IBM Security Access Manager 9.0.1 through 9.0.6 does not validate, or incorrectly validates, a certificate which could allow an attacker to spoof a trusted entity by using a man-in-the-middle (MITM) a

The primary impact of CVE-2019-4150 is the potential for an attacker to conduct a man-in-the-middle attack. By successfully spoofing a trusted certificate, an attacker could intercept and potentially modify sensitive communications between users and the IBM Security Access Manager system. This could lead to unauthorized access to resources, data breaches, and compromise of user credentials. While the CVSS score is LOW, the potential for data exfiltration and disruption makes this a concern, particularly in environments with stringent security requirements.

Organizations utilizing IBM Security Access Manager versions 9.0.1 through 9.0.6, particularly those handling sensitive data or operating in environments with high security requirements, are at risk. Environments relying on certificate-based authentication are especially vulnerable.

1. 2019-06-25Disclosure

   disclosure

1. Gereserveerd2019-01-03
2. Gepubliceerd2019-06-25
3. Gewijzigd2024-09-17
4. EPSS bijgewerkt2026-04-02

The recommended mitigation for CVE-2019-4150 is to upgrade to IBM Security Access Manager version 9.0.7 or later, which includes the fix for this certificate validation issue. If immediate upgrade is not possible, consider implementing network segmentation to limit the potential impact of a successful attack. Review and strengthen certificate management policies to ensure proper validation and revocation procedures are in place. Monitor network traffic for suspicious activity indicative of MITM attacks.