CVE-2020-5016

Name of the Vulnerable Software and Affected Versions IBM WebSphere Application Server versions 7.0 through 9.0

Description The issue allows a remote attacker to traverse directories on the system by sending a specially-crafted URL request containing dot dot sequences (/../) to view arbitrary xml files. This occurs when application security is disabled and JAX-RPC applications are present. Enabling application security prevents this issue.

Recommendations For IBM WebSphere Application Server versions 7.0 through 9.0, enable application security to prevent directory traversal attacks. As a temporary workaround, consider disabling JAX-RPC applications until a patch is available. Restrict access to arbitrary xml files to minimize the risk of exploitation.