Each configured product in IBM Security Information Queue (ISIQ) has an owner who controls access to the product. It’s possible for an attacker to intercept a product configuration request object and change the owner value, which would grant unauthorized access. As of v1.0.6, a product’s owner is no longer determined by the configuration request object, and thus is not subject to modification.
CVEID:CVE-2020-4290
**DESCRIPTION:**IBM Security Information Queue (ISIQ) could allow any authenticated user to spoof the configuration owner of any other user which disclose sensitive information or allow for unauthorized access.
CVSS Base score: 4.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/176333 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N)
Affected Product(s) | Version(s) |
---|---|
IBM Security Information Queue (ISIQ) | 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5 |
Download and install the latest IBM Security Information Queue images (tagged at 1.0.6 or greater) from the Docker Hub repository. The instructions for accessing and deploying the images can be found on the ISIQ starter kit page: <https://www.ibm.com/support/pages/ibm-security-information-queue-starter-kit>
None