IBM MQ Appliance has resolved a sensitive information disclosure vulnerability initially reported by the IBM DataPower Gateway.
CVEID:CVE-2020-5008
**DESCRIPTION:**IBM DataPower Gateway 10.0.0.0 through 10.0.1.0 and 2018.4.1.0 through 2018.4.1.14 store sensitive information in GET request parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: 193033.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/193033 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
Affected Product(s) | Version(s) |
---|---|
IBM MQ Appliance | 9.2 CD |
IBM MQ Appliance | 9.2 LTS |
IBM MQ Appliance | 9.1 CD |
IBM MQ Appliance | 9.1 LTS |
This vulnerability is addressed under APAR IT37174.
IBM MQ Appliance version 9.1 LTS
Apply fixpack 9.1.0.9, or later firmware.
IBM MQ Appliance version 9.1 CD
Upgrade to 9.2.3 CD release, or later firmware.
IBM MQ Appliance version 9.2 LTS
Apply fixpack 9.2.0.3, or later firmware.
IBM MQ Appliance version 9.2 CD
Upgrade to 9.2.3 CD release, or later firmware.
None