CVE-2024-56339: 
IBM WebSphere Application Server vulnerability analysis and mitigation

IBM WebSphere Application Server 9.0 and WebSphere Application Server Liberty versions 17.0.0.3 through 25.0.0.7 are affected by a security bypass vulnerability (CVE-2024-56339). The vulnerability was disclosed on July 17, 2025, and stems from a failure to honor security configuration, potentially allowing remote attackers to bypass security restrictions (IBM Advisory).

The vulnerability has been assigned CWE-650 (Trusting HTTP Permission Methods on the Server Side). According to the CVSS scoring, IBM Corporation assessed it with a base score of 3.7 LOW (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N), while the NVD assessment indicates a higher severity of 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) (NVD Database).

The vulnerability could allow remote attackers to bypass security restrictions due to the system's failure to properly honor security configurations. This primarily affects the confidentiality of the system, with potential unauthorized access to sensitive information (IBM Advisory, NVD Database).

IBM recommends addressing the vulnerability by either applying an interim fix that resolves APAR PH64682 and APAR PH64683, or upgrading to Fix Pack 25.0.0.8 or later for Liberty (targeted availability 3Q2025), or Fix Pack 9.0.5.26 or later for traditional WebSphere Application Server (targeted availability 4Q2025). No workarounds are available (IBM Advisory).