Authentication SPI for Containers (JASPIC). This can happen when the Application Server is configured to permit access on non-secure (http) port and using JASPIC or JSR375 authentication.","Type":"Description","Title":null},{"CveYear":"2018","CveId":"1755","Ordinal":"2","NoteData":"2018-08-24","Type":"Other","Title":"Published"},{"CveYear":"2018","CveId":"1755","Ordinal":"3","NoteData":"2018-08-28","Type":"Other","Title":"Modified"}]}}}