VYPR
Unrated severity · NVD Advisory · Published Jul 7, 2021 · Updated Sep 16, 2024

CVE-2021-20378

Description

IBM Guardium Data Encryption (GDE) 3.0.0.2 and 4.0.0.4 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 195709.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM Guardium Data Encryption (GDE) 3.0.0.2 and 4.0.0.4 fails to invalidate sessions after logout, allowing an authenticated user to impersonate another user.

Vulnerability

IBM Guardium Data Encryption (GDE) versions 3.0.0.2 and 4.0.0.4 do not properly invalidate a user's session upon logout [1]. This session management flaw allows a previously authenticated session to remain valid after the user explicitly signs out, enabling session reuse.

Exploitation

An attacker must first be an authenticated user on the system. After a legitimate user logs out, an attacker with access to the same system or network can reuse that user's stale session token to impersonate them [1]. No additional privileges are required beyond authenticated access.

Impact

A successful attack allows the attacker to impersonate another authenticated user, gaining the same level of access and privileges as that user. This could lead to unauthorized information disclosure, data modification, or other malicious actions with the victim's permissions [1].

Mitigation

IBM released GDE version 4.0.0.5 which fixes this vulnerability [1]. Users should upgrade to 4.0.0.5 or later. No workaround is documented; applying the fix is the recommended mitigation. The issue is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
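The flaw class above (a session that stays valid server-side after the user logs out) is easy to reproduce and to test for in a defender's regression suite. The following is an added illustration, not code from IBM GDE or from the advisory: a constructed in-memory session store with a logout that only clears the client cookie beside one that invalidates the record server-side, plus a replay check that a practitioner would adapt to their own login/logout endpoints.

```python
import secrets
import time
from typing import Dict, Optional, Tuple


class SessionStore:
    """Constructed stand-in for a server-side session table (hypothetical, not GDE's)."""

    def __init__(self, ttl_seconds: int = 900) -> None:
        self.ttl = ttl_seconds
        self._sessions: Dict[str, Tuple[str, float]] = {}  # token -> (user, expiry)

    def login(self, username: str) -> str:
        # Fresh unguessable token per login; a token is never reused across sessions.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (username, time.time() + self.ttl)
        return token

    def resolve(self, token: str) -> Optional[str]:
        """Return the user bound to `token`, or None if the token is unknown or expired."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, expires_at = entry
        if time.time() >= expires_at:
            self._sessions.pop(token, None)
            return None
        return username

    def logout_vulnerable(self, token: str) -> None:
        # Mirrors the flaw class: only the browser is told to drop its cookie;
        # the server-side record stays valid until the TTL elapses.
        return None

    def logout_fixed(self, token: str) -> None:
        # Server-side invalidation: the token is rejected immediately after logout.
        self._sessions.pop(token, None)


def replay_after_logout(logout) -> Tuple[Optional[str], Optional[str]]:
    """Log in, note who the token resolves to, log out, then replay the same token.

    Returns (user_before_logout, user_after_logout); a non-None second value
    means the session survived logout, i.e. the flaw described above is present.
    """
    store = SessionStore()
    token = store.login("alice")  # constructed sample user
    before = store.resolve(token)
    logout(store, token)
    after = store.resolve(token)
    return before, after
```

Against a real deployment the same check is: log in, capture the session cookie, call the logout endpoint, then replay the captured cookie against an authenticated endpoint and require an unauthenticated response.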
