IBM Security Information Queue (ISIQ) stores the JSON web token (JWT) secret in plain text in one of its YAML files. As of v1.0.5, ISIQ generates an encrypted JWT secret during product configuration.
CVEID:CVE-2020-4283
**DESCRIPTION:**IBM Security Information Queue (ISIQ) contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
CVSS Base score: 6.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/176206 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N)
Affected Product(s) | Version(s) |
---|---|
IBM Security Information Queue (ISIQ) | 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4 |
Download and install the latest IBM Security Information Queue images (tagged at 1.0.5 or greater) from the Docker Hub repository. The instructions for accessing and deploying the images can be found on the ISIQ starter kit page: <https://www.ibm.com/support/pages/ibm-security-information-queue-starter-kit>
None