CVE-2023-35890: 
IBM WebSphere App Server vulnerability analysis and mitigation

IBM WebSphere Application Server versions 8.5 and 9.0 were found to contain a security vulnerability (CVE-2023-35890) that could provide weaker than expected security due to improper encoding in a local configuration file. The vulnerability was disclosed on July 6, 2023, specifically affecting versions 9.0.5.15, 9.0.5.16, and 8.5.5.23 (IBM Advisory).

The vulnerability has been assigned a CVSS Base score of 5.5 MEDIUM with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The vulnerability is related to the use of a broken or risky cryptographic algorithm (CWE-327) and requires local access with low attack complexity (NVD).

If exploited, this vulnerability could lead to unauthorized access to sensitive information through improper encoding in a local configuration file. The impact is primarily focused on confidentiality, with no direct impact on integrity or availability of the system (IBM Advisory).

IBM strongly recommends addressing the vulnerability by applying either the interim fix PH54406 or upgrading to newer fix packs. For V9.0.5.15 through 9.0.5.16, users should apply Fix Pack 9.0.5.17 or later. For V8.5.5.23, users should apply Fix Pack 8.5.5.24 or later. No workarounds are available for this vulnerability (IBM Advisory).