IBMFDF2118E14BC12AE519F5701CB6DE554494F052C3B78327C85C64F97DEE3942CSecurity Bulletin: IBM Security Information Queue does not prevent a product's owner from being modified (CVE-2020-4290)
0.001 Low
EPSS
Percentile
19.6%
Summary
Each configured product in IBM Security Information Queue (ISIQ) has an owner who controls access to the product. It’s possible for an attacker to intercept a product configuration request object and change the owner value, which would grant unauthorized access. As of v1.0.6, a product’s owner is no longer determined by the configuration request object, and thus is not subject to modification.
Vulnerability Details
CVEID:CVE-2020-4290
**DESCRIPTION:**IBM Security Information Queue (ISIQ) could allow any authenticated user to spoof the configuration owner of any other user which disclose sensitive information or allow for unauthorized access.
CVSS Base score: 4.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/176333 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM Security Information Queue (ISIQ) | 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5 |
Remediation/Fixes
Download and install the latest IBM Security Information Queue images (tagged at 1.0.6 or greater) from the Docker Hub repository. The instructions for accessing and deploying the images can be found on the ISIQ starter kit page: <https://www.ibm.com/support/pages/ibm-security-information-queue-starter-kit>
Workarounds and Mitigations
None
Related
0.001 Low
EPSS
Percentile
19.6%