IBM WebSphere Application Server Liberty using openidConnectServer feature could allow spoofing identity by an authenticated user. This has been addressed.
CVEID:CVE-2020-4421
**DESCRIPTION:**IBM WebSphere Application Liberty could allow an authenticated user using openidconnect to spoof another users identify.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/180084 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L)
Affected Product(s) | Version(s) |
---|---|
WebSphere Application Server Liberty | 19.0.0.5-20.0.0.4 |
The recommended solution is to apply the interim fix or FixPack containing APAR PH24154 for each named product as soon as practical.
For WebSphere Application Server Liberty 19.0.0.5-20.0.0.4 using the openidConnectServer-1.0 feature:
ยท Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH24154
--ORโ
ยท Apply Liberty Fix Pack 20.0.0.5 or later.
Additional interim fixes may be available and linked off the interim fix download page.
None