CVE-2019-4439
Description
IBM Cloud Private 3.1.0, 3.1.1, and 3.1.2 do not invalidate the session after logout, which could allow a local user to impersonate another user on the system. IBM X-Force ID: 162949.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IBM Cloud Private 3.1.0-3.1.2 fails to invalidate sessions after logout, allowing a local attacker to impersonate another user.
Vulnerability
IBM Cloud Private versions 3.1.0, 3.1.1, and 3.1.2 do not properly invalidate user sessions upon logout [1]. This flaw resides in the authentication identity provider (auth-idp) component. The session token remains valid after the user explicitly logs out, allowing reuse of the same session.
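A generic model of the flaw class described above, as an added example that is not IBM's auth-idp code. `SessionStore`, its methods and `logout_findings` are hypothetical names, and the in-memory token table is an assumption about how a server tracks sessions; the check shows what a post-patch regression test for logout should assert.

```python
import secrets


class SessionStore:
    """Constructed server-side session table (token -> user); hypothetical."""

    def __init__(self, revoke_on_logout):
        self.revoke_on_logout = revoke_on_logout
        self._sessions = {}

    def login(self, user):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = user
        return token

    def logout(self, token):
        # Flawed variant: nothing happens server-side, so the token the
        # client discards is still accepted if it is presented again.
        if self.revoke_on_logout:
            self._sessions.pop(token, None)

    def whoami(self, token):
        return self._sessions.get(token)


def logout_findings(store):
    """Return a list of problems found in the store's logout behaviour."""
    findings = []
    alice_1 = store.login("alice")
    alice_2 = store.login("alice")  # second concurrent session
    bob = store.login("bob")
    store.logout(alice_1)
    if store.whoami(alice_1) is not None:
        findings.append("token accepted after logout")
    if store.whoami(alice_2) != "alice" or store.whoami(bob) != "bob":
        findings.append("logout revoked an unrelated session")
    if store.login("alice") == alice_1:
        findings.append("re-login reissued the logged-out token")
    return findings


if __name__ == "__main__":
    print("flawed:", logout_findings(SessionStore(revoke_on_logout=False)))
    print("fixed: ", logout_findings(SessionStore(revoke_on_logout=True)))
```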
Exploitation
An attacker with local access to the system can exploit this, without authentication or user interaction, by capturing or reusing a session token that was not invalidated after the legitimate user logged out [1]. The CVSS vector indicates a local attack vector with low complexity and no privileges required.
Impact
Successful exploitation allows the attacker to impersonate the logged-out user, gaining the same level of access within IBM Cloud Private. This leads to low confidentiality, integrity, and availability impacts, per the CVSS 3.0 score of 5.9 [1].
Mitigation
IBM released patches for versions 3.1.1 and 3.1.2 via the auth-idp fix. For version 3.1.0, users must upgrade to IBM Cloud Private 3.2 or later [1]. No workaround is documented; applying the patch or upgrade is required.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 3.1.0, 3.1.1, 3.1.2
- IBM/Cloud Private (v5), Range: 3.1.0
Patches
No patches discovered yet.
References
- exchange.xforce.ibmcloud.com/vulnerabilities/162949 (mitre; vdb-entry; x_refsource_XF)
- www.ibm.com/support/docview.wss (mitre; x_refsource_CONFIRM)