IBM CICS TX information disclosure
CVE-2023-33847

3.1LOW

Key Information:

Vendor
IBM
Status
TXSeries for Multiplatforms
CICS TX Standard
CICS TX Advanced
Vendor
CVE Published:
8 June 2023

Summary

IBM TXSeries for Multiplatforms 8.1, 8.2, 9.1, CICS TX Standard, 11.1, CICS TX Advanced 10.1, and 11.1 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 257102.

Affected Version(s)

CICS TX Advanced 10.1, 11.1

CICS TX Standard 11.1

TXSeries for Multiplatforms 8.1, 8.2, 9.1

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/257102
vdb-entry
https://www.ibm.com/support/pages/node/7001645
vendor-advisory
https://www.ibm.com/support/pages/node/7001641
vendor-advisory

CVSS V3.1

Score:
3.1
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.