Impact
The flaw in IBM WebSphere Application Server 8.5 and 9.0 resides in the Ajax Proxy component and permits server-side request forgery (SSRF). An attacker can make the server issue outbound HTTP requests to destinations of the attacker's choosing, so the requests originate from the WebSphere host's network position rather than the attacker's. That reach extends to resources that are only accessible from the server's network segment, such as internal services that assume any caller is trusted. The impact covers confidentiality and integrity because the attacker can read responses from those services, send them attacker-chosen requests, and use the server as a pivot to attack other hosts.
Affected Systems
IBM WebSphere Application Server versions 8.5.0.0 through 8.5.5.29 and 9.0.0.0 through 9.0.5.28 are affected. To remediate, upgrade to fix pack 8.5.5.30 or later for 8.5, or fix pack 9.0.5.29 or later for 9.0, or apply the interim fix for APAR PH71556 from IBM's support site. Because the issue requires the Ajax Proxy endpoint to be reachable, limiting which clients can reach that endpoint reduces exposure until the fix is applied, but it is not a substitute for it.
Risk and Exploitability
The CVSS base score of 7.4 places the issue in the High severity band. No EPSS score is available, so the current likelihood of exploitation cannot be estimated from that source, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Based on the description, the SSRF is triggered when the Ajax Proxy endpoint is reachable and accepts requests carrying an attacker-controlled destination URL. An attacker who can reach the endpoint can make the server issue requests into internal or external networks, exposing confidential information or enabling further attacks against hosts that trust the server. No public exploit or proof of concept is referenced, but SSRF through a general-purpose proxy typically offers several exploitation paths (internal port and service discovery, access to services that assume the caller sits on a trusted network) once the endpoint is exposed, so the absence of a public exploit should not be read as low risk.
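The hardening check and the log triage a practitioner would want for a proxy of this kind, as an added example that is not IBM's code and does not reproduce the Ajax Proxy's configuration format or URL syntax: the proxy path `/ajaxproxy/`, the `url` query parameter, the host allowlist and the access-log lines are all assumptions constructed for illustration. The guard enforces a destination allowlist and rejects the URL shapes commonly used to reach internal hosts through an SSRF (loopback, private and link-local address literals, bracketed and IPv4-mapped IPv6 literals, non-HTTP schemes, an allowed name hidden in the userinfo part), and the triage function runs the same check over access-log lines to find requests that tried to push a disallowed destination through the proxy.

```python
"""Destination allowlist guard and access-log triage for a server-side
proxy that fetches a caller-supplied URL, the pattern behind the SSRF
described above.  Illustrative code, not IBM's Ajax Proxy: the proxy
path, query parameter, allowlist and log lines are constructed here."""
from __future__ import annotations

import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: the proxy is only meant to reach these hosts; everything else is denied.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"http", "https"}


def classify_host(host: str) -> str:
    """Classify a URL host as 'name', 'literal-public' or 'literal-internal'.

    Address literals are checked directly; IPv4-mapped IPv6 literals such as
    ::ffff:127.0.0.1 are unwrapped so they cannot slip past the IPv4 checks."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return "name"  # a hostname, or an odd literal such as 0x7f000001
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified):
        return "literal-internal"
    return "literal-public"


def check_proxy_target(raw_url: str) -> tuple[bool, str]:
    """Return (allowed, reason) for a destination URL handed to the proxy."""
    try:
        parts = urlsplit(raw_url)
    except ValueError as exc:  # e.g. malformed IPv6 brackets
        return False, f"unparseable url: {exc}"
    if parts.scheme not in ALLOWED_SCHEMES:  # urlsplit lowercases the scheme
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username is not None or parts.password is not None:
        # http://api.example.com@127.0.0.1/ puts the allowed name in userinfo
        return False, "userinfo in url"
    host = parts.hostname  # lowercased, IPv6 brackets removed
    if not host:
        return False, "missing host"
    kind = classify_host(host)
    if kind == "literal-internal":
        return False, f"internal address literal: {host}"
    if kind == "literal-public":
        return False, f"ip literal not in allowlist: {host}"
    if host.rstrip(".") not in ALLOWED_HOSTS:  # trailing-dot FQDN form
        return False, f"host not in allowlist: {host}"
    return True, "ok"


# Combined-log-format prefix; the request path is all we need from it.
_LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)


def triage_access_log(lines, proxy_prefix="/ajaxproxy/", param="url"):
    """Find requests that handed the proxy a destination the guard would deny.

    Returns a list of (source_ip, status, target_url, reason).  Assumes the
    proxy receives its destination in the query parameter `param`."""
    findings = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m or not m.group("path").startswith(proxy_prefix):
            continue
        query = urlsplit(m.group("path")).query
        for target in parse_qs(query).get(param, []):  # parse_qs percent-decodes
            allowed, reason = check_proxy_target(target)
            if not allowed:
                findings.append((m.group("src"), m.group("status"), target, reason))
    return findings


# Constructed sample log lines (RFC 5737 documentation addresses), not from any real system.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Mar/2025:10:01:02 +0000] "GET /ajaxproxy/?url=https%3A%2F%2Fapi.example.com%2Fv1%2Fstatus HTTP/1.1" 200 512',
    '198.51.100.23 - - [05/Mar/2025:10:01:09 +0000] "GET /ajaxproxy/?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 1422',
    '198.51.100.23 - - [05/Mar/2025:10:01:15 +0000] "GET /ajaxproxy/?url=http%3A%2F%2F%5B%3A%3A1%5D%3A9060%2Fadmin%2F HTTP/1.1" 302 0',
    '198.51.100.23 - - [05/Mar/2025:10:01:21 +0000] "GET /ajaxproxy/?url=http%3A%2F%2Fapi.example.com%40127.0.0.1%2F HTTP/1.1" 200 88',
    '203.0.113.9 - - [05/Mar/2025:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 3011',
]

if __name__ == "__main__":
    for src, status, target, reason in triage_access_log(SAMPLE_LOG):
        print(f"{src} {status} {target}  <- {reason}")
```

Two limits are worth stating. The guard inspects only the URL, so a name on the allowlist that resolves to an internal address, or an allowed host that answers with a redirect to one, has to be handled at fetch time: resolve once, connect to that address, and do not follow redirects without re-running the check. And the triage is a retrospective aid for deciding whether the endpoint was probed before the fix pack went in; it does not replace the fix.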
OpenCVE Enrichment