First published: Fri Jun 21 2013
The Browser in IBM Sterling Connect:Direct 1.4 before 1.4.0.11 and 1.5 through 1.5.0.1 does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.
Credit: psirt@us.ibm.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| IBM Sterling Connect:Direct | =1.4.0.0 | |
| IBM Sterling Connect:Direct | =1.4.0.2 | |
| IBM Sterling Connect:Direct | =1.4.0.3 | |
| IBM Sterling Connect:Direct | =1.4.0.6 | |
| IBM Sterling Connect:Direct | =1.4.0.7 | |
| IBM Sterling Connect:Direct | =1.4.0.10 | |
| IBM Sterling Connect:Direct | =1.5.0.0 | |
| IBM Sterling Connect:Direct | =1.5.0.1 | |
CVE-2013-0529 is classified as a medium severity vulnerability because the session cookie can be intercepted in transit.
To fix CVE-2013-0529, ensure that the session cookie issued in an HTTPS session carries the Secure flag, so the browser never sends it over plain HTTP.
CVE-2013-0529 affects IBM Sterling Connect:Direct versions 1.4.0.0 through 1.4.0.10 and 1.5.0.0 through 1.5.0.1.
CVE-2013-0529 can lead to data exposure: an attacker who observes an HTTP session can capture the session cookie while it is transmitted without protection.
A possible workaround for CVE-2013-0529 is to avoid plain HTTP for sensitive transactions until the Secure flag issue is resolved.
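A defender-side check for the weakness described above, added here as an example and not code from IBM or from this advisory: it parses captured Set-Cookie header values and reports session-looking cookies that lack the Secure flag on an HTTPS response (and, going slightly beyond the advisory, the HttpOnly flag). The cookie names, sample headers and the `SESSION_COOKIE_HINTS` heuristic are constructed assumptions for illustration.

```python
# Added example (not IBM's code): audit Set-Cookie headers for the class of
# weakness behind CVE-2013-0529, a session cookie issued over HTTPS without
# the Secure flag. Input is a list of Set-Cookie header values from one
# response; output is a list of findings, one per weak cookie.
from dataclasses import dataclass, field

# Constructed heuristic: substrings that suggest a cookie carries session state.
SESSION_COOKIE_HINTS = ("sess", "jsessionid", "sid", "token")


@dataclass
class CookieFinding:
    name: str
    missing: list = field(default_factory=list)  # attributes that should be set


def parse_set_cookie(value: str):
    """Split one Set-Cookie value into (cookie name, {attribute: value}).

    Attributes are separated by ';' only, so the comma inside an Expires
    date is kept intact. Flag attributes (Secure, HttpOnly) map to ''.
    """
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_cookies(set_cookie_headers, over_https=True):
    """Return findings for session-looking cookies missing Secure/HttpOnly."""
    findings = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if not any(hint in name.lower() for hint in SESSION_COOKIE_HINTS):
            continue  # not a session cookie by our heuristic; skip
        missing = []
        if over_https and "secure" not in attrs:
            missing.append("Secure")  # the CVE-2013-0529 condition
        if "httponly" not in attrs:
            missing.append("HttpOnly")
        if missing:
            findings.append(CookieFinding(name, missing))
    return findings


# Constructed sample headers: first cookie shows the weakness, second is hardened.
SAMPLE_HEADERS = [
    "JSESSIONID=0123456789abcdef; Path=/; Expires=Fri, 21 Jun 2013 12:00:00 GMT; HttpOnly",
    "JSESSIONID=fedcba9876543210; Path=/; Secure; HttpOnly",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_HEADERS):
        print(f"{finding.name}: missing {', '.join(finding.missing)}")
```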