Vulnerability-Lookup

CNVD-2019-38294

Vulnerability from cnvd - Published: 2019-10-31

Title

IBM Security Guardium Big Data Intelligence信息泄露漏洞（CNVD-2019-38294）

Description

IBM Security Guardium Big Data Intelligence（SonarG）是美国IBM公司的一套大数据安全智能解决方案。该方案具有交互式数据探索、自动连接分析和用户活动分析等特点。 IBM Security Guardium Big Data Intelligence (SonarG) 4.0版本中存在信息泄露漏洞，该漏洞源于程序未能为HTTPS会话中的cookies设置Secure属性，造成用户代理通过HTTP会话发送明文形式的cookies，攻击者可利用该漏洞获取敏感信息。

Severity

中

Patch Name

IBM Security Guardium Big Data Intelligence信息泄露漏洞（CNVD-2019-38294）的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://www.ibm.com/support/pages/node/1096384

Reference

https://www.ibm.com/support/pages/node/1096384

Impacted products

Name
IBM IBM Security Guardium Big Data Intelligence 4.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-4330"
    }
  },
  "description": "IBM Security Guardium Big Data Intelligence\uff08SonarG\uff09\u662f\u7f8e\u56fdIBM\u516c\u53f8\u7684\u4e00\u5957\u5927\u6570\u636e\u5b89\u5168\u667a\u80fd\u89e3\u51b3\u65b9\u6848\u3002\u8be5\u65b9\u6848\u5177\u6709\u4ea4\u4e92\u5f0f\u6570\u636e\u63a2\u7d22\u3001\u81ea\u52a8\u8fde\u63a5\u5206\u6790\u548c\u7528\u6237\u6d3b\u52a8\u5206\u6790\u7b49\u7279\u70b9\u3002\n\nIBM Security Guardium Big Data Intelligence (SonarG) 4.0\u7248\u672c\u4e2d\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u80fd\u4e3aHTTPS\u4f1a\u8bdd\u4e2d\u7684cookies\u8bbe\u7f6eSecure\u5c5e\u6027\uff0c\u9020\u6210\u7528\u6237\u4ee3\u7406\u901a\u8fc7HTTP\u4f1a\u8bdd\u53d1\u9001\u660e\u6587\u5f62\u5f0f\u7684cookies\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.ibm.com/support/pages/node/1096384",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-38294",
  "openTime": "2019-10-31",
  "patchDescription": "IBM Security Guardium Big Data Intelligence\uff08SonarG\uff09\u662f\u7f8e\u56fdIBM\u516c\u53f8\u7684\u4e00\u5957\u5927\u6570\u636e\u5b89\u5168\u667a\u80fd\u89e3\u51b3\u65b9\u6848\u3002\u8be5\u65b9\u6848\u5177\u6709\u4ea4\u4e92\u5f0f\u6570\u636e\u63a2\u7d22\u3001\u81ea\u52a8\u8fde\u63a5\u5206\u6790\u548c\u7528\u6237\u6d3b\u52a8\u5206\u6790\u7b49\u7279\u70b9\u3002\r\n\r\nIBM Security Guardium Big Data Intelligence (SonarG) 4.0\u7248\u672c\u4e2d\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u80fd\u4e3aHTTPS\u4f1a\u8bdd\u4e2d\u7684cookies\u8bbe\u7f6eSecure\u5c5e\u6027\uff0c\u9020\u6210\u7528\u6237\u4ee3\u7406\u901a\u8fc7HTTP\u4f1a\u8bdd\u53d1\u9001\u660e\u6587\u5f62\u5f0f\u7684cookies\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "IBM Security Guardium Big Data Intelligence\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2019-38294\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "IBM IBM Security Guardium Big Data Intelligence 4.0"
  },
  "referenceLink": "https://www.ibm.com/support/pages/node/1096384",
  "serverity": "\u4e2d",
  "submitTime": "2019-10-25",
  "title": "IBM Security Guardium Big Data Intelligence\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2019-38294\uff09"
}

CVE-2019-4330 (GCVE-0-2019-4330)

Vulnerability from cvelistv5 – Published: 2019-10-28 23:36 – Updated: 2024-09-16 20:37

Summary

IBM Security Guardium Big Data Intelligence (SonarG) 4.0 does not set the secure attribute for cookies in HTTPS sessions, which could cause the user agent to send those cookies in plaintext over an HTTP session. IBM X-Force ID: 161210.

Severity

3.1 (Low)


                        
                          CVSS:3.0/PR:N/I:N/AC:H/S:U/A:N/AV:N/C:L/UI:R/RL:O/RC:C/E:U

CWE

Obtain Information

Assigner

ibm

References

2 references

URL	Tags
https://www.ibm.com/support/pages/node/1096384	x_refsource_CONFIRM
https://exchange.xforce.ibmcloud.com/vulnerabilit…	vdb-entryx_refsource_XF

Impacted products

1 product

Vendor	Product	Version
IBM	Security Guardium Big Data Intelligence	Affected: 4

Date Public

2019-10-22 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T19:33:38.160Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.ibm.com/support/pages/node/1096384"
          },
          {
            "name": "ibm-guardium-cve20194330-info-disc (161210)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/161210"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Security Guardium Big Data Intelligence",
          "vendor": "IBM",
          "versions": [
            {
              "status": "affected",
              "version": "4"
            }
          ]
        }
      ],
      "datePublic": "2019-10-22T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "IBM Security Guardium Big Data Intelligence (SonarG) 4.0 does not set the secure attribute for cookies in HTTPS sessions, which could cause the user agent to send those cookies in plaintext over an HTTP session. IBM X-Force ID: 161210."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.1,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "exploitCodeMaturity": "UNPROVEN",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "remediationLevel": "OFFICIAL_FIX",
            "reportConfidence": "CONFIRMED",
            "scope": "UNCHANGED",
            "temporalScore": 2.7,
            "temporalSeverity": "LOW",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/PR:N/I:N/AC:H/S:U/A:N/AV:N/C:L/UI:R/RL:O/RC:C/E:U",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Obtain Information",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-10-28T23:36:10.000Z",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.ibm.com/support/pages/node/1096384"
        },
        {
          "name": "ibm-guardium-cve20194330-info-disc (161210)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/161210"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@us.ibm.com",
          "DATE_PUBLIC": "2019-10-22T00:00:00",
          "ID": "CVE-2019-4330",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Security Guardium Big Data Intelligence",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "4"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "IBM"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "IBM Security Guardium Big Data Intelligence (SonarG) 4.0 does not set the secure attribute for cookies in HTTPS sessions, which could cause the user agent to send those cookies in plaintext over an HTTP session. IBM X-Force ID: 161210."
            }
          ]
        },
        "impact": {
          "cvssv3": {
            "BM": {
              "A": "N",
              "AC": "H",
              "AV": "N",
              "C": "L",
              "I": "N",
              "PR": "N",
              "S": "U",
              "UI": "R"
            },
            "TM": {
              "E": "U",
              "RC": "C",
              "RL": "O"
            }
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Obtain Information"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.ibm.com/support/pages/node/1096384",
              "refsource": "CONFIRM",
              "title": "IBM Security Bulletin 1096384 (Security Guardium Big Data Intelligence)",
              "url": "https://www.ibm.com/support/pages/node/1096384"
            },
            {
              "name": "ibm-guardium-cve20194330-info-disc (161210)",
              "refsource": "XF",
              "title": "X-Force Vulnerability Report",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/161210"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2019-4330",
    "datePublished": "2019-10-28T23:36:10.730Z",
    "dateReserved": "2019-01-03T00:00:00.000Z",
    "dateUpdated": "2024-09-16T20:37:40.736Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2019-38294

CVE-2019-4330 (GCVE-0-2019-4330)

Tags

Sightings

Nomenclature