VYPR
Severity: unrated · Source: NVD advisory · Published Jun 15, 2018 · Updated Aug 5, 2024

MFSBGN03809 rev.1 - Universal CMDB, Deserialization Java Objects and CSRF

CVE-2018-6496

Description

UCMDB Browser versions 4.10–4.15.1 contain a CSRF vulnerability that leads to unsafe deserialization, potentially enabling remote code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A remote cross-site request forgery (CSRF) vulnerability has been identified in Micro Focus Universal CMDB (UCMDB) Browser versions 4.10, 4.11, 4.12, 4.13, 4.14, 4.15, and 4.15.1 [1]. The flaw is in the UCMDB Browser component: a forged request can carry attacker-chosen serialized Java data to an endpoint that deserializes it unsafely, so a CSRF bug that would otherwise be limited to unwanted state changes becomes a path to code execution [1]. No special configuration is required for the code path to be reachable; the only precondition is that the victim holds an authenticated session with the UCMDB Browser [1].

Exploitation

An attacker must trick an authenticated user into clicking a malicious link or visiting a crafted web page [1]. The attacker does not need direct network access to the UCMDB instance: the victim's browser, which holds the active session cookie, issues the forged request on the attacker's behalf [1]. That request is state-changing and its body is attacker-supplied serialized Java objects, which the server deserializes without restriction [1]. The exact endpoint and payload are not publicly detailed, but the combined CSRF and deserialization attack is remotely exploitable with user interaction [1].

Impact

Successful exploitation allows an attacker to achieve arbitrary code execution on the server running the UCMDB Browser [1]. According to the CVSS v3.0 vector, the attack can compromise confidentiality, integrity, and availability at high severity (base score 7.5) [1]. Code runs with the privileges of the UCMDB Browser application, which can lead to full compromise of the host and of the CMDB data it fronts [1].

Mitigation

Micro Focus addressed the issue in security bulletin MFSBGN03809 rev.1, published June 15, 2018 [1]. Customers should upgrade to the latest patched version of UCMDB Browser; the bulletin does not name a specific fixed version number [1]. If patching is not immediately possible, Micro Focus recommends restricting access to the UCMDB Browser to trusted networks and enforcing strong authentication [1]; note that neither measure stops CSRF, since the forged request comes from a legitimate user on a trusted network. The CVE was not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog at the time of this writing.
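The chain described above, as an added example rather than code from Micro Focus or the UCMDB Browser: a handler that accepts an authenticated POST and feeds its body to an unrestricted ObjectInputStream, next to a hardened version that first rejects cross-site requests (Origin check plus a session-bound synchronizer token) and then deserializes only an allow-listed class through a JEP 290 ObjectInputFilter (Java 9+, backported to 8u121). The Request model, the header names, the SavedView and Gadget classes, the session token and the origin https://ucmdb.example.internal are assumptions made for this illustration; the real endpoint and payload are not public.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;

/** Added illustration of the CSRF-to-deserialization bug class; not UCMDB code. */
public class CsrfDeserializationExample {

    /** Minimal stand-in for an HTTP request (constructed for the example). */
    static final class Request {
        final String method;
        final Map<String, String> headers;
        final byte[] body;
        final String sessionCsrfToken; // secret bound to the victim's authenticated session

        Request(String method, Map<String, String> headers, byte[] body, String sessionCsrfToken) {
            this.method = method;
            this.headers = headers;
            this.body = body;
            this.sessionCsrfToken = sessionCsrfToken;
        }
    }

    /** The one type this (assumed) endpoint legitimately expects. */
    static final class SavedView implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        SavedView(String name) { this.name = name; }
    }

    /** Stand-in for a gadget class: readObject runs attacker-chosen logic during deserialization. */
    static final class Gadget implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean triggered = false;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            triggered = true; // a real gadget chain would reach Runtime.exec or similar here
        }
    }

    /** Vulnerable pattern: the session cookie is the only check, so a cross-site POST reaches the sink. */
    static Object vulnerableHandler(Request req) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(req.body))) {
            return in.readObject(); // any Serializable class on the classpath may be instantiated
        }
    }

    /** Hardened pattern: reject cross-site requests, then deserialize only an allow-listed class. */
    static Object hardenedHandler(Request req, String expectedOrigin) throws IOException, ClassNotFoundException {
        if (!"POST".equals(req.method)) {
            throw new SecurityException("state change requires POST");
        }
        // Browsers always send Origin on cross-site POSTs and page scripts cannot forge it.
        String origin = req.headers.get("Origin");
        if (origin == null || !origin.equals(expectedOrigin)) {
            throw new SecurityException("cross-site request rejected");
        }
        // Synchronizer token: the attacker's page cannot read it, so it cannot supply it cross-site.
        String token = req.headers.get("X-CSRF-Token");
        if (token == null || !MessageDigest.isEqual(
                token.getBytes(StandardCharsets.UTF_8),
                req.sessionCsrfToken.getBytes(StandardCharsets.UTF_8))) {
            throw new SecurityException("missing or invalid CSRF token");
        }
        // JEP 290 filter: SavedView (and String) pass, every other class is rejected before readObject runs.
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "CsrfDeserializationExample$SavedView;java.lang.String;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(req.body))) {
            in.setObjectInputFilter(filter);
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        final String site = "https://ucmdb.example.internal"; // assumed application origin
        final String sessionToken = "c0ffee-session-bound-token"; // assumed per-session secret
        byte[] gadgetPayload = serialize(new Gadget());

        // 1. CSRF: the victim's browser sends the attacker's body with the victim's cookie.
        Request csrf = new Request("POST", Map.of("Origin", "https://attacker.example"), gadgetPayload, sessionToken);
        vulnerableHandler(csrf);
        System.out.println("vulnerable handler ran gadget readObject: " + Gadget.triggered);

        // 2. Hardened: the same request is rejected before any byte is deserialized.
        try {
            hardenedHandler(csrf, site);
        } catch (SecurityException e) {
            System.out.println("hardened handler: " + e.getMessage());
        }

        // 3. Even a same-site request with a valid token cannot smuggle an unexpected class.
        Gadget.triggered = false;
        Request sameSiteGadget = new Request("POST",
                Map.of("Origin", site, "X-CSRF-Token", sessionToken), gadgetPayload, sessionToken);
        try {
            hardenedHandler(sameSiteGadget, site);
        } catch (InvalidClassException e) {
            System.out.println("hardened handler: " + e.getMessage() + "; gadget ran: " + Gadget.triggered);
        }

        // 4. The legitimate object still deserializes.
        Request legit = new Request("POST",
                Map.of("Origin", site, "X-CSRF-Token", sessionToken), serialize(new SavedView("hosts")), sessionToken);
        SavedView view = (SavedView) hardenedHandler(legit, site);
        System.out.println("hardened handler accepted SavedView: " + view.name);
    }
}
```

Run with `java CsrfDeserializationExample.java` on Java 11 or later. The order of the checks is the point: the Origin and token checks run before any byte of the body reaches ObjectInputStream, because a deserialization filter only limits which classes can be instantiated and does nothing to stop a forged request from reaching the sink; conversely, a CSRF defence alone still leaves the endpoint open to any attacker who can obtain a valid session.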

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Micro Focus / UCMDB Browser (no CPE): versions 4.10, 4.11, 4.12, 4.13, 4.14, 4.15, 4.15.1

Patches

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

3 references (cited as [1] above; entries not reproduced on this page).

News mentions

No linked articles in our index yet.