Insecure Cookie Handling in IBM Security Directory Server
CVE-2019-4563

3.7LOW

Key Information:

Vendor: IBM
Status: Security Directory Server
Vendor: CVE Published:; 29 October 2020

Summary

The IBM Security Directory Server 6.4.0 fails to secure authorization tokens and session cookies by not setting the secure attribute. This oversight allows attackers to potentially intercept cookie values through crafted links. When a user clicks on an insecure link, their cookies may be sent without encryption, exposing sensitive session data to attackers who can then snoop on the traffic and exploit the information.

Affected Version(s)

Security Directory Server 6.4.0

References

https://www.ibm.com/support/pages/node/6356607

x_refsource_CONFIRM

https://exchange.xforce.ibmcloud.com/vulnerabilities/166624

vdb-entryx_refsource_XF

CVSS V3.1

Score:

3.7

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 29, 2020
Vulnerability Reserved
Jan 3, 2019