Session Fixation in IBM Security Identity Governance and Intelligence (IGI)

#VU34122 Session Fixation in IBM Security Identity Governance and Intelligence (IGI)

Published: 2020-08-05 | Updated: 2020-08-08

Vulnerability identifier: #VU34122

Vulnerability risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-4243

CWE-ID: CWE-384

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
IBM Security Identity Governance and Intelligence (IGI)
Server applications / Directory software, identity management

Vendor: IBM Corporation

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

IBM Security Identity Governance and Intelligence 5.2.6 Virtual Appliance could allow a remote attacker to obtain sensitive information using man in the middle techniques due to not properly invalidating session tokens. IBM X-Force ID: 175420.

Mitigation
Install update from vendor's website.

Vulnerable software versions

IBM Security Identity Governance and Intelligence (IGI): 5.2.6

External links
http://exchange.xforce.ibmcloud.com/vulnerabilities/175420
http://www.ibm.com/support/pages/node/6255972

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Session Fixation in IBM Security Identity Governance and Intelligence (IGI)