CVE-2019-4686

Name of the Vulnerable Software and Affected Versions IBM Security Guardium Data Encryption (GDE) version 3.0.0.2

Description The issue allows attackers to obtain cookie values by sending a http link to a user or by planting this link in a site the user visits. The cookie will be sent to the insecure link, and the attacker can then obtain the cookie value by snooping the traffic. This is possible because the secure attribute is not set on authorization tokens or session cookies.

Recommendations For version 3.0.0.2, consider setting the secure attribute on authorization tokens or session cookies to prevent them from being sent over insecure links. As a temporary workaround, restrict access to sensitive information that may be accessed using the cookie values until a proper fix is applied. At the moment, there is no information about a newer version that contains a fix for this vulnerability.