← back
CVE-2022-33167

IBM Security Directory Integrator information disclosure

CVSS 3.7 LOWEPSS 0.4%CWE-1004
In short

IBM Security Directory Integrator fails to protect cookies with the HTTPOnly flag, allowing attackers to potentially steal sensitive information from cookies through client-side attacks.

Technical detail

The application does not set the HTTPOnly flag on cookies, enabling attackers to access cookie data via JavaScript or other client-side vectors. This affects IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0, potentially exposing authentication tokens or session identifiers.

Summary generated and translated by AI from the official description.
IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. A remote attacker could exploit this vulnerability to obtain sensitive information from the cookie. IBM X-Force ID: 228587.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Affected products
IBM · Security Directory IntegratorIBM · Security Verify Directory Integrator

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://exchange.xforce.ibmcloud.com/vulnerabilities/228587https://www.ibm.com/support/pages/node/7161469