WebSphere Application Server could allow a remote attacker to bypass security restrictions. Web-based applications, including Web services applications running on WebSphere Application Server, could disclose application specific files contained within the war file, including files under the web-inf and meta-inf directories. An attacker could exploit this vulnerability to view or execute files on the server contained within the war file. This vulnerability also affects the WebSphere administrative console when administrative security is disabled.
Upgrade to the latest version of WebSphere or apply the PK81387 security fix.