Impact
A path traversal flaw in IBM WebSphere Application Server allows a remote attacker to read files accessed by the administrative console’s integrated help system. The vulnerability is a classic instance of CWE‑22 (improper limitation of a pathname to a restricted directory): an attacker constructs URLs whose path components reference directories outside the intended file space. The resulting information disclosure can expose configuration data, log files, or other sensitive artifacts that the application server processes, which may aid further compromise.
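As an added illustration (not IBM's code, and not tied to the specific WebSphere endpoint or fix), the following Python shows the containment check a file-serving component such as an integrated help system needs against CWE‑22 inputs, and applies the same path normalisation to access-log entries so that traversal attempts can be spotted in monitoring. The help root, file names, request strings and log lines are all constructed for the example.

```python
"""Added example: defending against and detecting CWE-22 path traversal.

resolve_under() is the check a file-serving endpoint should perform before
opening a requested file; flag_log_line() reuses the same normalisation to
flag suspicious requests in access logs. All paths and log lines below are
constructed for illustration and are not taken from any real deployment.
"""
import re
import tempfile
from pathlib import Path, PurePosixPath
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a requested path would leave the permitted root."""


def decode_fully(raw: str, rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded segments are seen as-is."""
    current = raw
    for _ in range(rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def resolve_under(root: Path, requested: str) -> Path:
    """Map a URL path component to a file inside `root`, or raise."""
    decoded = decode_fully(requested).replace("\\", "/")
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in path")
    rel = PurePosixPath(decoded)
    if rel.is_absolute():
        raise PathTraversalError("absolute path not allowed")
    if ".." in rel.parts:
        raise PathTraversalError("parent-directory segment not allowed")
    root_real = root.resolve()
    target = root_real.joinpath(*rel.parts).resolve()
    # Defence in depth: filtering '..' segments is not enough if a file under
    # root is a symlink pointing outside it, so confirm containment on the
    # fully resolved path as well.
    if target != root_real and root_real not in target.parents:
        raise PathTraversalError("resolved path escapes root")
    return target


def classify(root: Path, requested: str) -> str:
    """Return 'allowed' or 'rejected: <reason>' for a requested path."""
    try:
        resolve_under(root, requested)
        return "allowed"
    except PathTraversalError as exc:
        return f"rejected: {exc}"


# Detection side: decode the request path of a combined-format access-log line
# and flag any entry whose decoded path contains a '..' segment.
_REQ = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def flag_log_line(line: str) -> bool:
    match = _REQ.search(line)
    if not match:
        return False
    path = decode_fully(match.group(1).split("?", 1)[0]).replace("\\", "/")
    return ".." in PurePosixPath(path).parts


def demo_results() -> dict:
    """Run the resolver over constructed requests in a throwaway help root."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "help"
        (root / "topics").mkdir(parents=True)
        (root / "index.html").write_text("constructed help page")
        (root / "topics" / "console.html").write_text("constructed topic")
        requests = [
            "index.html",
            "topics/console.html",
            "topics/../index.html",       # stays inside root, but '..' is still refused
            "../app.properties",          # constructed: escapes the help root
            "%2e%2e/%2e%2e/secret.txt",   # percent-encoded traversal
            "%252e%252e/secret.txt",      # double-encoded traversal
            "/etc/hostname",              # absolute path
        ]
        return {req: classify(root, req) for req in requests}


# Constructed access-log lines for the detector (not real WebSphere logs).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /help/index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /help/%2e%2e/%2e%2e/config HTTP/1.1" 200 2048',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /help/topics/console.html?x=1 HTTP/1.1" 200 300',
]


def flagged_lines() -> list:
    """Indices of SAMPLE_LOG entries whose decoded path contains a '..' segment."""
    return [i for i, line in enumerate(SAMPLE_LOG) if flag_log_line(line)]


if __name__ == "__main__":
    for req, outcome in demo_results().items():
        print(f"{req!r:30} -> {outcome}")
    print("suspicious log lines:", flagged_lines())
```

The resolver rejects on two independent grounds: the lexical filter refuses absolute paths and any `..` segment after full percent-decoding, and the containment check on the resolved path catches escapes the lexical filter cannot see, such as a symlink inside the root. The detector deliberately reuses `decode_fully`, since a rule that only matches a literal `../` in the raw request line misses the encoded forms.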
Affected Systems
The affected products are IBM WebSphere Application Server versions 8.5.0 through 8.5.5.30 and 9.0.0 through 9.0.5.28. IBM recommends applying the interim fix or an appropriate fix pack (8.5.5.31 or later, 9.0.5.29 or later) to eliminate the path traversal issue.
Risk and Exploitability
The vulnerability carries a CVSS score of 4.3, indicating moderate severity. No EPSS data is available and the issue is not listed in the CISA KEV catalog, so there is no indication of large‑scale exploitation at present. The attack vector is network‑based, via the administrative console’s integrated help system: an attacker needs only network reach to the console to exploit the flaw and read restricted files.
OpenCVE Enrichment