IBM Cloud Pak System Session Cookie Vulnerability Lacking Secure Attribute

Vulnerability

A vulnerability exists in IBM Cloud Pak System versions 2.3.4.0, 2.3.4.1 ifix1, 2.3.5.0, 2.3.6.0, and certain IBM OS Images for Red Hat Linux Systems. The application does not set the Secure attribute on its authorization tokens and session cookies, so the browser will also send them over unencrypted HTTP. An attacker can exploit this by sending a user a plain-HTTP link to the application, or embedding one in a site the user visits; when the user follows it, the browser attaches the cookies to that insecure request, and an attacker positioned on the network path can read the cookie values from the unencrypted traffic.

Impact

Exploitation of this vulnerability could lead to the interception of session cookies, allowing attackers to hijack user sessions or access sensitive information within those sessions.

Remediation

Users are advised to upgrade to IBM Cloud Pak System version 2.3.6.1 or later. Installations running an unsupported version should first move to a supported version and then apply the fix.
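As an added example (not code from IBM or from this advisory), the following Python check parses Set-Cookie header values and reports every cookie that lacks the Secure attribute (and, as a related hardening flag, HttpOnly). It is the kind of test a defender would run against responses from their own deployment before and after applying the 2.3.6.1 upgrade to confirm the remediation took effect. The cookie names, header values and function names are constructed for this example and are not taken from IBM Cloud Pak System.

```python
"""Audit Set-Cookie headers for missing Secure / HttpOnly attributes.

Added example; the sample headers are constructed and the function names
are assumptions of this example, not part of the advisory.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Attributes a session or authorization cookie should normally carry.
# The advisory's defect is the absent "secure" flag; "httponly" is a
# related hardening flag that is useful to check at the same time.
EXPECTED_ATTRIBUTES = ("secure", "httponly")


@dataclass
class CookieFinding:
    """One cookie that is missing at least one expected attribute."""
    name: str
    missing: List[str] = field(default_factory=list)
    samesite: Optional[str] = None


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, object]]:
    """Split one Set-Cookie header value into (cookie name, attributes).

    Attribute names are lower-cased. Flag attributes without a value
    (Secure, HttpOnly) map to True; valued ones (Path, SameSite) keep
    their value as a string.
    """
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        if not part:
            continue
        if "=" in part:
            key, val = part.split("=", 1)
            attrs[key.strip().lower()] = val.strip()
        else:
            attrs[part.lower()] = True
    return name, attrs


def audit_set_cookie(headers: List[str]) -> List[CookieFinding]:
    """Return a finding for every cookie that lacks Secure or HttpOnly."""
    findings: List[CookieFinding] = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        missing = [a for a in EXPECTED_ATTRIBUTES if a not in attrs]
        if missing:
            samesite = attrs.get("samesite")
            findings.append(CookieFinding(
                name=name,
                missing=missing,
                samesite=samesite if isinstance(samesite, str) else None,
            ))
    return findings


# Constructed sample Set-Cookie values (not captured from any real system).
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",                      # no Secure
    "authtoken=def456; Path=/; Secure; HttpOnly; SameSite=Lax",  # compliant
    "prefs=dark; Path=/",                                      # neither flag
]

if __name__ == "__main__":
    for finding in audit_set_cookie(SAMPLE_HEADERS):
        print(f"{finding.name}: missing {', '.join(finding.missing)}")
```

In practice the list passed to audit_set_cookie comes from the Set-Cookie headers of a real response (for example, response.headers.get_all("Set-Cookie") with urllib, or response.raw.headers.getlist("Set-Cookie") with requests); a non-empty result on a session or token cookie reproduces the condition the advisory describes.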

Added: Feb 4, 2026, 9:34 PM
Updated: Feb 4, 2026, 9:34 PM

Vulnerability Rating

Custom Algorithm
spread: 1.4
impact: 3.3
exploitability: 5.4
remediation: 7.7
relevance: 2.5
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.