IBMFA332152AD7A5A9209FA27F339C4DBB91CE19F57EA678F69635CC1EDEC062B39Security Bulletin: Session Identifier Not Updated vulnerability in GDS component of IBM InfoSphere Master Data Management - Collaborative Edition (CVE-2014-3009)
EPSS
Percentile
29.8%
Summary
IBM InfoSphere Master Data Management - Collaborative Edition does not update the session identifier after a successful authentication. An attacker could exploit this vulnerability to gain unauthorized access to the application by acting as the session created by a regular user.
Vulnerability Details
Description:
IBM InfoSphere Master Data Management - Collaborative Edition is vulnerable to session hijacking through cookie path manipulation. As result, user impersonation may be possible.
CVE ID: CVE-2014-3009
CVSS:
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/92952 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)
Affected Products and Versions
IBM InfoSphere Master Data Management - Collaborative Edition Versions 11.3, 11.0, 10.1 and 10.0 – GDS component only.
IBM InfoSphere Master Data Management Server for Product Information Management Versions 9.1 and 9.0 – GDS component only.
Remediation/Fixes
If you are using the GDS component, the recommended solution is to apply the fix as soon as practical. Please see below for information on the fixes available.
| Product | VRMF | APAR | Remediation/First Fix |
|---|---|---|---|
| IBM InfoSphere Master Data Management - Collaborative Edition | 11.0 | None | 11.0-FP5 |
| IBM InfoSphere Master Data Management - Collaborative Edition |
10.1/10.0
| None| Contact IBM Customer Support
IBM InfoSphere Master Data Management Server for Product Information Management| 11.3| None| 11.3-IF002
IBM InfoSphere Master Data Management Server for Product Information Management| 9.1/9.0| None| Contact IBM Customer Support
Workarounds and Mitigations
None known
Related
EPSS
Percentile
29.8%