Spoofing attack in IBM WebSphere Application Server and IBM WebSphere Application Server Liberty - CVE-2021-39038

Published: February 25, 2022


Vulnerability identifier: #VU60870
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-39038
CWE-ID: CWE-451
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: IBM Corporation
Affected software:
IBM WebSphere Application Server
IBM WebSphere Application Server Liberty

Detailed vulnerability description

The vulnerability allows a remote attacker to perform a clickjacking attack.

The vulnerability exists due to incorrect processing of user-supplied data when REST API discovery is enabled, either through the WebSphere administrative console Web Container settings (the API Discovery service) or through the IBM WebSphere Application Server Liberty features mpOpenAPI-1.0, mpOpenAPI-1.1, mpOpenAPI-2.0, apiDiscovery-1.0, openapi-3.0 or openapi-3.1. A remote attacker can perform a clickjacking attack against the affected discovery endpoints.
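Because the advisory ties exposure to specific Liberty features, the first thing an administrator wants is an inventory check: which server.xml files enable one of the named features. The following script is an added example written for this page, not IBM code; it parses a constructed sample server.xml (the `featureManager`/`feature` element layout is Liberty's standard configuration format) and reports the enabled features that appear in the advisory's list. Feature names are compared case-insensitively, which is an assumption made so that a differently-cased entry is not missed.

```python
"""Scan Liberty server.xml configuration for the API-discovery features that
the CVE-2021-39038 advisory names. Added example, not vendor code."""
import sys
import xml.etree.ElementTree as ET

# Liberty features the advisory lists as enabling the affected REST API discovery.
AFFECTED_FEATURES = frozenset({
    "mpOpenAPI-1.0", "mpOpenAPI-1.1", "mpOpenAPI-2.0",
    "apiDiscovery-1.0", "openapi-3.0", "openapi-3.1",
})

# Constructed sample configuration; not taken from any real deployment.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<server description="constructed sample">
    <featureManager>
        <feature>jaxrs-2.1</feature>
        <feature>mpOpenAPI-2.0</feature>
        <feature>servlet-4.0</feature>
    </featureManager>
    <httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="9080" httpsPort="9443"/>
</server>
"""


def enabled_features(server_xml: str) -> list:
    """Return every <feature> name under any <featureManager>, in file order."""
    root = ET.fromstring(server_xml)
    names = []
    for manager in root.iter("featureManager"):
        for feature in manager.findall("feature"):
            if feature.text and feature.text.strip():
                names.append(feature.text.strip())
    return names


def affected_features(server_xml: str) -> list:
    """Return the enabled features that the advisory lists, in canonical spelling.

    Comparison is case-insensitive (assumption: a differently-cased entry in
    server.xml should still be flagged for review)."""
    canonical = {name.casefold(): name for name in AFFECTED_FEATURES}
    hits = {canonical[f.casefold()] for f in enabled_features(server_xml)
            if f.casefold() in canonical}
    return sorted(hits)


def main(paths: list) -> int:
    """Report per file; exit status 1 if any file enables an affected feature."""
    exit_code = 0
    if not paths:
        print("no paths given; scanning the built-in constructed sample")
        hits = affected_features(SAMPLE_SERVER_XML)
        print("sample:", ", ".join(hits) if hits else "no affected features")
        return 1 if hits else 0
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            hits = affected_features(fh.read())
        print(f"{path}: {', '.join(hits) if hits else 'no affected features'}")
        if hits:
            exit_code = 1
    return exit_code


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with one or more server.xml paths (`python scan_features.py /path/to/server.xml`); a non-zero exit status makes it easy to use in a fleet-wide inventory job. The administrative-console path for traditional WebSphere (the Web Container API Discovery setting) is not a file this script reads and has to be checked separately.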


How to mitigate CVE-2021-39038

Install updates from the vendor's website.
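The advisory's fix is the vendor update. Independently of that, clickjacking (CWE-451) is the class of weakness where a page can be embedded in an attacker-controlled frame, and the generic browser-side control is a response that forbids framing via `X-Frame-Options` or a `Content-Security-Policy` `frame-ancestors` directive. The following added example, not vendor code and not the patch itself, evaluates a captured set of response headers from a discovery endpoint and says whether framing is restricted; the sample responses are constructed, and the endpoint path used in them is a placeholder.

```python
"""Judge whether HTTP response headers restrict framing (generic clickjacking
check). Added example; it verifies a deployment's headers and is not the
vendor fix described in the advisory."""

# Constructed raw responses for a hypothetical discovery UI path.
UNPROTECTED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "Content-Length: 0\r\n\r\n"
)
PROTECTED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "Content-Length: 0\r\n\r\n"
)


def parse_headers(raw_response: str) -> dict:
    """Split a raw HTTP response head into a lower-cased header dict."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def frame_ancestors(csp: str):
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def framing_restricted(headers: dict) -> tuple:
    """Return (restricted, reason). Browsers honour CSP frame-ancestors over
    X-Frame-Options when both are present, so CSP is evaluated first."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy")
    if csp:
        sources = frame_ancestors(csp)
        if sources is not None:
            if not sources or "*" in sources:
                return False, "CSP frame-ancestors permits any origin"
            return True, f"CSP frame-ancestors {' '.join(sources)}"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, f"X-Frame-Options {xfo}"
    if xfo.startswith("ALLOW-FROM"):
        # Obsolete directive; modern browsers ignore it, so treat as unprotected.
        return False, "X-Frame-Options ALLOW-FROM is not honoured by current browsers"
    return False, "no anti-framing header present"


def check_response(raw_response: str) -> tuple:
    """Convenience wrapper: raw response text in, (restricted, reason) out."""
    return framing_restricted(parse_headers(raw_response))


if __name__ == "__main__":
    for label, raw in (("unprotected", UNPROTECTED_RESPONSE), ("protected", PROTECTED_RESPONSE)):
        ok, why = check_response(raw)
        print(f"{label}: {'restricted' if ok else 'NOT restricted'} ({why})")
```

A negative result on a discovery endpoint does not by itself confirm the CVE, and a positive result does not replace the update; the check is a way to confirm, after patching or after placing the endpoint behind a proxy that adds these headers, that the response actually carries an anti-framing policy.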

Sources