IBM Security Guardium 10.0 does not renew a session variable after a successful authentication which could lead to session fixation/hijacking vulnerability. This could force a user to utilize a cookie that may be known to an attacker. IBM X-Force ID: 124745.
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Security_guardium | Ibm | 10.0 (including) | 10.0 (including) |
| Security_guardium | Ibm | 10.0.1 (including) | 10.0.1 (including) |
| Security_guardium | Ibm | 10.1.0 (including) | 10.1.0 (including) |
| Security_guardium | Ibm | 10.1.2 (including) | 10.1.2 (including) |
| Security_guardium | Ibm | 10.1.3 (including) | 10.1.3 (including) |
Such a scenario is commonly observed when: