IT27275: SENSITIVE INFORMATION DISCLOSURE (BASE64 BASIC AUTH CREDENTIALS REFLECTED BACK IN RESPONSE HEADER)
Fixes are available
Closed as duplicate of another APAR.
It was observed that one of the DataPower SOAP API calls reveals the Base64-encoded username and password in response headers. Sensitive information can range from user information such as login credentials, social security numbers, addresses, and account numbers to how an application is configured and structured. If an application discloses any of this information publicly, it can be catastrophic to its users, developers, and the company. An attacker can use the information to social engineer the users or site administration. An attacker could also use the information to correlate to known exploits to which the application's database or web server might be vulnerable.
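The defect described above is a reflection problem: a Base64 Basic credential sent in a request comes back in a response header. A response-side check that catches this class of leak, as an added example written here and not code from the APAR, IBM, or DataPower, is shown below. The request and response headers are constructed sample data; the header name X-Client-Authorization and the credentials alice / bob are assumptions for the example only. The check flags a header either because it repeats the request's own Authorization token or because any Base64 token in it decodes to a user:password pair; it reports the user name but never the password.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample exchange (not taken from the APAR): the client sends
# Basic auth and the backend mirrors the value into a response header.
REQUEST_HEADERS = {
    "Host": "gateway.example.test",
    "Authorization": "Basic YWxpY2U6cy1lLWMtci1lLXQ=",  # alice:s-e-c-r-e-t (constructed)
    "Content-Type": "text/xml; charset=utf-8",
}

RESPONSE_HEADERS = {
    "Content-Type": "text/xml; charset=utf-8",
    "X-Client-Authorization": "Basic YWxpY2U6cy1lLWMtci1lLXQ=",  # reflected verbatim
    "X-Request-Id": "7f3a9c",
}

# "Basic <token>" as it appears in an Authorization header.
_BASIC_RE = re.compile(r"(?i)\bBasic\s+([A-Za-z0-9+/=]{4,})")
# Any run that looks like a Base64 token, whether or not "Basic" precedes it.
_B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")


def decode_basic_credentials(token: str) -> Optional[Tuple[str, str]]:
    """Return (user, password) if token is Base64 for a printable user:password string."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if ":" not in text or not text.isprintable():
        return None
    user, _, password = text.partition(":")
    if not user:
        return None
    return user, password


def find_reflected_credentials(
    request_headers: Dict[str, str], response_headers: Dict[str, str]
) -> List[Dict[str, object]]:
    """Flag response headers carrying Basic credentials.

    Each finding records the header name, the decoded user name (never the
    password) and whether the token is the one the request itself sent.
    """
    request_tokens = set()
    for value in request_headers.values():
        for match in _BASIC_RE.finditer(value):
            request_tokens.add(match.group(1))

    findings: List[Dict[str, object]] = []
    for name, value in response_headers.items():
        for token in _B64_TOKEN_RE.findall(value):
            creds = decode_basic_credentials(token)
            if creds is None:
                continue  # ordinary Base64-looking text such as "text/xml"
            user, _password = creds
            findings.append({
                "header": name,
                "user": user,
                "reflected_from_request": token in request_tokens,
            })
    return findings


if __name__ == "__main__":
    for finding in find_reflected_credentials(REQUEST_HEADERS, RESPONSE_HEADERS):
        print(f"credential leak in header {finding['header']!r}: user={finding['user']!r} "
              f"reflected={finding['reflected_from_request']}")
```

Run against a captured request/response pair from a proxy or test harness; a non-empty result means the response is carrying a credential and the header should be stripped at the gateway before the response leaves the service. The decode step rejects tokens that are not valid Base64, do not decode to UTF-8, or lack the user:password shape, so incidental Base64-like fragments in Content-Type or request IDs do not produce noise.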
This APAR is a duplicate of IT26030
Reported component name: NoSpecatt / Xsystem