IBM WebSphere Application Server (WAS) Welcome Page Security Bypass
Remote / Network Access
Loss of Confidentiality
WebSphere Application Server contains a flaw that may lead to unauthorized access. The issue is triggered when a context is secured using a '/*' directive. Direct access to a context's index page using its file name is covered by an authentication process, whereas a request to the directory itself is not covered. This will disclose the index page without authenticatoin, resulting in a loss of confidentiality.
Upgrade to version 18.104.22.168 or higher, as it has been reported to fix this vulnerability. In addition, IBM has released a patch (Fix Pack 3) for some older versions.