CVE-2020-4362: 
IBM WebSphere App Server vulnerability analysis and mitigation

IBM WebSphere Application Server traditional versions 7.0, 8.0, 8.5, and 9.0 was identified with a privilege escalation vulnerability (CVE-2020-4362) when using token-based authentication in admin requests over the SOAP connector. The vulnerability was initially discovered and reported to IBM by Noxxx at Chaitin Tech, with the initial disclosure made on April 9, 2020 (IBM Security).

The vulnerability received a CVSS Base score of 7.5 with a vector of CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating a high severity issue. The technical assessment shows that the vulnerability requires network access, has high attack complexity, requires low privileges, and no user interaction, while potentially impacting confidentiality, integrity, and availability (IBM Security).

The vulnerability could allow an attacker to perform privilege escalation when exploiting the token-based authentication mechanism in admin requests through the SOAP connector. This could potentially lead to unauthorized access to administrative functions and compromise of the affected WebSphere Application Server systems (IBM Security).

IBM released several remediation options including applying Interim Fix PH23853 for various versions after upgrading to minimal fix pack levels. For version 9.0.0.0 through 9.0.5.4, users can either apply the interim fix or upgrade to Fix Pack 9.0.5.5 or later. Similar options were provided for version 8.5.0.0 through 8.5.5.17. For older versions 8.0.0.0 through 8.0.0.15 and 7.0.0.0 through 7.0.0.45, specific upgrade paths were required before applying the interim fix. No workarounds were available, making patch application necessary (IBM Security).