Unrated severity · NVD Advisory · Published May 5, 2022 · Updated Sep 17, 2024

CVE-2021-39020

Description

IBM Guardium Data Encryption (GDE) 4.0.0.7 and lower stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: 213855.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM Guardium Data Encryption (GDE) 4.0.0.7 and lower exposes sensitive data in URL parameters, risking information disclosure via logs or browser history.

Vulnerability

IBM Guardium Data Encryption (GDE) server versions 4.0.0.7 and lower store sensitive information in URL parameters. This vulnerability affects the Vormetric Data Security Manager (DSM) component. The information can be exposed to unauthorized parties who gain access to server logs, referrer headers, or browser history [1].

Exploitation

An attacker must have access to server logs, referrer headers, or browser history where URLs containing sensitive parameters are stored. This requires direct access to logs, the ability to intercept referrer headers, or access to the victim's browser history. The attacker does not need to exploit the application directly; instead, they leverage existing logs or traces of URL data.

Impact

Successful exploitation leads to low confidentiality impact (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N) [1]. The attacker can retrieve sensitive information from URL parameters, potentially exposing data such as authentication tokens or other secrets, but not compromising integrity or availability.

Mitigation

IBM recommends applying the fix available through the Thales portal. Users should upgrade to a version higher than 4.0.0.7. No workarounds are available [1]. The vulnerability is disclosed as part of IBM X-Force Ethical Hacking Team findings.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
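
To gauge exposure through the server-log path described above, the following added example (not part of the advisory and not IBM or Thales code) scans access-log lines for sensitive query parameters and produces redacted copies. The parameter names, the combined-log-style line format, and the sample lines are assumptions, since the advisory does not say which parameters are affected.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed parameter names: the advisory does not say which parameters are
# exposed, so this set is a hypothetical starting point to tune per deployment.
SENSITIVE_KEYS = {"password", "passwd", "token", "session", "sessionid", "apikey", "secret"}

# Request field of a combined-log-format line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

def redact_target(target):
    """Return (redacted_target, sorted list of sensitive keys found)."""
    parts = urlsplit(target)
    hits, pairs = set(), []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_KEYS and value:
            hits.add(key)
            value = "REDACTED"
        pairs.append((key, value))
    if not hits:
        return target, []  # leave clean URLs byte-for-byte unchanged
    return urlunsplit(parts._replace(query=urlencode(pairs))), sorted(hits)

def audit_log(lines):
    """Return (line_number, keys, redacted_line) for lines whose URL carries a secret."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        redacted, keys = redact_target(match.group("target"))
        if keys:
            new_line = line[:match.start("target")] + redacted + line[match.end("target"):]
            findings.append((number, keys, new_line))
    return findings

# Constructed sample lines (not taken from any real product log).
SAMPLE_LOG = [
    '192.0.2.10 - admin [05/May/2022:10:00:00 +0000] "GET /app/login?user=admin&token=abc123 HTTP/1.1" 200 512',
    '192.0.2.11 - - [05/May/2022:10:00:05 +0000] "GET /app/status?verbose=1 HTTP/1.1" 200 128',
    '192.0.2.12 - - [05/May/2022:10:00:09 +0000] "POST /app/reset?Password=hunter2&next=%2Fhome HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for number, keys, line in audit_log(SAMPLE_LOG):
        print(f"line {number}: sensitive parameter(s) {keys}\n  {line}")
```

Any value this audit finds in stored logs should be treated as disclosed and rotated; redacting the log copy does not undo earlier exposure.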
