Session Fixation Vulnerability in IBM MQ Appliance
CVE-2021-38986
5.6 MEDIUM
What is CVE-2021-38986?
IBM MQ Appliance versions 9.2 CD and 9.2 LTS contain a session fixation vulnerability: the appliance does not invalidate a user's session after logout. This design flaw could allow an authenticated user to preserve their session and impersonate another user within the system, leading to unauthorized access to sensitive information and actions. Organizations running these versions should take immediate action to mitigate the risk of user impersonation.
Affected Version(s)
MQ Appliance 9.2 LTS
MQ Appliance 9.2 CD