CVE-2021-38977

Name of the Vulnerable Software and Affected Versions IBM Tivoli Key Lifecycle Manager versions 3.0 through 4.1

Description The issue arises because IBM Tivoli Key Lifecycle Manager does not set the secure attribute on authorization tokens or session cookies. This allows attackers to potentially obtain cookie values by sending a user a http:// link or by planting this link in a site the user visits. The cookie will be sent to the insecure link, and the attacker can then obtain the cookie value by snooping the traffic.

Recommendations For versions 3.0 through 4.1, consider setting the secure attribute on authorization tokens or session cookies manually to prevent them from being sent over insecure connections. As a temporary workaround, restrict access to sensitive areas of the application that use these cookies to minimize the risk of exploitation.