IBMD66BF551C14C55DC0AA1856B1D7598EAB07083397426410BF3EB8A88D00F7BDASecurity Bulletin: Potential spoofing attack in WebSphere Application Server (CVE-2020-4421)
EPSS
Percentile
19.6%
Summary
IBM WebSphere Application Server Liberty using openidConnectServer feature could allow spoofing identity by an authenticated user. This has been addressed.
Vulnerability Details
CVEID:CVE-2020-4421
**DESCRIPTION:**IBM WebSphere Application Liberty could allow an authenticated user using openidconnect to spoof another users identify.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/180084 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| WebSphere Application Server Liberty | 19.0.0.5-20.0.0.4 |
Remediation/Fixes
The recommended solution is to apply the interim fix or FixPack containing APAR PH24154 for each named product as soon as practical.
For WebSphere Application Server Liberty 19.0.0.5-20.0.0.4 using the openidConnectServer-1.0 feature:
ยท Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH24154
--ORโ
ยท Apply Liberty Fix Pack 20.0.0.5 or later.
Additional interim fixes may be available and linked off the interim fix download page.
Workarounds and Mitigations
None
Related
EPSS
Percentile
19.6%