IBM InfoSphere Master Data Management - Collaborative Edition does not update the session identifier after a successful authentication. An attacker could exploit this vulnerability to gain unauthorized access to the application by taking over the session created by a regular user.
Description:
IBM InfoSphere Master Data Management - Collaborative Edition is vulnerable to session hijacking through cookie path manipulation. As a result, user impersonation may be possible.
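The defect the bulletin describes, shown as an added example that is not IBM's code: a hypothetical in-memory session store whose login path either keeps the pre-authentication session identifier (the reported behaviour) or discards it and issues a fresh one, plus a cookie scoped to an assumed application path and a check that a tester can run to confirm the identifier actually changes across authentication.

```python
import secrets
from http.cookies import SimpleCookie


class SessionStore:
    """Constructed in-memory session table keyed by session ID."""

    def __init__(self):
        self.sessions = {}

    def new_session(self):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def login_vulnerable(self, sid, user):
        # Reported behaviour: the ID issued before authentication is kept,
        # so anyone who learned it before login owns the authenticated session.
        self.sessions[sid]["user"] = user
        return sid

    def login_fixed(self, sid, user):
        # Expected behaviour: drop the pre-auth session and bind the user
        # to a freshly generated identifier.
        self.sessions.pop(sid, None)
        new_sid = self.new_session()
        self.sessions[new_sid]["user"] = user
        return new_sid


def session_cookie(sid, path="/app"):
    """Emit the session cookie pinned to the application's own context path
    (assumed "/app"), HttpOnly and Secure, so a cookie planted with a broader
    or overlapping Path does not silently take precedence."""
    c = SimpleCookie()
    c["JSESSIONID"] = sid
    c["JSESSIONID"]["path"] = path
    c["JSESSIONID"]["httponly"] = True
    c["JSESSIONID"]["secure"] = True
    return c.output(header="").strip()


def rotates_on_login(login):
    """Regression check: the pre-auth ID must neither survive login
    nor remain valid afterwards. Returns True only for a fixed login path."""
    store = SessionStore()
    pre = store.new_session()
    post = login(store, pre, "alice")
    return post != pre and pre not in store.sessions
```

Run `rotates_on_login(SessionStore.login_vulnerable)` and `rotates_on_login(SessionStore.login_fixed)` to see the two outcomes side by side.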
CVE ID: CVE-2014-3009
CVSS:
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/92952 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)
Affected Products and Versions:
IBM InfoSphere Master Data Management - Collaborative Edition Versions 11.3, 11.0, 10.1 and 10.0 – GDS component only.
IBM InfoSphere Master Data Management Server for Product Information Management Versions 9.1 and 9.0 – GDS component only.
Remediation/Fixes:
If you are using the GDS component, the recommended solution is to apply the fix as soon as practical. Please see below for information on the fixes available.
Product | VRMF | APAR | Remediation/First Fix |
---|---|---|---|
IBM InfoSphere Master Data Management - Collaborative Edition | 11.0 | None | 11.0-FP5 |
IBM InfoSphere Master Data Management - Collaborative Edition | 10.1/10.0 | None | Contact IBM Customer Support |
IBM InfoSphere Master Data Management Server for Product Information Management | 11.3 | None | 11.3-IF002 |
IBM InfoSphere Master Data Management Server for Product Information Management | 9.1/9.0 | None | Contact IBM Customer Support |
Workarounds and Mitigations: None known