CVE-2024-28771

Name of the Vulnerable Software and Affected Versions IBM Security Directory Integrator version 7.2.0 IBM Security Verify Directory Integrator version 10.0.0

Description The issue is related to the absence of the secure attribute in session cookies, which may allow attackers to obtain cookie values by sending a http link to a user or by planting this link in a site the user visits. The cookie will be sent to the insecure link, and the attacker can then obtain the cookie value by snooping the traffic. This may enable remote attackers to gain unauthorized access to protected information.

Recommendations For IBM Security Directory Integrator version 7.2.0, consider setting the secure attribute on authorization tokens or session cookies to prevent them from being sent over insecure links. For IBM Security Verify Directory Integrator version 10.0.0, consider setting the secure attribute on authorization tokens or session cookies to prevent them from being sent over insecure links. As a temporary workaround, consider restricting access to sensitive information until the issue is resolved.