The product is missing the HTTP Strict Transport Security header. Users can navigate by mistake to the unencrypted version of the web application or accept invalid certificates. This leads to sensitive data being sent unencrypted over the wire.
CVEID: CVE-2016-9972**
DESCRIPTION:** IBM QRadar could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/120208 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
ยท IBM QRadar SIEM 7.2.0 โ 7.2.8 Patch 6
ยท IBM QRadar SIEM 7.3.0 โ 7.3.0 Patch 1
ยท IBM QRadar/QRM/QVM/QRIF 7.2.8 Patch 7
ยท IBM QRadar/QRM/QVM/QRIF/QNI 7.3.0 Patch 2
None
CPE | Name | Operator | Version |
---|---|---|---|
ibm security qradar siem | eq | 7.2 | |
ibm security qradar siem | eq | 7.3 |