CVE-2019-4563

Name of the Vulnerable Software and Affected Versions IBM Security Directory Server version 6.4.0

Description The issue allows attackers to obtain cookie values by sending a user to an insecure link or by planting such a link in a site the user visits. This can be done because the secure attribute is not set on authorization tokens or session cookies. As a result, the cookie will be sent to the insecure link, and the attacker can then obtain the cookie value by snooping the traffic.

Recommendations For IBM Security Directory Server version 6.4.0, consider setting the secure attribute on authorization tokens or session cookies to prevent them from being sent over insecure connections. As a temporary workaround, restrict access to sensitive operations that rely on these cookies until a proper fix is applied.