
Security Bulletin: Overly Permissive CORS Policy vulnerability found on IBM Security Secret Server (CVE-2019-4633)

Published 2020-06-08 15:58:16, www.ibm.com

EPSS: 0.001 (percentile 29.8%)

Summary

This security bulletin describes how to close some potential, minor yet significant, information leaks in IBM Security Secret Server.
IBM Security Secret Server has an overly permissive CORS policy on its login endpoint.

Vulnerability Details

CVEID: CVE-2019-4633
**DESCRIPTION:** IBM Security Secret Server could allow an attacker to obtain sensitive information due to an overly permissive CORS policy.
CVSS Base score: 3.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/170007 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)

Affected Products and Versions

IBM Security Secret Server, All Versions

Remediation/Fixes

  1. In the SecretServer installation folder, open the web-appsettings.config file and, under appSettings, add:

```xml
<add key="UseWebConfigCORS" value="true"></add>
```

  2. In the SecretServer installation folder, open the web.config file and, under system.webServer/httpProtocol/customHeaders, add:

```xml
<add name="Access-Control-Allow-Origin" value="[customer URL here]" />
<add name="Access-Control-Allow-Headers" value="Content-Type" />
<add name="Access-Control-Allow-Methods" value="GET, POST, PUT, DELETE, OPTIONS" />
```
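The two configuration steps above replace an origin policy that echoes whatever `Origin` a browser sends with a fixed allow-list containing only the customer's own URL. The following Python is an added example, not IBM's code and not part of this bulletin: `cors_headers` models the hardened policy the web.config `customHeaders` entries establish, and `audit_cors` lets an administrator check response headers captured from a test request against their own instance to confirm a foreign origin can no longer read the login response. The origin `https://secrets.example.test` is a constructed placeholder standing in for `[customer URL here]`.

```python
# Added example (not IBM's code): a model of the CORS policy the fix
# establishes, plus a checker for headers captured from a login endpoint.
from typing import Mapping, Optional
from urllib.parse import urlsplit

# Constructed placeholder standing in for "[customer URL here]" in web.config.
ALLOWED_ORIGINS = frozenset({"https://secrets.example.test"})


def normalize_origin(origin: str) -> Optional[str]:
    """Reduce an Origin header value to scheme://host[:port].

    Returns None for anything that is not a bare origin (paths, queries,
    userinfo, non-http schemes), so such values never match the allow-list.
    """
    parts = urlsplit(origin.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    if parts.username is not None:
        return None
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    host = parts.hostname  # urlsplit lower-cases the host for us
    if port is not None:
        host = f"{host}:{port}"
    return f"{parts.scheme}://{host}"


def cors_headers(origin: Optional[str], allowed=ALLOWED_ORIGINS) -> dict:
    """Response headers for a request that carried `origin`.

    Mirrors the customHeaders fix: a fixed allow-list rather than echoing the
    browser's Origin, and no wildcard. With a single customer URL this is
    equivalent to the static header the bulletin configures; it generalizes
    to a short allow-list.
    """
    norm = normalize_origin(origin) if origin else None
    if norm is None or norm not in allowed:
        # No Access-Control-Allow-Origin at all: the browser refuses to hand
        # the response body to the calling page.
        return {}
    return {
        "Access-Control-Allow-Origin": norm,
        "Access-Control-Allow-Headers": "Content-Type",
        "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
        # Keep shared caches from serving one origin's answer to another.
        "Vary": "Origin",
    }


def audit_cors(probe_origin: str, response: Mapping[str, str],
               allowed=ALLOWED_ORIGINS) -> list:
    """Findings for a response to a request sent with Origin: probe_origin.

    Feed it headers captured from a test request against your own instance.
    An empty list means that origin could not read the response.
    """
    h = {k.lower(): v.strip() for k, v in response.items()}
    acao = h.get("access-control-allow-origin")
    credentialed = h.get("access-control-allow-credentials", "").lower() == "true"
    findings = []
    if acao is None:
        return findings
    probe = normalize_origin(probe_origin)
    if acao == "*":
        findings.append("wildcard")
    elif acao == "null":
        findings.append("null-origin")
    elif normalize_origin(acao) == probe and probe not in allowed:
        findings.append("reflected")  # server echoed a foreign origin
    # Browsers reject "*" together with credentials, so only a reflected or
    # "null" origin plus credentials exposes an authenticated response.
    if credentialed and ("reflected" in findings or "null-origin" in findings):
        findings.append("credentialed")
    return findings


# Constructed sample: headers as a server that simply echoes the requesting
# origin on its login endpoint might return before the fix is applied.
PERMISSIVE_RESPONSE = {
    "Access-Control-Allow-Origin": "https://other.example.test",
    "Access-Control-Allow-Credentials": "true",
    "Content-Type": "application/json",
}

if __name__ == "__main__":
    print(audit_cors("https://other.example.test", PERMISSIVE_RESPONSE))
    print(audit_cors("https://other.example.test",
                     cors_headers("https://other.example.test")))
    print(cors_headers("https://secrets.example.test"))
```

To verify a patched instance, send a request to the login endpoint with an `Origin` header for a domain you do not control, copy the response headers into `audit_cors`, and confirm it returns an empty list; a `reflected` or `credentialed` finding means the web.config change has not taken effect.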

Workarounds and Mitigations

None
