CVE-2021-20416

Unrated severity · NVD Advisory · Published Jul 7, 2021 · Updated Sep 16, 2024

Description

IBM Guardium Data Encryption (GDE) 3.0.0.3 and 4.0.0.4 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. A remote attacker could exploit this vulnerability to obtain sensitive information from the cookie. IBM X-Force ID: 196218.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM Guardium Data Encryption (GDE) 3.0.0.3 and 4.0.0.4 fail to set the HttpOnly flag on cookies, allowing remote attackers to steal sensitive session data via XSS or network sniffing.

Vulnerability

IBM Guardium Data Encryption (GDE) versions 3.0.0.3 and 4.0.0.4 do not set the HttpOnly flag on cookies used for session management [1]. This misconfiguration allows client-side scripts (e.g., JavaScript) to access cookie contents, exposing sensitive information such as session tokens or authentication credentials [1]. The vulnerability is present in the default configuration of affected releases [1].

Exploitation

An attacker must first be able to execute arbitrary JavaScript in the user's browser, typically through a cross-site scripting (XSS) vulnerability, or have the ability to intercept unencrypted network traffic [1]. No authentication or special network position is required beyond the attacker's ability to inject code or monitor traffic [1]. The attacker retrieves the cookie value by reading document.cookie (via XSS) or capturing it from plaintext HTTP responses [1].

Impact

Successful exploitation allows the attacker to obtain the session cookie, which may be used to impersonate the authenticated user [1]. The confidentiality of session data is compromised; the attacker gains the same privileges as the victim user, potentially accessing sensitive data managed by GDE [1].

Mitigation

The fix is included in IBM Guardium Data Encryption (GDE) 4.0.0.5, released on or before July 7, 2021 [1]. Organizations should upgrade to version 4.0.0.5 or later to apply the patch [1]. For versions 3.0.0.3 and earlier, no official workaround is documented, and the product is likely end-of-life [1].
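As an added illustration, not code from the advisory or from IBM, the following Python audit parses `Set-Cookie` response headers and reports session cookies that lack the `HttpOnly` flag described above (and `Secure`, given the plaintext-sniffing path the narrative mentions). The sample headers, the cookie name `JSESSIONID` and the session-name hints are constructed assumptions, not GDE specifics.

```python
from dataclasses import dataclass, field

# Name fragments that usually mark a cookie as session/auth-bearing (assumption).
SESSION_NAME_HINTS = ("session", "jsessionid", "auth", "token")


@dataclass
class CookieAudit:
    name: str
    http_only: bool
    secure: bool
    looks_like_session: bool
    findings: list = field(default_factory=list)


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, {attribute_lower: attribute_value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flags like HttpOnly carry no value
    return name.strip(), value, attrs


def audit_set_cookie(header_value):
    """Report missing HttpOnly/Secure on a cookie that looks like a session cookie."""
    name, _value, attrs = parse_set_cookie(header_value)
    http_only = "httponly" in attrs
    secure = "secure" in attrs
    looks_like_session = any(h in name.lower() for h in SESSION_NAME_HINTS)
    audit = CookieAudit(name, http_only, secure, looks_like_session)
    if looks_like_session and not http_only:
        audit.findings.append("missing HttpOnly: cookie is readable from client-side script")
    if looks_like_session and not secure:
        audit.findings.append("missing Secure: cookie may be sent over plaintext HTTP")
    return audit


def audit_response_headers(headers):
    """Audit every Set-Cookie header in a list of (name, value) response headers."""
    return [audit_set_cookie(v) for n, v in headers if n.lower() == "set-cookie"]


# Constructed sample data: the weak header beside its corrected form.
WEAK_HEADERS = [("Set-Cookie", "JSESSIONID=abc123; Path=/")]
FIXED_HEADERS = [("Set-Cookie", "JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Strict")]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("fixed", FIXED_HEADERS)):
        for a in audit_response_headers(hdrs):
            print(label, a.name, a.findings or ["ok"])
```

Point the audit at the headers of a real login response to confirm that an upgrade actually changed the cookie attributes rather than only the version string.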

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
