Executive Summary

This vulnerability in IBM OpenPages versions 9.0 and 9.1 involves the web page cache being stored locally using the HTTP caching directive 'Cache-Control: max-age=0' instead of the more secure 'Cache-Control: no-store'. Although 'max-age=0' marks content as stale, it still allows temporary storage in browsers or intermediary caches. This can lead to sensitive information being accessible to other users on the same system, representing a local information disclosure risk. [1]

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can allow another user on the same system to read sensitive information cached locally by the web browser or intermediary caches. This local access could lead to unauthorized disclosure of sensitive data, although the impact on confidentiality is considered low and there is no impact on integrity or availability. [1]

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, you should promptly apply the available fixes from IBM. Specifically, upgrade IBM OpenPages to version 9.1.1 or apply FixPack 5 and Interim Fix 5 for version 9.0. These updates change the HTTP caching directive from 'Cache-Control: max-age=0' to 'Cache-Control: no-store', preventing sensitive data from being cached locally. No other workarounds or mitigations are provided. [1]

Useful 0 Not Useful 0