Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM21FD14295AD7CEF7BD3BE20B1284588AF1522F49536CDE5B582F0D3EFE128DA8
HistoryJul 24, 2024 - 3:42 p.m.

Security Bulletin: Security Vulnerability fixed in IBM Security Directory Integrator (CVE-2024-28771, CVE-2024-28770, CVE-2024-28766)

2024-07-2415:42:09
www.ibm.com
5
ibm security directory integrator
vulnerable
cve-2024-28771
cve-2024-28770
cve-2024-28766
authorization tokens
session cookies
disclosure
software update

AI Score

6.2

Confidence

Low

JSON

Summary

Multiple Security Vulnerabilities were fixed in the IBM Security Directory Integrator product.

Vulnerability Details

CVEID:CVE-2024-28771
**DESCRIPTION:**IBM Security Directory Integrator does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/285630 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N)

CVEID:CVE-2024-28770
**DESCRIPTION:**IBM Security Directory Integrator does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/285629 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N)

CVEID:CVE-2024-28766
**DESCRIPTION:**IBM Security Directory Integrator could disclose sensitive information about directory contents that could aid in further attacks against the system.
CVSS Base score: 2.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/285625 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Security Directory Integrator 7.2.0
IBM Security Verify Directory Integrator 10.0.0

Remediation/Fixes

IBM Strongly recommends that customers update to the latest versions of software.

IBM Security Directory Integrator 10.0.0 Container images can be found in the documentation here.

https://www.ibm.com/docs/en/svdi/10.0.0?topic=containers-images

Principal Product and Versions

|

Fix Availability

—|—

IBM Security Director Integrator 7.2.0

|

7.2.0-ISS-SDI-FP0013

IBM Security Verify Directory Integrator 10.0.0

|

ibm-svdi-10.0.0.2

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmsecurity_directory_integratorMatch7.2.0
OR
ibmsecurity_directory_integratorMatch10.0.0
VendorProductVersionCPE
ibmsecurity_directory_integrator7.2.0cpe:2.3:a:ibm:security_directory_integrator:7.2.0:*:*:*:*:*:*:*
ibmsecurity_directory_integrator10.0.0cpe:2.3:a:ibm:security_directory_integrator:10.0.0:*:*:*:*:*:*:*

AI Score

6.2

Confidence

Low

JSON