IBM Security Directory Integrator and IBM Security Verify Directory Integrator Session Cookie Security Vulnerability

Vulnerability

A vulnerability exists in IBM Security Directory Integrator versions 7.2.0 and 10.0.0: authorization tokens and session cookies are set without the Secure attribute. An attacker can obtain the cookie values by sending a user an http:// link or by embedding such a link on a site the user visits. The browser then transmits the cookies over the insecure link, and an attacker who snoops on that traffic captures the cookie values.

Impact

Exploitation of this vulnerability could lead to the interception of session cookies, allowing attackers to hijack user sessions or access sensitive information contained within the cookies.

Remediation

Users are advised to update to IBM Security Directory Integrator 10.0.0 or IBM Security Directory Integrator 7.2.0. Instructions for downloading these versions are available on the IBM Support Fix Central website.
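
One way to check responses for the missing Secure attribute described above, as an added example that is not IBM's code. The cookie names and header lines are constructed sample data, not values taken from the product.

```python
# Added example: flag Set-Cookie headers that lack the Secure attribute.
# All header lines below are constructed; cookie names are hypothetical.

SAMPLE_RESPONSE_HEADERS = [
    "Set-Cookie: session_id=0000abc123; Path=/; HttpOnly",
    "Set-Cookie: auth_token=eyJhbGciOi; Path=/; Secure; HttpOnly",
    "Set-Cookie: theme=secure; Path=/",            # value merely contains "secure"
    "Set-Cookie: sso_token=Zm9v; Path=/; secure",  # attribute names are case-insensitive
    "Content-Type: text/html",
]


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Only the segments after the first ';' are attributes. The leading
    # name=value pair is excluded so a value like "secure" is not miscounted.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def cookies_missing_secure(header_lines):
    """Return the names of cookies whose Set-Cookie header has no Secure attribute."""
    missing = []
    for line in header_lines:
        field, _, value = line.partition(":")
        if field.strip().lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if "secure" not in attrs:
            missing.append(name)
    return missing


if __name__ == "__main__":
    for cookie in cookies_missing_secure(SAMPLE_RESPONSE_HEADERS):
        print(f"{cookie}: no Secure attribute, the browser will also send it over plain HTTP")
```

Run it against the response headers of the login and session endpoints before and after applying the fix; any session or authorization cookie it lists is still exposed on http:// requests.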

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

Spread: 2.6
Impact: 5.8
Exploitability: 5.6
Remediation: 7.7
Relevance: 0.0
Threat: 0.0
Urgency: 2.9
Incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.