Missing encryption of sensitive data in IBM Cloud Automation Manager
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2019-4616 |
| CWE-ID | CWE-311 |
| Exploitation vector | Local network |
| Public exploit | N/A |
| Vulnerable software |
IBM Cloud Automation Manager Server applications / Other server solutions |
| Vendor | IBM Corporation |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Missing Encryption of Sensitive Data
EUVDB-ID: #VU77187
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2019-4616
CWE-ID:
CWE-311 - Missing Encryption of Sensitive Data
Exploit availability: No
DescriptionThe vulnerability allows an adjacent attacker to gain access to potentially sensitive information.
The vulnerability exists due to IBM Cloud Automation Manager does not set the secure attribute on authorization tokens or session cookies. An adjacent attacker can get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Automation Manager: 3.2.1.0
CPE2.3 External linkshttps://www.ibm.com/support/pages/node/1289188
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
