IBM has announced the resolution of several security vulnerabilities affecting its IBM Security Directory Integrator and IBM Security Verify Directory Integrator products.
The vulnerabilities, identified through the Common Vulnerabilities and Exposures (CVE) system, expose users to various risks, including sensitive data disclosure and potential cookie theft.
The company urges customers to update to the latest versions of the software to mitigate these risks.
CVE-2024-28771 and CVE-2024-28770 are vulnerabilities in IBM Security Directory Integrator caused by the failure to set the secure attribute on authorization tokens or session cookies, allowing attackers to intercept cookie values via non-secure HTTP links, with a CVSS base score of 4.8.
CVE-2024-28766, while less severe with a CVSS base score of 2.4, involves unauthorized disclosure of sensitive directory information, potentially aiding attackers in planning further exploits.
The vulnerabilities impact the following products and their respective versions:
IBM has released fixes to address these vulnerabilities. For IBM Security Directory Integrator 7.2.0, users must apply the fix pack version 7.2.0-ISS-SDI-FP0013, while IBM Security Verify Directory Integrator users are advised to upgrade to version 10.0.0.2 of the product.
Containerized versions of IBM Security Verify Directory Integrator 10.0.0 have been updated, and the relevant container images are made available through IBM’s official documentation portal.
IBM strongly recommends that customers update their software to the latest versions without delay.
The company has not provided any workarounds or mitigations, emphasizing the importance of applying the patches.
Are you from SOC/DFIR Teams? – Analyse Malware Files & Links with ANY.RUN Sandox -> Try for Free
Belgium’s State Security Service (VSSE) has suffered what is being described as its most severe…
Hacktivism, once synonymous with symbolic website defacements and distributed denial-of-service (DDoS) attacks, has evolved into…
Multi-factor authentication (MFA), long considered a cornerstone of cybersecurity defense, is facing a formidable new…
A sophisticated cyberespionage campaign linked to Chinese state-sponsored actors has exploited a previously patched Check…
A critical security flaw (CVE-2025-20059) has been identified in supported versions of Ping Identity’s PingAM…
A sophisticated malware campaign leveraging GitHub repositories disguised as game modifications and cracked software has…