IBM38891F97FDD1B3C5E1321F8C63035C7C92A14674B58BB186C985EA9AC16DEFA0Security Bulletin: IBM MQ is affected by a sensitive information disclosure vulnerability (CVE-2023-28514)
6.2 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
0.0004 Low
EPSS
Percentile
5.1%
Summary
An issue was identified with IBM MQ tracing logic that meant under certain circumstances sensitive data could be captured while IBM MQ trace was running. This data would be stored in plain text within the IBM MQ trace files.
Vulnerability Details
CVEID:CVE-2023-28514
**DESCRIPTION:**IBM MQ 8.0, 9.0, and 9.1 could allow a local user to obtain sensitive credential information when a detailed technical error message is returned in a stack trace. IBM X-Force ID: 250398.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/250398 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM MQ for HPE NonStop | 8.1.0 |
Remediation/Fixes
| IBM MQ V8.1 for HPE NonStop | 8.1.0.16 | IT43079 | Upgrade to CSU 8.1.0.16 |
|---|
Workarounds and Mitigations
None
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| ibm mq for hpe nonstop | eq | 8.1 | |
| ibm mq for hpe nonstop | eq | 8.1 |
Related
6.2 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
0.0004 Low
EPSS
Percentile
5.1%