CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Description
IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 does not invalidate a session after privileges have been modified, which could allow an authenticated user to retain access to sensitive information.
CWE: CWE-613: Insufficient Session Expiration
CVSS Source: IBM
CVSS Base score: 6.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Analysis
IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 fail to invalidate existing user sessions when a user's privileges are modified (for example, when administrative rights are revoked), so an authenticated user can keep using a session issued under the old privileges and retain access to sensitive information they should no longer be able to reach. The flaw sits in the session management layer and requires only an authenticated, low-privileged user (CVSS PR:L). IBM has published a fix; in enterprise data integration environments the issue represents a privilege escalation and information disclosure risk.
Technical Context
This vulnerability stems from insufficient session expiration handling (CWE-613) in IBM InfoSphere Information Server, an enterprise data integration and metadata management platform. The root cause is that the application does not invalidate or refresh session tokens when an administrator modifies a user's access control list (ACL) or role assignments. In sound session management, a privilege change should terminate the affected sessions and force re-authentication so that the authorization boundaries are recalculated from the current privilege set. Instead, InfoSphere Information Server lets the session persist with cached privilege information, which allows the user to bypass newly applied restrictions. The affected versions span the 11.7.x branch (11.7.0.0 through 11.7.1.6 per CPE cpe:2.3:a:ibm:infosphere_information_server), and the issue is a foundational flaw in how the application ties session state to dynamic privilege changes.
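The following Python example is added here to illustrate the mechanism described above; it is not code from IBM or from InfoSphere Information Server, and the session store, user names and roles are constructed for the demonstration. It places a session store that caches roles at login (the CWE-613 pattern) beside one that records a per-user privilege generation counter in each session and invalidates any session whose generation no longer matches, which forces re-authentication after every privilege change.

```python
"""Session invalidation on privilege change: a role-caching session store
beside a hardened store keyed on a per-user privilege generation counter.
Added illustration; the store design and sample users are assumptions."""
import secrets


class CachedRoleSessionStore:
    """Mirrors the CWE-613 pattern: roles are copied into the session at login
    and never re-checked, so a later role change never reaches a live session."""

    def __init__(self, users):
        self.users = {u: {"roles": set(d["roles"])} for u, d in users.items()}
        self.sessions = {}

    def login(self, username):
        sid = secrets.token_urlsafe(16)
        # Privilege snapshot frozen into the session at login time.
        self.sessions[sid] = {"user": username, "roles": set(self.users[username]["roles"])}
        return sid

    def change_roles(self, username, roles):
        self.users[username]["roles"] = set(roles)  # live sessions are untouched

    def authorize(self, sid, required_role):
        s = self.sessions.get(sid)
        return s is not None and required_role in s["roles"]


class GenerationSessionStore:
    """Hardened: every privilege change bumps the user's privilege generation.
    A session issued under an older generation is invalidated on its next use,
    which works even when the store cannot enumerate a user's sessions."""

    def __init__(self, users):
        self.users = {u: {"roles": set(d["roles"]), "gen": 0} for u, d in users.items()}
        self.sessions = {}

    def login(self, username):
        sid = secrets.token_urlsafe(16)
        # Store only the generation; roles are always read from the user record.
        self.sessions[sid] = {"user": username, "gen": self.users[username]["gen"]}
        return sid

    def change_roles(self, username, roles):
        user = self.users[username]
        user["roles"] = set(roles)
        user["gen"] += 1  # any session minted before this point is now stale

    def authorize(self, sid, required_role):
        s = self.sessions.get(sid)
        if s is None:
            return False
        user = self.users[s["user"]]
        if s["gen"] != user["gen"]:
            # Stale session: drop it and require a fresh login.
            del self.sessions[sid]
            return False
        return required_role in user["roles"]


def demonstrate():
    """Run one scenario against both stores: log in with admin, have admin
    revoked, then retry an admin-only action with the old session.
    Returns {store_name: (allowed_before, allowed_after, session_still_valid)}."""
    results = {}
    for name, cls in (("cached", CachedRoleSessionStore), ("generation", GenerationSessionStore)):
        store = cls({"alice": {"roles": {"admin", "reader"}}})  # constructed user
        sid = store.login("alice")
        before = store.authorize(sid, "admin")
        store.change_roles("alice", {"reader"})  # administrator revokes admin
        after = store.authorize(sid, "admin")
        results[name] = (before, after, sid in store.sessions)
    return results


if __name__ == "__main__":
    for store_name, outcome in demonstrate().items():
        print(f"{store_name}: before={outcome[0]} after={outcome[1]} session_alive={outcome[2]}")
```

The cached store reports (True, True, True): the revoked admin right is still honoured and the session survives. The generation store reports (True, False, False): the first request after the change detects the stale generation, discards the session and denies the action. Where the session store can enumerate a user's sessions, deleting them eagerly at change time is a useful addition, but the generation check is the backstop that does not depend on that capability.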
Affected Products
IBM InfoSphere Information Server versions 11.7.0.0 through 11.7.1.6 are affected, as confirmed by CPE cpe:2.3:a:ibm:infosphere_information_server. The vulnerability has been documented by IBM with a patch available. See the vendor security advisory for detailed version information and patch applicability at https://www.ibm.com/support/pages/node/7266696.
Remediation
Apply the security patch provided by IBM for InfoSphere Information Server immediately. Organizations running versions 11.7.0.0 through 11.7.1.6 should upgrade to the patched version specified in the IBM security bulletin at https://www.ibm.com/support/pages/node/7266696. Until the patch can be deployed, implement compensating controls: enforce mandatory session re-authentication (a 15-30 minute session timeout) and add real-time privilege change notifications with an automated logout trigger whenever a user's privileges are modified. Additionally, monitor session activity logs for privilege changes and correlate them with subsequent data access events on sessions that predate the change, which is the signature of attempted exploitation. Restrict network access to the InfoSphere Information Server console to trusted administrative IP ranges and enforce multi-factor authentication for all administrative accounts that manage user roles.
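The correlation described in the monitoring step above, as an added Python example that is not part of the advisory or of IBM's tooling: the log lines are constructed in a generic key=value format (the product's real audit log format is not shown here), and the rule flags any data access made over a session that was established before the most recent privilege change for that user, since such a session is the one a stale-privilege bypass would use.

```python
"""Detect data access over sessions that predate a privilege change.
Added illustration; the log format and the sample events are constructed."""
import re
from datetime import datetime

# Constructed sample audit lines (not real InfoSphere output).
SAMPLE_LOG = """\
2025-01-10T09:00:01Z event=login user=alice session=S1
2025-01-10T09:05:12Z event=role_change target=alice by=admin old=admin,reader new=reader
2025-01-10T09:06:40Z event=data_access user=alice session=S1 resource=/catalog/hr_salaries
2025-01-10T09:07:00Z event=login user=bob session=S2
2025-01-10T09:08:00Z event=data_access user=bob session=S2 resource=/catalog/public
2025-01-10T09:30:00Z event=login user=alice session=S3
2025-01-10T09:31:00Z event=data_access user=alice session=S3 resource=/catalog/hr_salaries
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse 'timestamp key=value ...' into a dict; returns None for junk lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for token in m.group("kv").split():
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        fields[key] = value
    try:
        fields["ts"] = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
    except ValueError:
        return None
    return fields


def find_stale_session_access(lines):
    """Return one finding per data_access whose session started before the
    user's latest privilege change and whose access came after it."""
    session_start = {}  # session id -> (user, login time)
    last_change = {}    # user -> time of most recent privilege change
    findings = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        kind = ev.get("event")
        if kind == "login":
            session_start[ev["session"]] = (ev["user"], ev["ts"])
        elif kind == "role_change":
            last_change[ev["target"]] = ev["ts"]
        elif kind == "data_access":
            user, sid = ev["user"], ev["session"]
            started = session_start.get(sid)
            changed = last_change.get(user)
            # Session predates the change and the access follows it.
            if started and changed and started[1] < changed < ev["ts"]:
                findings.append({
                    "user": user,
                    "session": sid,
                    "resource": ev.get("resource"),
                    "session_started": started[1].isoformat(),
                    "privilege_changed": changed.isoformat(),
                    "accessed": ev["ts"].isoformat(),
                })
    return findings


if __name__ == "__main__":
    for f in find_stale_session_access(SAMPLE_LOG.splitlines()):
        print(f"ALERT stale-session access: {f}")
```

On the sample, only alice's access over session S1 is flagged: S1 was opened before the role change and used afterwards. Her later session S3 was established after the change, so it reflects the current privileges and is not reported; bob has no privilege change at all. In production the same rule would read the real audit stream and feed a SIEM alert rather than print.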
References
EUVD-2025-209018
GHSA-68qv-w55v-9mrv