
Security Bulletin: IBM Security Information Queue does not set the HttpOnly flag in session cookies (CVE-2020-4289)

2020-04-07 16:32:55
www.ibm.com

EPSS: 0.001 (Low), percentile 42.2%

Summary

IBM Security Information Queue (ISIQ) does not sufficiently protect its session cookies because it does not set the HttpOnly flag on them. Without that flag, a client-side script running in the user's browser can read the ISIQ session cookie and disclose its contents. As of v1.0.6, ISIQ sets the HttpOnly flag on session cookies.

Vulnerability Details

CVEID: CVE-2020-4289
**DESCRIPTION:** IBM Security Information Queue (ISIQ) could allow a remote attacker to obtain sensitive information, caused by the failure to set the HttpOnly flag on session cookies. A remote attacker could exploit this vulnerability to obtain sensitive information from the cookie.
CVSS Base score: 5.3
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/176332 for the current score.
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
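The check a practitioner would run against a deployment before and after upgrading is to inspect the Set-Cookie headers the server returns. The following is an added example, not IBM's code or part of this bulletin: a small Set-Cookie auditor that parses each header value and reports any cookie lacking HttpOnly (the flag this CVE concerns), plus Secure and SameSite, which the bulletin does not mention but which the same review would cover. The sample headers and the cookie name JSESSIONID are constructed for illustration and are not ISIQ's actual cookie names.

```javascript
// Added example (not IBM's code): audit Set-Cookie header values for the
// HttpOnly flag that CVE-2020-4289 concerns, plus Secure and SameSite.
// The header lines below are constructed for illustration; the cookie
// names are assumptions, not ISIQ's real cookie names.

const SAMPLE_SET_COOKIE_HEADERS = [
  // Constructed: a session cookie issued without HttpOnly (the CVE condition)
  'JSESSIONID=abc123; Path=/; Secure',
  // Constructed: the same cookie with the flags a fixed build should set
  'JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Strict',
  // Constructed: a non-session cookie with no protective attributes at all
  'theme=dark; Path=/',
];

/**
 * Parse one Set-Cookie header value into { name, value, attributes }.
 * Attribute names are case-insensitive (RFC 6265), so they are lower-cased;
 * flag attributes without a value (Secure, HttpOnly) are stored as true.
 */
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq).trim();
  const value = eq === -1 ? '' : parts[0].slice(eq + 1).trim();
  const attributes = {};
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attributes[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, value, attributes };
}

/** Return the cookie name and the list of protective flags it is missing. */
function auditSetCookie(header) {
  const cookie = parseSetCookie(header);
  const missing = [];
  if (!cookie.attributes.httponly) missing.push('HttpOnly');
  if (!cookie.attributes.secure) missing.push('Secure');
  if (!cookie.attributes.samesite) missing.push('SameSite');
  return { name: cookie.name, missing };
}

/** Audit every Set-Cookie header of a response; keep only cookies with findings. */
function auditResponseCookies(setCookieHeaders) {
  return setCookieHeaders.map(auditSetCookie).filter((r) => r.missing.length > 0);
}

// Run against the constructed sample: the first and third headers are flagged,
// the second (HttpOnly + Secure + SameSite) passes.
for (const finding of auditResponseCookies(SAMPLE_SET_COOKIE_HEADERS)) {
  console.log(`cookie ${finding.name}: missing ${finding.missing.join(', ')}`);
}

module.exports = { parseSetCookie, auditSetCookie, auditResponseCookies, SAMPLE_SET_COOKIE_HEADERS };
```

In practice the header values would come from the live response (for example `response.headers['set-cookie']` in Node, which is already an array of strings), so the same functions apply unchanged to a real ISIQ login response; a session cookie reported as missing HttpOnly indicates a pre-1.0.6 build.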

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM Security Information Queue (ISIQ) | 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5 |

Remediation/Fixes

Download and install the latest IBM Security Information Queue images (tagged 1.0.6 or later) from the Docker Hub repository. Instructions for accessing and deploying the images are on the ISIQ starter kit page: <https://www.ibm.com/support/pages/ibm-security-information-queue-starter-kit>

Workarounds and Mitigations

None
