Missing Encryption of Sensitive Data in IBM Cloud Automation Manager - CVE-2019-4616

 


Published: June 13, 2023


Vulnerability identifier: #VU77187
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-4616
CWE-ID: CWE-311
Exploitation vector: Adjacent network
Exploit availability: No public exploit available
Vulnerable software:
IBM Cloud Automation Manager
Software vendor:
IBM Corporation

Description

The vulnerability allows an adjacent attacker to gain access to potentially sensitive information.

The vulnerability exists because IBM Cloud Automation Manager does not set the Secure attribute on authorization tokens or session cookies. Without that attribute, the browser also sends these cookies over unencrypted HTTP connections. An adjacent attacker can obtain the cookie values by sending an http:// link to a user or by planting this link on a site the user visits.


Remediation

Install updates from the vendor's website.
