
Security Bulletin: Overly Permissive CORS Policy vulnerability found on IBM Security Secret Server (CVE-2019-4633)

2020-01-24 05:53:51
www.ibm.com

EPSS: 0.001

Percentile: 29.8%

Summary

This security bulletin describes the fix for potential, minor but significant, information leaks from IBM Security Secret Server: the product has an overly permissive CORS policy for login.

Vulnerability Details

CVEID: CVE-2019-4633
**DESCRIPTION:** IBM Security Secret Server could allow an attacker to obtain sensitive information due to an overly permissive CORS policy.
CVSS Base score: 3.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/170007 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM Security Secret Server | All |

Remediation/Fixes

  1. At the SecretServer installation folder, in the web-appsettings.config file under appSettings add:

```xml
<add key="UseWebConfigCORS" value="true"></add>
```

  2. At the SecretServer installation folder, in the web.config file under system.webServer/httpProtocol/customHeaders add:

```xml
<add name="Access-Control-Allow-Origin" value="[customer URL here]" />
<add name="Access-Control-Allow-Headers" value="Content-Type" />
<add name="Access-Control-Allow-Methods" value="GET, POST, PUT, DELETE, OPTIONS" />
```
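To confirm the change took effect, the following is an added verification helper (not IBM's code) that evaluates a login endpoint's CORS response headers against the customer origin configured above, flagging a wildcard, `null`, reflected or otherwise unexpected grant; the URL, origin names and sample headers it uses are assumed or constructed.

```python
"""Post-remediation CORS check: added helper, not IBM's code.

assess_cors() works offline on any captured header set; probe() sends one
OPTIONS preflight to a live URL (supplied by the caller) from an untrusted
Origin and expects only the configured customer origin to be granted.
"""
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Findings, most severe first.
WILDCARD = "Access-Control-Allow-Origin is '*'"
NULL_ORIGIN = "Access-Control-Allow-Origin is 'null' (claimable by sandboxed iframes)"
REFLECTED = "request Origin echoed back although it is not on the allowlist"
UNEXPECTED = "Access-Control-Allow-Origin names an origin not on the allowlist"
WITH_CREDS = "loose grant combined with Access-Control-Allow-Credentials: true"


def assess_cors(headers, sent_origin, allowed_origins):
    """Return findings for one response; [] means only trusted origins are
    granted (or there is no CORS grant at all, which browsers treat as deny).
    allowed_origins is the set configured in web.config above."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    if acao is None:
        return []
    findings = []
    if acao == "*":
        findings.append(WILDCARD)
    elif acao == "null":
        findings.append(NULL_ORIGIN)
    elif acao not in allowed_origins:
        findings.append(REFLECTED if acao == sent_origin else UNEXPECTED)
    # Credentials widen what a loose grant exposes to authenticated content
    # (browsers refuse the combination only for the '*' case).
    if findings and h.get("access-control-allow-credentials", "").lower() == "true":
        findings.append(WITH_CREDS)
    return findings


def probe(url, sent_origin, allowed_origins, timeout=10):
    """Preflight the live endpoint; error responses still carry headers."""
    req = Request(url, method="OPTIONS", headers={"Origin": sent_origin})
    try:
        with urlopen(req, timeout=timeout) as resp:
            hdrs = dict(resp.headers.items())
    except HTTPError as err:
        hdrs = dict(err.headers.items())
    return assess_cors(hdrs, sent_origin, allowed_origins)
```

A leftover literal `[customer URL here]` in web.config shows up as an unexpected-origin finding, which is a useful sanity check after editing the file.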

Workarounds and Mitigations

None
