There is a vulnerability in the session cookie which misses a secure attribute and affects IBM Publishing Engine
CVEID:CVE-2020-4316
**DESCRIPTION:**IBM Publishing Engine does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/177354 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
Affected Product(s) | Version(s) |
---|---|
IBM Rational Publishing Engine | 6.0.6.1 |
IBM Rational Publishing Engine | 6.0.6 |
PUB | 7.0 |
For IBM Engineering Lifecycle Optimization - Publishing 6.0.2 - 7.0, a fix is available by upgrading to
7.0 iFix003 or latest
IBM Engineering Lifecycle Optimization - Publishing iFix003
6.0.6.1 iFix011 or latest
Rational Publishing Engine 6.0.6.1 iFix011
6.0.6 iFix017 or latest
Rational Publishing Engine 6.0.6 iFix017
For any prior versions of the products listed above, IBM recommends upgrading to a fixed, supported version/release/platform of the product.
If the iFix is not found in the iFix Portal please contact IBM support.
None