IBM WebSphere EDataGraphImpl Deserialization of Untrusted Data Information Disclosure Vulnerability

Vulnerability IDs: ZDI-21-174, ZDI-CAN-12478
CVE ID: CVE-2021-20353
CVSS Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Affected Vendor: IBM
Affected Product: WebSphere

Vulnerability Details

This vulnerability allows remote attackers to disclose sensitive information on affected installations of IBM WebSphere. No authentication is required to exploit this vulnerability.

The flaw is within the EDataGraphImpl class due to improper validation of user-supplied data, leading to deserialization of untrusted data. An attacker can leverage this to disclose information in the context of root.

Additional Details

IBM has issued an update to correct this vulnerability. More details can be found at:
https://www.ibm.com/support/pages/node/6413709

Disclosure Timeline

2020-12-11: Vulnerability reported to vendor
2021-02-10: Coordinated public release of advisory

Credit

r00t4dm at Cloud-Penetrating Arrow Lab and Longofo at Knownsec 404 Team
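The advisory names the root cause as deserialization of untrusted data reaching a class that never validates what it is handed. The standard mitigation on the JVM, independent of IBM's patch, is a JEP 290 ObjectInputFilter that admits only an explicit allow-list of classes, so that an unexpected type in the stream is rejected before its deserialization logic runs. The following is an added example written for this page; it is not IBM's code or IBM's fix, and the Greeting and Untrusted classes are hypothetical stand-ins constructed for the demonstration (Untrusted represents any type the application does not expect on the wire, not any specific gadget class).

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Set;

/**
 * Added example (not IBM's code): a JEP 290 deserialization filter that
 * only admits an explicit allow-list of classes. Any other class found in
 * the stream, including the hypothetical Untrusted type below, is rejected
 * before its readObject logic can execute. Requires Java 9 or later.
 */
public class DeserializationFilterDemo {

    /** A type the application legitimately expects (constructed for this example). */
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String text;
        public Greeting(String text) { this.text = text; }
    }

    /** A type the application never expects; stands in for any unexpected class. */
    public static final class Untrusted implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String payload;
        public Untrusted(String payload) { this.payload = payload; }
    }

    /** Allow-list: only these classes may be instantiated from the stream. */
    private static final Set<String> ALLOWED = Set.of(
            Greeting.class.getName(),
            "java.lang.String");

    /** Filter consulted for every class the stream tries to resolve. */
    static final ObjectInputFilter ALLOW_LIST_FILTER = info -> {
        Class<?> clazz = info.serialClass();
        if (clazz == null) {
            // Invoked for array-length and depth checks with no class; leave those to other limits.
            return ObjectInputFilter.Status.UNDECIDED;
        }
        // Arrays are reported as the array class; decide on the component type instead.
        while (clazz.isArray()) {
            clazz = clazz.getComponentType();
        }
        if (clazz.isPrimitive() || ALLOWED.contains(clazz.getName())) {
            return ObjectInputFilter.Status.ALLOWED;
        }
        return ObjectInputFilter.Status.REJECTED;
    };

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Deserialize with the allow-list installed; a rejected class raises InvalidClassException. */
    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(ALLOW_LIST_FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected type passes the filter.
        Greeting ok = (Greeting) deserializeFiltered(serialize(new Greeting("hello")));
        System.out.println("accepted: " + ok.text);

        // Unexpected type is refused before any of its fields are read.
        try {
            deserializeFiltered(serialize(new Untrusted("not on the allow-list")));
            System.out.println("BUG: Untrusted was deserialized");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The filter is attached per stream here so the example is self-contained; in a deployment the same allow-list can be applied process-wide through the jdk.serialFilter system property or ObjectInputFilter.Config.setSerialFilter, which covers deserialization paths the application code never touches directly. Rejections surface as InvalidClassException and are worth logging, since a rejected class name in production logs is a useful detection signal for attempts against endpoints that accept serialized input.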