IBM Sterling Partner Engagement Manager
cpe:2.3:a:ibm:sterling_partner_engagement_manager:*:*:*:*:*:*:*
- ~6.1
- ~6.2
A vulnerability exists in IBM Sterling Partner Engagement Manager versions 6.1.0, 6.2.0, and 6.2.2: the JSON Web Token (JWT) secret is stored in clear text in the publicly readable Helm chart instead of being held in a Kubernetes Secret. Anyone who can read the chart or its rendered manifests can obtain the secret and manipulate or forge JWTs, potentially enabling session hijacking or other security breaches.
Exposure of the JWT secret lets whoever obtains it forge or tamper with tokens, gaining unauthorized access or performing unauthorized actions within the application.
Upgrade to the latest version of the IBM Sterling Partner Engagement Manager Helm chart, in which this issue has been addressed; guidance on downloading the updated Helm chart is available in the IBM Sterling Partner Engagement Manager documentation. Additionally, supply a valid, non-empty JWT secret key during deployment to ensure a secure configuration.
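To make the remediation concrete, the following is an added illustration (not IBM's chart and not code from the advisory) of the weak pattern described above beside the corrected one. All Helm value names (`jwt.secret`, `jwt.existingSecret`, `jwt.secretKey`), the Secret name `pem-jwt`, and the environment variable `JWT_SECRET` are hypothetical; only the Helm `required` function and the Kubernetes `secretKeyRef` mechanism are real.

```yaml
# --- Weak pattern: secret material lives in the chart itself ---
# values.yaml (hypothetical keys)
#   jwt:
#     secret: "change-me"        # committed with the chart, visible to anyone who can read it
#
# templates/deployment.yaml
#         env:
#           - name: JWT_SECRET
#             value: {{ .Values.jwt.secret | quote }}   # rendered in clear text into the Deployment

# --- Corrected pattern: the chart carries only a reference, never the secret ---
# The operator creates the Kubernetes Secret out of band, e.g.:
#   kubectl create secret generic pem-jwt \
#     --from-literal=jwtSecret="$(openssl rand -base64 48)"

# values.yaml (hypothetical keys)
jwt:
  existingSecret: ""     # name of a pre-created Secret; must be set at install time
  secretKey: jwtSecret   # key inside that Secret holding the JWT secret

# templates/deployment.yaml
# `required` aborts `helm install`/`helm upgrade` with the given message when the
# value is absent or empty, which enforces the "valid, non-empty secret" requirement.
        env:
          - name: JWT_SECRET
            valueFrom:
              secretKeyRef:
                name: {{ required "jwt.existingSecret must name a Kubernetes Secret containing the JWT key" .Values.jwt.existingSecret | quote }}
                key: {{ .Values.jwt.secretKey | quote }}
```

After deploying, a quick check is that `helm get values <release>` shows only the Secret's name, and `kubectl get deploy <name> -o yaml` shows `JWT_SECRET` sourced via `secretKeyRef` rather than a literal `value`; reading the Secret itself should require RBAC permissions that chart readers do not have.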