4.3
CVE-2021-38977
- EPSS 0.13%
- Published 15.11.2021 16:15:09
- Last modified 21.11.2024 06:18:20
- Source psirt@us.ibm.com
- Teams watchlist Login
- Open Login
IBM Tivoli Key Lifecycle Manager 3.0, 3.0.1, 4.0, and 4.1 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 212782.
Data is provided by the National Vulnerability Database (NVD)
Ibm ≫ Security Guardium Key Lifecycle Manager Version4.1.0
Ibm ≫ Security Guardium Key Lifecycle Manager Version4.1.0.1
Ibm ≫ Security Guardium Key Lifecycle Manager Version4.1.1
Ibm ≫ Security Key Lifecycle Manager Version >= 3.0 <= 3.0.0.4
Ibm ≫ Security Key Lifecycle Manager Version >= 3.0.1 <= 3.0.1.5
Ibm ≫ Security Key Lifecycle Manager Version >= 4.0 <= 4.0.0.3
Ibm ≫ Security Key Lifecycle Manager Version4.1.0
Ibm ≫ Security Key Lifecycle Manager Version4.1.0.1
Ibm ≫ Security Key Lifecycle Manager Version4.1.1
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.13% | 0.296 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 4.3 | 2.8 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
|
| nvd@nist.gov | 4.3 | 8.6 | 2.9 |
AV:N/AC:M/Au:N/C:P/I:N/A:N
|
| psirt@us.ibm.com | 3.1 | 1.6 | 1.4 |
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
|
CWE-311 Missing Encryption of Sensitive Data
The product does not encrypt sensitive or critical information before storage or transmission.