CVE-2018-1948

Name of the Vulnerable Software and Affected Versions IBM Security Identity Governance and Intelligence versions 5.2 through 5.2.4.1 Virtual Appliance

Description The issue allows attackers to obtain cookie values by sending a http link to a user or by planting this link in a site the user visits. This is possible because the secure attribute is not set on authorization tokens or session cookies. As a result, the cookie will be sent to the insecure link, and the attacker can then obtain the cookie value by snooping the traffic.

Recommendations For IBM Security Identity Governance and Intelligence versions 5.2 through 5.2.4.1 Virtual Appliance, consider setting the secure attribute on authorization tokens or session cookies to prevent them from being sent over insecure links. As a temporary workaround, restrict access to sensitive resources that use these cookies to minimize the risk of exploitation.