CVE-2021-39038: 
IBM WebSphere App Server vulnerability analysis and mitigation

IBM WebSphere Application Server 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 22.0.0.2 are affected by a clickjacking vulnerability identified as CVE-2021-39038. The vulnerability is present when REST API discovery is configured through the WebSphere administrative console Web Container settings or through specific Liberty features including mpOpenAPI-1.0, mpOpenAPI-1.1, mpOpenAPI-2.0, apiDiscovery-1.0, openapi-3.0, or openapi-3.1 (IBM Security Bulletin).

The vulnerability has been assigned a CVSS Base score of 4.4 with the vector (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N). This indicates that the vulnerability requires network access, high attack complexity, low privileges, user interaction, and can affect resources beyond the security scope of the affected component, with low impact on confidentiality and integrity (IBM Security Bulletin).

If exploited, this vulnerability could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious website, an attacker could exploit this vulnerability to hijack the victim's click actions and potentially launch further attacks against the victim (NVD).

IBM recommends addressing the vulnerability by applying currently available interim fix or fix pack containing APAR PH43223 and PH43760. For Liberty users, upgrading to Fix Pack 22.0.0.3 or later is recommended. For traditional WebSphere Application Server V9.0.0.0 through 9.0.5.11, users should upgrade to Fix Pack 9.0.5.12 or later, or apply Interim Fix PH43760 (IBM Security Bulletin).