PT-2023-26386 · IBM · IBM CICS TX Advanced

Published

2023-11-13

·

Updated

2023-11-17

·

CVE-2023-38363

CVSS v3.1

4.3

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions: IBM CICS TX Advanced version 10.1
Description: IBM CICS TX Advanced 10.1 issues authorization tokens and session cookies without the Secure attribute. Without that attribute a browser attaches the cookie to every request to the cookie's host and path, including plain-HTTP ones. An attacker can exploit this by sending the user an http:// link to the application, or by embedding such a link in a web page the user visits: when the user follows the link, the browser sends the cookie in clear text, and an attacker who can observe that traffic (for example on a shared or hostile network) reads the token value. This matches the CVSS vector: no privileges are needed, user interaction is required, and the impact is limited to the confidentiality of the token.
Recommendations: For IBM CICS TX Advanced version 10.1, set the Secure attribute on all authorization tokens and session cookies so that browsers send them only over HTTPS. As a temporary workaround, restrict access to sensitive operations that rely on these cookies until the Secure attribute is set. Note that redirecting http:// requests to https:// on the server is not a substitute: the cookie has already been sent in clear text with the initial plain-HTTP request before the redirect is returned. HTTP Strict Transport Security on the host is a useful complementary control, since a browser that has already seen the header rewrites http:// links to https:// before sending anything, but it does not protect first-time visitors. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
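The following Python is an added example written for this page; it is not code from IBM, from the product, or from the advisory's author. It parses Set-Cookie header values, reports cookies that lack the Secure attribute (the weakness described above), and simulates the browser's decision from RFC 6265 section 5.4 on whether a given cookie would be attached to a request for a given URL, so the http:// vs https:// difference is visible. The cookie names (SESSIONID, AUTHTOKEN) and the sample headers are constructed for illustration and are not the product's real cookie names; Domain and expiry handling are deliberately left out.

```python
"""Audit Set-Cookie headers for the Secure attribute and simulate whether a
browser would send each cookie over http:// (added example, not product code)."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    path: str = "/"
    secure: bool = False
    httponly: bool = False
    attrs: dict = field(default_factory=dict)  # other attributes, lowercased keys


def parse_set_cookie(header_value: str) -> Cookie:
    """Parse one Set-Cookie header value into a Cookie.

    The first ';'-separated part is name=value; the rest are attributes.
    Secure and HttpOnly are flags (no value); Path is kept for matching.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.httponly = True
        elif key == "path" and val:
            cookie.path = val
        else:
            cookie.attrs[key] = val
    return cookie


def _path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match: exact, or prefix on a '/' boundary."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def would_be_sent(cookie: Cookie, url: str) -> bool:
    """Mirror the browser rule: a Secure cookie goes only over https://.

    A cookie without Secure is attached to plain-HTTP requests too, which is
    exactly what lets the http:// link in the advisory leak the token.
    """
    parts = urlsplit(url)
    if cookie.secure and parts.scheme != "https":
        return False
    return _path_matches(parts.path or "/", cookie.path)


def audit_set_cookie_headers(headers) -> list:
    """Return the names of cookies set without the Secure attribute."""
    return [c.name for c in map(parse_set_cookie, headers) if not c.secure]


# Constructed sample headers; cookie names are hypothetical, not the product's.
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/; HttpOnly",          # weak: no Secure
    "AUTHTOKEN=tok456; Path=/app",                  # weak: no Secure
    "SESSIONID=abc123; Path=/; Secure; HttpOnly",   # hardened
]

if __name__ == "__main__":
    # In practice, feed in the Set-Cookie headers captured from the login
    # response (e.g. with `curl -i`) instead of SAMPLE_HEADERS.
    for header in SAMPLE_HEADERS:
        c = parse_set_cookie(header)
        print(f"{c.name:<10} secure={str(c.secure):<5} "
              f"sent to http://cics.example.test/app? "
              f"{would_be_sent(c, 'http://cics.example.test/app')}")
    print("missing Secure:", audit_set_cookie_headers(SAMPLE_HEADERS))
```

Run it against the Set-Cookie headers the application returns after login; any token or session cookie listed under "missing Secure" is one the browser will hand over on an http:// link, and the same check serves to verify a fix once the attribute is set.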

Related Identifiers

CVE-2023-38363

Affected Products

IBM CICS TX Advanced