Session Fixation Vulnerability in IBM Security Access Manager
CVE-2019-4152

5.1MEDIUM

Key Information:

Vendor
IBM
Vendor
CVE Published:
25 June 2019

Summary

IBM Security Access Manager versions 9.0.1 to 9.0.6 suffer from a session fixation vulnerability caused by not invalidating session tokens promptly. This flaw can potentially allow an attacker with local access to exploit a closed browser session, gaining unauthorized access. It emphasizes the need for stringent session management practices to ensure session tokens are efficiently invalidated upon user logout or session expiration.

Affected Version(s)

Security Access Manager 9.0.1

Security Access Manager 9.0.3

Security Access Manager 9.0.4

References

CVSS V3.1

Score:
5.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.