IBM5022122B9E380AB767FE5E398437B24A8A7FA32600F198DAB715720A59734445Security Bulletin: Insufficient command validation in IBM Security Information Queue (CVE-2020-4282)
0.001 Low
EPSS
Percentile
19.6%
Summary
IBM Security Information Queue (ISIQ) does not implement encoding or escaping of command requests that originate in the web UI. For example, it would be possible to intercept a product configuration request, and replace the product name with illegal characters. As of v1.0.6, ISIQ performs back-end validation to ensure that commands have not been tampered with.
Vulnerability Details
CVEID:CVE-2020-4282
**DESCRIPTION:**IBM Security Information Queue (ISIQ) could allow an authenticated user to perform unauthorized actions by bypassing illegal character restrictions.
CVSS Base score: 3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/176205 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM Security Information Queue (ISIQ) | 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5 |
Remediation/Fixes
Download and install the latest IBM Security Information Queue images (tagged at 1.0.6 or greater) from the Docker Hub repository. The instructions for accessing and deploying the images can be found on the ISIQ starter kit page: <https://www.ibm.com/support/pages/ibm-security-information-queue-starter-kit>
Workarounds and Mitigations
None
Related
0.001 Low
EPSS
Percentile
19.6%