This security bulletin describes the fix for a potential information leak in IBM Security Secret Server, minor in score but still significant: the server's login functionality had an overly permissive CORS policy.
CVEID: CVE-2019-4633
**DESCRIPTION:** IBM Security Secret Server could allow an attacker to obtain sensitive information due to an overly permissive CORS policy.
CVSS Base score: 3.1
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/170007 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)
| Affected Product(s) | Version(s) |
|---|---|
| IBM Security Secret Server | All |
```xml
<add key="UseWebConfigCORS" value="true"></add>
<add name="Access-Control-Allow-Origin" value="[customer URL here]" />
<add name="Access-Control-Allow-Headers" value="Content-Type" />
<add name="Access-Control-Allow-Methods" value="GET, POST, PUT, DELETE, OPTIONS" />
```
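As an added example, not taken from the bulletin or from IBM's product documentation, the fragment below shows where those four settings sit in a standard IIS/ASP.NET `web.config`, with the assumed weak form (a wildcard origin) commented out beside the restricted one. The placement under `appSettings` and `system.webServer/httpProtocol/customHeaders` is ordinary IIS configuration; the effect of `UseWebConfigCORS` is assumed from its name, and `https://secretserver.example.com` is a constructed placeholder for the customer URL.

```xml
<!-- Added example, not from the bulletin: an assumed IIS/ASP.NET web.config
     fragment placing the bulletin's four settings in their standard sections.
     https://secretserver.example.com is a constructed placeholder origin. -->
<configuration>
  <appSettings>
    <!-- Assumed from the key name: have the application take its CORS
         policy from web.config instead of its default. -->
    <add key="UseWebConfigCORS" value="true"></add>
  </appSettings>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Weak form (assumed): a wildcard origin lets any site the user
             visits issue cross-origin requests to the login endpoint. -->
        <!-- <add name="Access-Control-Allow-Origin" value="*" /> -->
        <!-- Restricted form: exactly one origin, scheme and host only,
             no path and no wildcard. -->
        <add name="Access-Control-Allow-Origin" value="https://secretserver.example.com" />
        <add name="Access-Control-Allow-Headers" value="Content-Type" />
        <add name="Access-Control-Allow-Methods" value="GET, POST, PUT, DELETE, OPTIONS" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

`Access-Control-Allow-Origin` carries a single origin value: browsers reject a comma-separated list, so a deployment that must serve several customer origins needs application-side origin matching rather than this static header. To confirm the fix after deployment, request the login page with an `Origin` header for a host you do not control and check that the response does not echo that origin or a wildcard.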
None