## IBM WebSphere EDataGraphImpl Deserialization of Untrusted Data Information Disclosure Vulnerability

- **Vulnerability IDs:** ZDI-21-174, ZDI-CAN-12478
- **CVE ID:** CVE-2021-20353
- **CVSS Score:** 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), i.e. reachable over the network, low attack complexity, no privileges or user interaction required, with a high impact on confidentiality and none on integrity or availability
- **Affected Vendor:** IBM
- **Affected Product:** WebSphere

### Vulnerability Details

- This vulnerability allows remote attackers to disclose sensitive information on affected installations of IBM WebSphere. No authentication is required to exploit this vulnerability.
- The specific flaw exists within the EDataGraphImpl class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to disclose information in the context of root.

### Additional Details

- IBM has issued an update to correct this vulnerability. More details can be found at: [https://www.ibm.com/support/pages/node/6413709](https://www.ibm.com/support/pages/node/6413709)

### Disclosure Timeline

- 2020-12-11: Vulnerability reported to vendor
- 2021-02-10: Coordinated public release of advisory

### Credit

- r00t4dm at Cloud-Penetrating Arrow Lab and Longofo at Knownsec 404 Team
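The vulnerability class described above is Java deserialization of untrusted data. The following is an added example, not code from the advisory, from IBM, or from WebSphere, and it is not the vendor's fix for CVE-2021-20353 (apply the IBM update for that). It shows the generic defense-in-depth control a practitioner would want on any endpoint that calls `ObjectInputStream.readObject()` on attacker-reachable bytes: a JEP 290 allow-list filter (`java.io.ObjectInputFilter`, JDK 9+) that rejects any class not explicitly permitted before an instance is constructed. The `Ticket` and `Unexpected` classes are constructed for the demo and stand in for "a type the application expects" and "any type it does not".

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Added illustration of an allow-list deserialization filter (JEP 290).
// Not IBM's fix for CVE-2021-20353; the classes below are constructed for the demo.
public class DeserializationFilterDemo {

    // A type the application legitimately expects to receive.
    static final class Ticket implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        Ticket(String id) { this.id = id; }
    }

    // Stands in for any class the application never intended to deserialize.
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        final String payload = "should never be reconstructed";
    }

    // Allow only Ticket and the JDK's own java.base types, with depth and
    // reference-count limits, and reject everything else. Without the trailing
    // "!*", unmatched classes would be UNDECIDED, which the stream treats as accepted.
    static ObjectInputFilter allowList() {
        return ObjectInputFilter.Config.createFilter(
                "maxdepth=5;maxrefs=100;DeserializationFilterDemo$Ticket;java.base/*;!*");
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with the allow-list applied to this stream only.
    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(allowList());
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Accept path: a Ticket round-trips normally.
        Ticket t = (Ticket) deserialize(serialize(new Ticket("T-1")));
        System.out.println("accepted: Ticket " + t.id);

        // Reject path: the filter refuses Unexpected before any instance exists,
        // so neither its constructor nor any readObject hook ever runs.
        try {
            deserialize(serialize(new Unexpected()));
            System.out.println("BUG: Unexpected was reconstructed");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same pattern string can be applied process-wide with the `jdk.serialFilter` system property (`-Djdk.serialFilter=...`) or as a global filter via `ObjectInputFilter.Config.setSerialFilter`, which covers deserialization sites in third-party code that you cannot edit. An allow-list is the point: a deny-list of known gadget classes is only as good as the last gadget chain you heard about.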