Missing Encryption of Sensitive Data in IBM Cloud Automation Manager - CVE-2019-4616

 

Missing Encryption of Sensitive Data in IBM Cloud Automation Manager - CVE-2019-4616

Published: June 13, 2023


Vulnerability identifier: #VU77187
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-4616
CWE-ID: CWE-311
Exploitation vector: Adjecent network
Exploit availability: No public exploit available
Vendor: IBM Corporation
Affected software:
IBM Cloud Automation Manager

Detailed vulnerability description

The vulnerability allows an adjacent attacker to gain access to potentially sensitive information.

The vulnerability exists due to IBM Cloud Automation Manager does not set the secure attribute on authorization tokens or session cookies. An adjacent attacker can get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to.


How to mitigate CVE-2019-4616

Install updates from vendor's website.

Sources