CVE-2021-20480: 
IBM WebSphere App Server vulnerability analysis and mitigation

IBM WebSphere Application Server versions 7.0, 8.0, and 8.5 were identified with a server-side request forgery (SSRF) vulnerability tracked as CVE-2021-20480. The vulnerability was discovered and reported to IBM by Kylinking of Ant FG Security Lab, with the initial disclosure made on April 7, 2021 (IBM Advisory).

The vulnerability allows remote authenticated attackers to send specially crafted requests that could lead to unauthorized access to sensitive data. The severity of this vulnerability is rated as MEDIUM with a CVSS v3.1 Base Score of 6.5 (NIST) and 4.3 (IBM), with the vector string CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The vulnerability is classified under CWE-918 (Server-Side Request Forgery) (NVD).

If exploited, this vulnerability could allow an authenticated attacker to obtain sensitive data through server-side request forgery attacks. The impact primarily affects the confidentiality of the system, with no direct impact on integrity or availability (IBM Advisory).

IBM has released fixes for all affected versions. For WebSphere Application Server 8.5.0.0 through 8.5.5.19, users can either upgrade to Fix Pack 8.5.5.20 or later, or apply Interim Fix PH33994. For version 8.0.0.0 through 8.0.0.15, users should upgrade to 8.0.0.15 and apply Interim Fix PH33994. For version 7.0.0.0 through 7.0.0.45, users need to upgrade to 7.0.0.45 and apply Interim Fix PH33994. No workarounds are available for this vulnerability (IBM Advisory).