IBM has announced the resolution of several security vulnerabilities affecting its IBM Security Directory Integrator and IBM Security Verify Directory Integrator products.
The vulnerabilities, identified through the Common Vulnerabilities and Exposures (CVE) system, expose users to various risks, including sensitive data disclosure and potential cookie theft.
The company urges customers to update to the latest versions of the software to mitigate these risks.
CVE-2024-28771 and CVE-2024-28770 are vulnerabilities in IBM Security Directory Integrator caused by the failure to set the secure attribute on authorization tokens or session cookies, allowing attackers to intercept cookie values via non-secure HTTP links, with a CVSS base score of 4.8.
CVE-2024-28766, while less severe with a CVSS base score of 2.4, involves unauthorized disclosure of sensitive directory information, potentially aiding attackers in planning further exploits.
The vulnerabilities impact the following products and their respective versions:
IBM has released fixes to address these vulnerabilities. For IBM Security Directory Integrator 7.2.0, users must apply the fix pack version 7.2.0-ISS-SDI-FP0013, while IBM Security Verify Directory Integrator users are advised to upgrade to version 10.0.0.2 of the product.
Containerized versions of IBM Security Verify Directory Integrator 10.0.0 have been updated, and the relevant container images are made available through IBM’s official documentation portal.
IBM strongly recommends that customers update their software to the latest versions without delay.
The company has not provided any workarounds or mitigations, emphasizing the importance of applying the patches.
Are you from SOC/DFIR Teams? – Analyse Malware Files & Links with ANY.RUN Sandox -> Try for Free
Cisco Talos researchers have identified an ongoing cyber campaign, active since mid-2024, deploying a previously…
A groundbreaking technique for exploiting Windows systems has emerged, combining the "Bring Your Own Vulnerable…
Microsoft has taken a significant step toward enhancing cybersecurity by introducing a new phishing attack…
Apple has responded to a newly discovered zero-day vulnerability affecting its operating systems by releasing…
The masterminds behind the revolutionary network analyzer Wireshark have unveiled a new tool, Stratoshark, designed…
In a detailed analysis published on January 27, 2025, Zimperium's zLabs team uncovered a sophisticated…