IBM8E385BFF431211D7FA9D991454F472F5380380ADEA7D98FC78CF4A5E16BC4AAESecurity Bulletin: IBM MQ Appliance is affected by a sensitive information disclosure vulnerability (CVE-2020-5008)
0.001 Low
EPSS
Percentile
27.9%
Summary
IBM MQ Appliance has resolved a sensitive information disclosure vulnerability initially reported by the IBM DataPower Gateway.
Vulnerability Details
CVEID:CVE-2020-5008
**DESCRIPTION:**IBM DataPower Gateway 10.0.0.0 through 10.0.1.0 and 2018.4.1.0 through 2018.4.1.14 store sensitive information in GET request parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: 193033.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/193033 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM MQ Appliance | 9.2 CD |
| IBM MQ Appliance | 9.2 LTS |
| IBM MQ Appliance | 9.1 CD |
| IBM MQ Appliance | 9.1 LTS |
Remediation/Fixes
This vulnerability is addressed under APAR IT37174.
IBM MQ Appliance version 9.1 LTS
Apply fixpack 9.1.0.9, or later firmware.
IBM MQ Appliance version 9.1 CD
Upgrade to 9.2.3 CD release, or later firmware.
IBM MQ Appliance version 9.2 LTS
Apply fixpack 9.2.0.3, or later firmware.
IBM MQ Appliance version 9.2 CD
Upgrade to 9.2.3 CD release, or later firmware.
Workarounds and Mitigations
None
Related
0.001 Low
EPSS
Percentile
27.9%