CVE-2023-27554: 
IBM WebSphere App Server vulnerability analysis and mitigation

IBM WebSphere Application Server versions 8.5 and 9.0 were identified with a vulnerability (CVE-2023-27554) related to XML External Entity (XXE) Injection. The vulnerability was discovered and reported by Mateusz Dabrowski and Tomasz Stachowicz, with initial publication on May 10, 2023. This security flaw affects the application server's XML data processing capabilities (IBM Advisory).

The vulnerability is classified as an XML External Entity (XXE) Injection attack vector with a CVSS v3.1 base score of 9.1 (CRITICAL) according to NIST NVD assessment, though IBM's internal assessment rated it at 6.3 (MEDIUM). The vulnerability is tracked under CWE-611 (Improper Restriction of XML External Entity Reference). The attack vector is network-accessible (AV:N) with low attack complexity (AC:L) (NVD).

If exploited, this vulnerability could allow remote attackers to expose sensitive information or consume memory resources. The potential impact includes high confidentiality breach and high availability impact, though no integrity impact has been reported (NVD, IBM Advisory).

IBM recommends addressing the vulnerability by applying the interim fix PH53252 or upgrading to specific fix pack versions. For V9.0.0.0 through 9.0.5.15, users should upgrade to Fix Pack 9.0.5.16 or later. For V8.5.0.0 through 8.5.5.23, users should upgrade to Fix Pack 8.5.5.24 or later. No workarounds are available for this vulnerability (IBM Advisory).