CVE-2022-22476: 
IBM WebSphere App Server vulnerability analysis and mitigation

IBM WebSphere Application Server Liberty versions 17.0.0.3 through 22.0.0.7 and Open Liberty were identified with a vulnerability that allows identity spoofing by authenticated users. The vulnerability was discovered in early 2022 and was assigned CVE-2022-22476. The issue specifically affects systems with appSecurity-1.0, appSecurity-2.0, appSecurity-3.0, or appSecurity-4.0 features enabled (IBM Security).

The vulnerability has been assigned a CVSS Base score of 5.0 with the vector (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L). This scoring indicates that the vulnerability requires network access, has high attack complexity, needs low privileges, and can impact confidentiality, integrity, and availability at a low level (IBM Security).

When successfully exploited, this vulnerability allows authenticated users to perform identity spoofing through specially crafted requests. This could potentially lead to unauthorized access and impersonation of other users within the system (IBM Security).

IBM recommends addressing the vulnerability by applying the interim fix containing APAR PH47867 or upgrading to Liberty Fix Pack 22.0.0.8 or later. For affected versions (17.0.0.3 - 22.0.0.7), users should upgrade to the minimal fix pack levels as required by the interim fix. No workarounds are available for this vulnerability (IBM Security).