First published: Thu Nov 11 2021
IBM Tivoli Key Lifecycle Manager does not set the Secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending an http:// link to a user or by planting this link in a site the user visits. The browser sends the cookie with the request to the insecure link, and the attacker can then obtain the cookie value by snooping the traffic.
Credit: psirt@us.ibm.com
Affected Software | Affected Version | How to fix |
---|---|---|
IBM Security Key Lifecycle Manager | <=3.0 - 3.0.0.4 | |
IBM Security Key Lifecycle Manager | <=3.0.1 - 3.0.1.5 | |
IBM Security Key Lifecycle Manager | <=4.0 - 4.0.0.3 | |
IBM Security Guardium Key Lifecycle Manager | <=4.1.0 - 4.1.0.1 | |
IBM Security Guardium Key Lifecycle Manager | <=4.1.1 | |
IBM Security Guardium Key Lifecycle Manager | =4.1.0 | |
IBM Security Guardium Key Lifecycle Manager | =4.1.0.1 | |
IBM Security Guardium Key Lifecycle Manager | =4.1.1 | |
IBM Security Key Lifecycle Manager | >=3.0<=3.0.0.4 | |
IBM Security Key Lifecycle Manager | >=3.0.1<=3.0.1.5 | |
IBM Security Key Lifecycle Manager | >=4.0<=4.0.0.3 | |
IBM Security Key Lifecycle Manager | =4.1.0 | |
IBM Security Key Lifecycle Manager | =4.1.0.1 | |
IBM Security Key Lifecycle Manager | =4.1.1 | |
IBM AIX | | |
Linux Linux kernel | | |
Microsoft Windows | | |
The vulnerability ID for this vulnerability is CVE-2021-38977.
The severity of CVE-2021-38977 is medium with a severity value of 4.3.
IBM Tivoli Key Lifecycle Manager versions 3.0, 3.0.1, 4.0, and 4.1 are affected by CVE-2021-38977.
Attackers can exploit CVE-2021-38977 by sending an http:// link to a user or planting the link in a site the user visits, allowing them to obtain the cookie values.
Please refer to IBM's support page (https://www.ibm.com/support/pages/node/6516052) for information on fixes or patches for CVE-2021-38977.
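One way to check a server response for the condition described above, as an added example that is not IBM's code or part of the original advisory: it parses the `Set-Cookie` headers of a raw HTTP response and lists every cookie issued without the Secure attribute. The sample response and its cookie names are constructed for illustration and are not taken from the product.

```python
# Added example: audit Set-Cookie headers for a missing Secure attribute.
# SAMPLE_RESPONSE is constructed; the cookie names are hypothetical.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session_id=0000abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: auth_token=eyJhbGciOi; Path=/; secure; HttpOnly\r\n"
    "Set-Cookie: theme=secure; Path=/\r\n"
    "\r\n"
    "<html></html>"
)


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, set of lowercased attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive (RFC 6265); drop any "=value" part.
    # Only parts after the first are attributes, so a cookie *value* of
    # "secure" (see "theme" above) is not mistaken for the flag.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def cookies_missing_secure(raw_response):
    """Return the names of cookies set without the Secure attribute."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    missing = []
    for line in head.split("\n")[1:]:  # skip the status line
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == "set-cookie":
            name, attrs = parse_set_cookie(value)
            if "secure" not in attrs:
                missing.append(name)
    return missing


if __name__ == "__main__":
    for name in cookies_missing_secure(SAMPLE_RESPONSE):
        print(f"cookie {name!r} has no Secure attribute; "
              "a browser will also send it on http:// requests")
```

Run it against responses captured from the login and session endpoints before and after applying the vendor fix to confirm the attribute is now present.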