IBM29578FA0932B7E8A7667A8F79374DC9D5752643552A9ABF23676F2B6740566CFSecurity Bulletin: Session cookie is missing secure attribute and affects IBM Publishing Engine
EPSS
Percentile
29.7%
Summary
There is a vulnerability in the session cookie which misses a secure attribute and affects IBM Publishing Engine
Vulnerability Details
CVEID:CVE-2020-4316
**DESCRIPTION:**IBM Publishing Engine does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/177354 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM Rational Publishing Engine | 6.0.6.1 |
| IBM Rational Publishing Engine | 6.0.6 |
| PUB | 7.0 |
Remediation/Fixes
For IBM Engineering Lifecycle Optimization - Publishing 6.0.2 - 7.0, a fix is available by upgrading to
7.0 iFix003 or latest
IBM Engineering Lifecycle Optimization - Publishing iFix003
6.0.6.1 iFix011 or latest
Rational Publishing Engine 6.0.6.1 iFix011
6.0.6 iFix017 or latest
Rational Publishing Engine 6.0.6 iFix017
For any prior versions of the products listed above, IBM recommends upgrading to a fixed, supported version/release/platform of the product.
If the iFix is not found in the iFix Portal please contact IBM support.
Workarounds and Mitigations
None
Related
EPSS
Percentile
29.7%