IBM Security Identity Manager Virtual Appliance does not invalidate session tokens which could allow an unauthorized user with physical access to the work station to obtain sensitive information.
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Security_identity_manager_virtual_appliance | Ibm | 7.0.0.0 (including) | 7.0.0.0 (including) |
| Security_identity_manager_virtual_appliance | Ibm | 7.0.0.1 (including) | 7.0.0.1 (including) |
| Security_identity_manager_virtual_appliance | Ibm | 7.0.0.2 (including) | 7.0.0.2 (including) |
| Security_identity_manager_virtual_appliance | Ibm | 7.0.0.3 (including) | 7.0.0.3 (including) |
| Security_identity_manager_virtual_appliance | Ibm | 7.0.1.0 (including) | 7.0.1.0 (including) |
| Security_identity_manager_virtual_appliance | Ibm | 7.0.1.1 (including) | 7.0.1.1 (including) |
| Security_identity_manager_virtual_appliance | Ibm | 7.0.1.2 (including) | 7.0.1.2 (including) |
| Security_identity_manager_virtual_appliance | Ibm | 7.0.1.3 (including) | 7.0.1.3 (including) |
| Security_identity_manager_virtual_appliance | Ibm | 7.0.1.4 (including) | 7.0.1.4 (including) |
Such a scenario is commonly observed when: