#VU41705 Information disclosure in Operational Decision Manager
Vulnerability identifier: #VU41705
Vulnerability risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-200
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Operational Decision Manager
Client/Desktop applications /
Office applications
Vendor: IBM Corporation
Description
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The RES Console in Rule Execution Server in IBM Operational Decision Manager 7.5 before FP3 IF37, 8.0 before MP1 FP2, and 8.5 before MP1 IF26 does not send appropriate Cache-Control HTTP headers, which allows remote attackers to obtain sensitive information by leveraging an unattended workstation.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Operational Decision Manager: 7.5 - 8.5
External links
http://www-01.ibm.com/support/docview.wss?uid=swg21671324
http://exchange.xforce.ibmcloud.com/vulnerabilities/92573
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
