Medium Severity

Security Bulletin: IBM Verify Gateway does not hide client secrets when debug tracing is active (CVE-2020-4372)

Share this post:

When the IBM Verify Gateway (IVG) components are run with debug tracing, client secrets such as the username, password, and client-id are included in the debug log. As of v1.0.1 of IVG for RADIUS and IVG for AIX PAM, and v1.0.2 of IVG for Linux PAM and IVG for Windows Login, these client secrets are suppressed when debug tracing is active.

Affected product(s) and affected version(s):

Affected Product(s) Version(s)
IBM Verify Gateway (IVG) RADIUS 1.0.0
IBM Verify Gateway (IVG) PAM 1.0.0, 1.0.1
IBM Verify Gateway (IVG) WinLogin 1.0.0, 1.0.1

Refer to the following reference URLs for remediation and additional vulnerability details:  
Source Bulletin:

More stories

Security Bulletin: Insecure Use of InnerHTML or OuterHTML in IBM Enterprise Records

Sep 25, 2020 8:00 pm EDT | Medium Severity

It also is the case that we internally create the text to go into the HTML, not an external entity. more

Security Bulletin: Dynamically constructed href attribute in IBM Enterprise Records

Sep 25, 2020 8:00 pm EDT | Medium Severity

The place where this happens is believed to be dead code, but we do not want to just start deleting things in the code without sufficient time to test. more

Security Bulletin: IBM InfoSphere Information Server is vulnerable to Cross-frame scripting

Sep 24, 2020 8:00 pm EDT | Medium Severity

A Cross-frame scripting vulnerability was addressed by IBM InfoSphere Information Server. more