Session Fixation in IBM Security Identity Governance and Intelligence (IGI) - CVE-2017-1368
Published: August 6, 2018 / Updated: August 8, 2020
Vulnerability identifier: #VU36789
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2017-1368
CWE-ID: CWE-384
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: IBM Corporation
Affected software:
IBM Security Identity Governance and Intelligence (IGI)
IBM Security Identity Governance and Intelligence (IGI)
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
IBM Security Identity Governance Virtual Appliance 5.2 through 5.2.3.2 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 126861.
How to mitigate CVE-2017-1368
Install update from vendor's website.