CVE-2017-1368

MEDIUM

IBM Security Identity Governance Virtual Appliance <5.2.3.2 - Open ...

Title source: llm

Description

IBM Security Identity Governance Virtual Appliance 5.2 through 5.2.3.2 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 126861.

References (2)

Core 2

Core References

VDB Entry vdb-entry x_refsource_xf

https://exchange.xforce.ibmcloud.com/vulnerabilities/126861

Patch, Vendor Advisory x_refsource_confirm

http://www.ibm.com/support/docview.wss?uid=swg22016869

Scores

CVSS v3 4.3

EPSS 0.0128

EPSS Percentile 66.1%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Details

CWE

CWE-384

Status published

Products (7)

ibm/security_identity_governance_and_intelligence 5.2

ibm/security_identity_governance_and_intelligence 5.2.1

ibm/security_identity_governance_and_intelligence 5.2.2

ibm/security_identity_governance_and_intelligence 5.2.2.1

ibm/security_identity_governance_and_intelligence 5.2.3

ibm/security_identity_governance_and_intelligence 5.2.3.1

ibm/security_identity_governance_and_intelligence 5.2.3.2

Published Aug 06, 2018

Tracked Since Feb 18, 2026