VYPR
Unrated severity · NVD Advisory · Published Jul 20, 2020 · Updated Sep 16, 2024

CVE-2020-4527

Description

IBM Planning Analytics 2.0 could allow a remote attacker to obtain sensitive information, caused by the failure to set the Secure flag for the session cookie in TLS mode. By intercepting its transmission within an HTTP session, an attacker could exploit this vulnerability to capture the cookie and obtain sensitive information. IBM X-Force ID: 182631.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM Planning Analytics 2.0 fails to set the Secure flag on the session cookie in TLS mode, allowing cookie interception over HTTP and potential disclosure of sensitive information.

Vulnerability

IBM Planning Analytics 2.0 (specifically the Planning Analytics Workspace component) does not set the Secure attribute on the session cookie when operating in TLS mode [1]. The Secure attribute is what tells a browser to send a cookie only over an encrypted connection, so without it the browser will also attach the session cookie to any plaintext http:// request to the same host, even though the server itself is serving the application over HTTPS. The affected versions are those prior to IBM Planning Analytics Local v2.0 – Planning Analytics Workspace Release 54 [1].

Exploitation

An attacker must be in a position to observe or tamper with network traffic between the victim's browser and the server (e.g., via a man-in-the-middle position on an insecure network) [1]. The attacker does not have to wait for the victim to deliberately browse to an http:// URL: any plaintext request to the application's host, whether from a typed or bookmarked http:// link, an HTTPS-to-HTTP redirect, or a reference to that host injected into other unencrypted traffic the victim loads, carries the unflagged session cookie in cleartext, where it can be read off the wire. No authentication or user interaction beyond normal browsing is required [1]; the network position is what the CVSS attack complexity of High reflects.

Impact

Successful exploitation allows the attacker to capture the session cookie and replay it, gaining access to the victim's authenticated session [1]. This can result in disclosure of sensitive information that the authenticated user can access, such as planning data or other confidential content visible to that user's role. The CVSS vector (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N), which computes to a base score of 5.9 (Medium), records a high confidentiality impact with no integrity or availability impact [1].

Mitigation

IBM has fixed this vulnerability in IBM Planning Analytics Local v2.0 – Planning Analytics Workspace Release 54 [1]. Organizations should upgrade to this or a later release. As a workaround, administrators can enforce HTTPS-only connections (for example by sending a Strict-Transport-Security header, so that a compliant browser never issues a plaintext request to the host after its first HTTPS visit) and ensure that the application and any fronting proxy set the Secure attribute on all cookies; note that simply closing port 80 does not add the attribute, so an audit of the Set-Cookie headers on the login response is the check to run. No KEV listing has been published for this CVE.
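The mechanism described under Exploitation and the check suggested under Mitigation, as an added example that is not part of the original page and is not IBM's code: a small Set-Cookie auditor that reports cookies lacking Secure (and session cookies lacking HttpOnly), plus a function modelling the RFC 6265 Secure rule that decides which cookies a browser would attach to an http:// versus https:// request. The cookie names, values, and hostname below are constructed for the example; the real Planning Analytics Workspace cookie names are not given on the page.

```python
"""Added example (not IBM's or the page's code): audit Set-Cookie headers for the
Secure attribute and show which cookies a browser would attach to a plaintext
request. Cookie names/values and the hostname are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False
    httponly: bool = False
    attrs: Dict[str, str] = field(default_factory=dict)


def parse_set_cookie(header_value: str) -> Cookie:
    """Parse one Set-Cookie header value: name=value; attr; attr=val ..."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip())
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.httponly = True
        else:
            cookie.attrs[key] = val.strip()
    return cookie


# Name fragments that usually indicate a session or auth cookie (heuristic only).
SESSION_HINTS = ("sess", "sid", "token", "auth")


def audit(set_cookie_headers: List[str]) -> List[str]:
    """One finding per attribute a TLS-only deployment should not ship without."""
    findings = []
    for header in set_cookie_headers:
        c = parse_set_cookie(header)
        is_session = any(h in c.name.lower() for h in SESSION_HINTS)
        if not c.secure:
            tag = " (session cookie)" if is_session else ""
            findings.append(f"{c.name}: missing Secure{tag}")
        if is_session and not c.httponly:
            findings.append(f"{c.name}: missing HttpOnly")
    return findings


def cookies_sent(cookies: List[Cookie], url: str) -> List[str]:
    """Names of cookies a browser would attach to a request for `url`.

    Only the RFC 6265 Secure rule is modelled: a Secure cookie is sent over
    https only; a cookie without the attribute is sent over http as well.
    Domain/Path matching and HSTS are ignored here (with HSTS the browser
    would not issue the http:// request in the first place).
    """
    scheme = urlsplit(url).scheme.lower()
    return [c.name for c in cookies if not c.secure or scheme == "https"]


# Constructed responses: what a vulnerable server sends vs. the corrected form.
WEAK_HEADERS = [
    "paw_session=CONSTRUCTED_TOKEN; Path=/; HttpOnly",
    "lang=en; Path=/",
]
FIXED_HEADERS = [
    "paw_session=CONSTRUCTED_TOKEN; Path=/; HttpOnly; Secure; SameSite=Lax",
    "lang=en; Path=/; Secure",
]


if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("fixed", FIXED_HEADERS)):
        jar = [parse_set_cookie(h) for h in headers]
        print(label, "findings:", audit(headers) or "none")
        print(label, "sent over http://  :", cookies_sent(jar, "http://pa.example.invalid/"))
        print(label, "sent over https:// :", cookies_sent(jar, "https://pa.example.invalid/"))
```

Run against a real deployment by pasting the Set-Cookie lines from the HTTPS login response (for instance from `curl -sI` against the login endpoint) into `audit()`; the weak sample shows the session cookie leaving over http:// while the fixed sample shows it confined to https://, which is exactly the behaviour the Secure attribute controls.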

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

2
