#VU77187 Missing Encryption of Sensitive Data in IBM Cloud Automation Manager - CVE-2019-4616

Cybersecurity Help s.r.o.

Published: 2023-06-13

Vulnerability identifier: #VU77187

Vulnerability risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-4616

CWE-ID: CWE-311

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
IBM Cloud Automation Manager
Server applications / Other server solutions

Vendor: IBM Corporation

Description

The vulnerability allows an adjacent attacker to gain access to potentially sensitive information.

The vulnerability exists due to IBM Cloud Automation Manager does not set the secure attribute on authorization tokens or session cookies. An adjacent attacker can get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

IBM Cloud Automation Manager: 3.2.1.0

External links
https://exchange.xforce.ibmcloud.com/vulnerabilities/168644
https://www.ibm.com/support/pages/node/1289188

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Missing encryption of sensitive data in IBM Cloud Automation Manager