CVE-2025-36011

4.3 MEDIUM

📋 TL;DR

IBM Jazz for Service Management versions 1.1.3.0 through 1.1.3.24 do not set the secure attribute on authorization tokens and session cookies, so a browser will also send those cookies over unencrypted HTTP links, where an attacker on the network path can intercept them. This affects organizations running vulnerable versions of IBM Jazz for Service Management and can expose user sessions to unauthorized access.

💻 Affected Systems

Products:
  • IBM Jazz for Service Management
Versions: 1.1.3.0 through 1.1.3.24
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default configurations where cookies lack the secure attribute.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies via man-in-the-middle attacks on HTTP connections, leading to unauthorized access to the Jazz for Service Management application and potential data exposure or manipulation.

🟠 Likely Case

Session hijacking where attackers capture user cookies from HTTP traffic, gaining access to authenticated sessions within the application.

🟢 If Mitigated

With HTTPS enforced and the secure attribute set on cookies, the risk is minimal because the browser will only transmit the cookies over encrypted connections.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires tricking users into clicking HTTP links or intercepting network traffic.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1.3.25 or later

Vendor Advisory: https://www.ibm.com/support/pages/node/7244357

Restart Required: No

Instructions:

1. Upgrade to IBM Jazz for Service Management version 1.1.3.25 or later.
2. Apply the fix as per IBM's instructions in the advisory.

🔧 Temporary Workarounds

Enforce HTTPS Only

all

Configure the application to use HTTPS exclusively and set secure cookie attributes.

  • Configure the web server to redirect all HTTP traffic to HTTPS
  • Set the secure flag on cookies in the application configuration

🧯 If You Can't Patch

  • Implement strict network segmentation to limit access to the application
  • Use web application firewalls (WAF) to monitor and block cookie theft attempts

🔍 How to Verify

Check if Vulnerable:

Inspect the Set-Cookie headers in the application's HTTP responses (for example with browser developer tools) and check whether the session and authorization cookies carry the secure attribute; if they do not, the instance is vulnerable.

Check Version:

Check the application version in the admin console or via version files.

Verify Fix Applied:

Verify that the session and authorization cookies now carry the secure attribute and that the browser only sends them over HTTPS.
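The cookie check above, as an added example that is not part of the advisory or of IBM's own tooling: it parses Set-Cookie header values the way a browser does and reports every cookie that lacks the Secure attribute. The sample headers are constructed, and the hostname in `fetch_set_cookie_headers` is a hypothetical placeholder for your own deployment.

```python
"""Audit Set-Cookie headers for the Secure attribute (added example, not IBM code)."""
import http.client
from typing import Dict, List


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Split one Set-Cookie value into its name/value and a lowercase attribute map."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {
        "name": name.strip(),
        "value": value.strip(),
        "secure": "secure" in attrs,       # cookie only sent over HTTPS
        "httponly": "httponly" in attrs,   # cookie not readable from script
        "samesite": attrs.get("samesite", "").lower() or None,
    }


def insecure_cookies(set_cookie_headers: List[str]) -> List[str]:
    """Return the names of cookies that a browser would also send over plain HTTP."""
    return [c["name"] for c in map(parse_set_cookie, set_cookie_headers) if not c["secure"]]


def fetch_set_cookie_headers(host: str, path: str = "/", timeout: float = 10.0) -> List[str]:
    """Fetch one page over HTTPS and return every Set-Cookie header it sends.

    The host is a hypothetical placeholder; point it at your own JazzSM instance.
    """
    conn = http.client.HTTPSConnection(host, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return [v for k, v in resp.getheaders() if k.lower() == "set-cookie"]
    finally:
        conn.close()


# Constructed sample headers, not captured from a real server.
SAMPLE_HEADERS = [
    "session_id=abc123; Path=/; HttpOnly",                       # missing Secure
    "auth_token=xyz789; Path=/; Domain=jazzsm.example.invalid",  # missing Secure and HttpOnly
    "csrf=tok42; Path=/; Secure; HttpOnly; SameSite=Strict",     # hardened cookie
]

if __name__ == "__main__":
    for name in insecure_cookies(SAMPLE_HEADERS):
        print(f"cookie {name!r} lacks the Secure attribute")
```

To check a live instance, replace `SAMPLE_HEADERS` with `fetch_set_cookie_headers("jazzsm.example.invalid", "/")` and expect an empty result after the 1.1.3.25 fix.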

📡 Detection & Monitoring

Log Indicators:

  • Unusual login patterns or session hijacking attempts in access logs

Network Indicators:

  • Session or authorization cookies for the application observed in plaintext HTTP requests

SIEM Query:

source="web_logs" AND (cookie_transmission="insecure" OR http_request="GET /login")
