CVE-2020-4163: 
IBM WebSphere App Server vulnerability analysis and mitigation

IBM WebSphere Application Server versions 7.0, 8.0, 8.5, and 9.0 were identified with a command execution vulnerability (CVE-2020-4163). The vulnerability was discovered in December 2019 and publicly disclosed in February 2020. Under specialized conditions, this vulnerability could allow an authenticated user to create a maliciously crafted file name which would be misinterpreted as jsp content and executed (IBM Support).

The vulnerability has been assigned a CVSS v3.1 base score of 6.6 with the vector AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility with high attack complexity and high privileges required. The vulnerability is classified under CWE-269 and requires authentication for exploitation (NVD).

If successfully exploited, this vulnerability could allow an authenticated attacker to execute commands on the affected system through misinterpreted JSP content. The impact includes potential compromise of system confidentiality, integrity, and availability on affected WebSphere Application Server installations (IBM Support).

IBM has released fixes for all affected versions. For V9.0.0.0 through 9.0.5.2, users can either upgrade to Fix Pack 9.0.5.3 or later, or apply Interim Fix PH20785. For V8.5.0.0 through 8.5.5.16, users can upgrade to Fix Pack 8.5.5.17 or later, or apply Interim Fix PH20785. For V8.0.0.0 through 8.0.0.15 and V7.0.0.0 through 7.0.0.45, users must upgrade to the latest version within their release and apply Interim Fix PH20785 (IBM Support).