IBMD3EB367044998275F2DBC37439B3FE912A1AF72B03BAE9616FF36B6086E79997Security Bulletin: IBM Concert Software is vulnerable to session hijacking (CVE-2024-43180)
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
17.7%
Summary
IBM Concert cookie settings are vulnerable to session hijacking.
Vulnerability Details
CVEID:CVE-2024-43180
**DESCRIPTION:**IBM Concert does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/351213 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM Concert Software |
1.0
Remediation/Fixes
IBM strongly recommends addressing the vulnerability now by upgrading …
| Product(s) | Version(s) | Remediation/Fix/Instructions |
|---|---|---|
| IBM Concert Software |
1.0
|
Download and follow installation instructions for IBM Concert Software 1.0.1 from IBM Entitled Registry (ICR)
Workarounds and Mitigations
None
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| ibm | rational_team_concert | 1.0 | cpe:2.3:a:ibm:rational_team_concert:1.0:*:*:*:*:*:*:* |
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
17.7%