Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in IBM Security Identity Governance and Intelligence (IGI) - CVE-2020-4233
Published: May 29, 2020
Vulnerability identifier: #VU28365
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-4233
CWE-ID:
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
IBM Security Identity Governance and Intelligence (IGI)
IBM Security Identity Governance and Intelligence (IGI)
Software vendor:
IBM Corporation
IBM Corporation
Description
The vulnerability allows a remote attacker to bypass security restrictions.
The vulnerability exists due to the application fails to set the secure flag for the session cookie in SSL mode. By intercepting its transmission within an HTTP session, an attacker could exploit this vulnerability to capture the cookie and obtain sensitive information.
Remediation
Install updates from vendor's website.