Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in IBM Security Identity Governance and Intelligence (IGI) - CVE-2020-4233

 

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in IBM Security Identity Governance and Intelligence (IGI) - CVE-2020-4233

Published: May 29, 2020


Vulnerability identifier: #VU28365
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-4233
CWE-ID:
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: IBM Corporation
Affected software:
IBM Security Identity Governance and Intelligence (IGI)

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass security restrictions.

The vulnerability exists due to the application fails to set the secure flag for the session cookie in SSL mode. By intercepting its transmission within an HTTP session, an attacker could exploit this vulnerability to capture the cookie and obtain sensitive information.


How to mitigate CVE-2020-4233

Install updates from vendor's website.

Sources