IBM4D10C44979208617CF6C2DC15CD2CDB53DC2506370E02A68638B453F0A629C17Security Bulletin: IBM Security Information Queue has overly permissive CORS policy (CVE-2020-4292)
0.001 Low
EPSS
Percentile
27.9%
Summary
The cross-origin resource sharing (CORS) policy in IBM Security Information Queue (ISIQ) is too permissive. It allows all origins to access the ISIQ Web Server resources when such cross-domain accesses are unnecessary for ISIQ functionality. As of v1.0.5, ISIQ no longer permits cross-origin resource sharing.
Vulnerability Details
CVEID:CVE-2020-4292
**DESCRIPTION:**IBM Security Information Queue (ISIQ) uses a cross-domain policy file that includes domains that should not be trusted which could disclose sensitive information.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/176335 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM Security Information Queue (ISIQ) | 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4 |
Remediation/Fixes
Download and install the latest IBM Security Information Queue images (tagged at 1.0.5 or greater) from the Docker Hub repository. The instructions for accessing and deploying the images can be found on the ISIQ starter kit page: <https://www.ibm.com/support/pages/ibm-security-information-queue-starter-kit>
Workarounds and Mitigations
None
Related
0.001 Low
EPSS
Percentile
27.9%