VYPR
Unrated severity · NVD Advisory · Published Dec 18, 2014 · Updated May 6, 2026

CVE-2014-8890

Description

IBM WebSphere Application Server Liberty Profile 8.5.x before 8.5.5.4 allows remote attackers to gain privileges by leveraging the combination of a servlet's deployment descriptor security constraints and ServletSecurity annotations.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM WebSphere Application Server Liberty Profile 8.5.x before 8.5.5.4 allows privilege escalation via conflicting security constraints in deployment descriptor and ServletSecurity annotations.

Vulnerability

IBM WebSphere Application Server Liberty Profile 8.5.x prior to 8.5.5.4 is vulnerable to a privilege escalation issue. The vulnerability arises when a servlet defines security constraints both in its deployment descriptor (web.xml) and via @ServletSecurity annotations. The conflicting constraints can be exploited to bypass intended access controls, allowing unauthorized access to protected resources [1].

Exploitation

An attacker with remote network access can exploit this vulnerability without prior authentication, though the attack complexity is high (CVSSv2: AV:N/AC:H/Au:N). The attacker must craft a request that triggers the servlet with conflicting security constraints, causing the server to apply a weaker constraint than intended. No special privileges or user interaction are required [1].

Impact

Successful exploitation allows the attacker to gain elevated privileges on the system, potentially leading to partial compromise of confidentiality, integrity, and availability (CVSSv2 base score 5.1). The attacker may access sensitive data, modify resources, or disrupt services within the scope of the affected application [1].

Mitigation

The vulnerability is fixed in IBM WebSphere Application Server Liberty Profile 8.5.5.4. For the Full Profile and Version 8.0, fixes are available in Fix Pack 5 (8.5.5.5) and Fix Pack 11 (8.0.0.11), respectively [1]. As a workaround, administrators can combine the security constraints from both the deployment descriptor and annotations into the web.xml file to eliminate conflicts [1]. No other mitigations are known.
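As an added example (not IBM's code and not part of this advisory), a small audit script that lists URL patterns constrained both in web.xml and by a @ServletSecurity annotation, the condition the workaround above removes by folding everything into web.xml. The web.xml and Java sources are constructed samples, and matching is on exact URL patterns only, so overlapping patterns such as /admin/* and /admin/users are not flagged.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample inputs; not taken from any real deployment.
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection><web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

JAVA_SOURCES = {
    # Constrained twice: by web.xml above and by @ServletSecurity here.
    "AdminServlet.java": """
        @WebServlet(urlPatterns = {"/admin/*"})
        @ServletSecurity(@HttpConstraint(rolesAllowed = {"operator"}))
        public class AdminServlet extends HttpServlet {}""",
    # Constrained by the annotation only: a single source, so not flagged.
    "ReportServlet.java": """
        @WebServlet("/report")
        @ServletSecurity(@HttpConstraint(rolesAllowed = {"auditor"}))
        public class ReportServlet extends HttpServlet {}""",
}

# Matches @WebServlet("/x") and @WebServlet(urlPatterns = {"/x", "/y"}).
WEBSERVLET_RE = re.compile(
    r'@WebServlet\s*\(\s*(?:urlPatterns\s*=\s*)?(\{[^}]*\}|"[^"]*")')

def xml_patterns(web_xml: str) -> set:
    """URL patterns under any <security-constraint>; tags matched by local name."""
    found = set()
    for el in ET.fromstring(web_xml).iter():
        if el.tag.endswith("security-constraint"):
            found.update(p.text.strip() for p in el.iter()
                         if p.tag.endswith("url-pattern") and p.text)
    return found

def annotation_patterns(sources: dict) -> set:
    """URL patterns of servlets whose source also carries @ServletSecurity."""
    found = set()
    for src in sources.values():
        m = WEBSERVLET_RE.search(src)
        if m and "@ServletSecurity" in src:
            found.update(re.findall(r'"([^"]*)"', m.group(1)))
    return found

def find_double_constraints(web_xml: str, sources: dict) -> list:
    """Patterns constrained from both sources; per the workaround, fold these into web.xml."""
    return sorted(xml_patterns(web_xml) & annotation_patterns(sources))
```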

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

8
  • cpe:2.3:a:ibm:websphere_application_server:8.5.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:ibm:websphere_application_server:8.5.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:ibm:websphere_application_server:8.5.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:ibm:websphere_application_server:8.5.5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:ibm:websphere_application_server:8.5.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:ibm:websphere_application_server:8.5.5.2:*:*:*:*:*:*:*
  • cpe:2.3:a:ibm:websphere_application_server:8.5.5.3:*:*:*:*:*:*:*

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

6

News mentions

0

No linked articles in our index yet.