IBM Cloud Automation Manager does not set the secure attribute on authorization tokens or session cookies.
CVEID:CVE-2019-4616
**DESCRIPTION:**IBM Cloud Automation Manager does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/168644 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Affected Product(s) | Version(s) |
---|---|
IBM Cloud Automation Manager | 3.2.1.0 |
Upgrade to IBM Cloud Automation Manager 3.2.1.2 or newer.
None