CVE-2019-4732: 
IBM WebSphere App Server vulnerability analysis and mitigation

IBM SDK, Java Technology Edition versions 7.0.0.0 through 7.0.10.55, 7.1.0.0 through 7.1.4.55, and 8.0.0.0 through 8.0.6.0 were found to contain a DLL search order hijacking vulnerability in Microsoft Windows client. This vulnerability was discovered in 2019 and assigned identifier CVE-2019-4732 (NVD, CVE).

The vulnerability is caused by a DLL search order hijacking issue in the Microsoft Windows client implementation. It received a CVSS v3.1 base score of 6.5 (Medium) with vector CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H. The vulnerability requires local access, high privileges, and user interaction to exploit (NVD).

If successfully exploited, this vulnerability could allow a local authenticated attacker to execute arbitrary code on the affected system. The attacker could achieve this by placing a specially-crafted file in a compromised folder (IBM Advisory).

IBM has released fixes for the affected versions: 7.0.10.60, 7.1.4.60, and 8.0.6.5. The fixes are available through the IBM Java Developer Center. IBM customers who received the SDK with an IBM product should contact IBM support for updates. The fix is tracked under APAR number IJ22355 (IBM Advisory).

The vulnerability was reported by Honggang Ren of Fortinet's FortiGuard Labs (IBM Advisory).