CVE-2024-45669

IBM Security Verify Information Queue 10.0.5, 10.0.6, 10.0.7, and 10.0.8 could allow a remote user to cause a denial of service due to improper handling of special characters that could lead to uncontrolled resource consumption...

CVE-2024-45671 IBM Security Verify Information Queue information disclosure

IBM Security Verify Information Queue 10.0.5, 10.0.6, 10.0.7, and 10.0.8 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information...

CVE-2024-47120 IBM Security Verify Information Queue code execution

IBM Security Verify Information Queue 10.0.5, 10.0.6, 10.0.7, and 10.0.8 could allow a privileged user to escalate their privileges and attack surface on the host due to the containers running with unnecessary privileges...

CVE-2024-47120 IBM Security Verify Information Queue code execution

IBM Security Verify Information Queue 10.0.5, 10.0.6, 10.0.7, and 10.0.8 could allow a privileged user to escalate their privileges and attack surface on the host due to the containers running with unnecessary privileges...

Security Bulletin: IBM Security Verify Information Queue displays the Grafana signing key when setting up the logs stack (CVE-2021-20412)

Summary IBM Security Verify Information Queue ISIQ offers an optional logs stack to demonstrate logging and monitoring. Among the stack's components is a Grafana dashboard. The initialization file for Grafana contains a hard-coded signing key. As of ISIQ v10.0.0, this signing key has been removed...

Security Bulletin: IBM Security Verify Information Queue does not hide the InfluxDB credentials when setting up the logs stack (CVE-2021-20410)

Summary IBM Security Verify Information Queue ISIQ offers an optional logs stack to demonstrate logging and monitoring. The logs stack YAML file has parameters for defining an InfluxDB instance. The parameters include the InfluxDB user and password credentials. As of ISIQ v10.0.0, these credentia...

Security Bulletin: IBM Security Verify Information Queue does not always enable HTTP Strict Transport Security when sending error responses (CVE-2021-20409)

Summary The web server in IBM Security Verify Information Queue ISIQ does not add the HTTP Strict Transport Security header in its internally generated error responses. Consequently, a remote attacker could obtain sensitive information from an insecure HTTP connection. As of v10.0.0, ISIQ is...

Security Bulletin: IBM Security Verify Information Queue discloses sensitive information in source code (CVE-2021-20407)

Summary The source code for a Node.js package used by IBM Security Verify Information Queue ISIQ includes the email address of one of the developers of the package. As of v10.0.0, ISIQ is now hiding this sensitive information. Vulnerability Details CVEID:CVE-2021-20407 DESCRIPTION: IBM Security...

Security Bulletin: IBM Security Verify Information Queue uses a relatively weak cryptographic algorithm to protect application data (CVE-2021-20406)

Summary The cryptographic algorithm that IBM Security Verify Information Queue ISIQ uses to encrypt and decrypt application data has a JSON web token JWT signing key that is shorter than the recommended length. As of v10.0.0, ISIQ has doubled the length of its JWT signing key to be in compliance...

Security Bulletin: IBM Security Verify Information Queue has a third-party library vulnerability (CVE-2023-43642)

Summary IBM Security Verify Information Queue ISIQ v10.0.7 has upgraded its Apache Kafka client to remediate a vulnerability in the snappy-java compression library. Vulnerability Details CVEID:CVE-2023-43642 DESCRIPTION: snappy-java is vulnerable to a denial of service, caused by missing upper...

Security Bulletin: IBM Security Verify Information Queue has multiple information exposure vulnerabilities (CVE-2023-33833, CVE-2023-33834, CVE-2023-33835)

Summary IBM Security Verify Information Queue ISIQ v10.0.6 has remediated several vulnerabilities in which internal product details were being disclosed that could be exploited for harmful attacks. Vulnerability Details CVEID:CVE-2023-33835 DESCRIPTION: IBM Security Verify Information Queue could...

PT-2023-5221 · Ibm · Ibm Security Verify Information Queue

Name of the Vulnerable Software and Affected Versions: IBM Security Verify Information Queue versions 10.0.4 through 10.0.5 Description: The issue is related to a flaw in the error reporting mechanism of IBM Security Verify Information Queue, which could allow a remote attacker to obtain sensitiv...

Security Bulletin: IBM Security Verify Information Queue has multiple third-party library vulnerabilities

Summary IBM Security Verify Information Queue ISIQ v10.0.5 has remediated vulnerabilities in the third-party libraries that it uses. Vulnerability Details CVEID:CVE-2022-41946 DESCRIPTION: Postgresql JDBC could allow a local authenticated attacker to obtain sensitive information, caused by not...

CVE-2022-35286

IBM Security Verify Information Queue 10.0.2 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 230814...

Security Bulletin: IBM Security Verify Information Queue web UI is vulnerable to cross-site request forgery (CVE-2022-35286)

Summary IBM Security Verify Information Queue ISIQ may be vulnerable to cross-site request forgery. The code has been updated to address the issue. Vulnerability Details CVEID:CVE-2022-35286 DESCRIPTION: IBM Security Verify Information Queue is vulnerable to cross-site request forgery which could...

PT-2022-22689 · Ibm · Ibm Security Verify Information Queue

Name of the Vulnerable Software and Affected Versions: IBM Security Verify Information Queue version 10.0.2 Description: The issue concerns hard-coded credentials, such as a password or cryptographic key, used by IBM Security Verify Information Queue for inbound authentication, outbound...

Security Bulletin: A failed attempt to regenerate an IBM Security Verify Information Queue API token reveals sensitive data (CVE-2022-35288)

Summary When a malformed request to regenerate an external API token is sent to IBM Security Verify Information Queue ISIQ v10.0.2, the resulting error message reveals sensitive data. ISIQ v10.0.3 has remediated this information exposure vulnerability. CVE-2022-35288 Vulnerability Details...

Security Bulletin: IBM Security Verify Information Queue distributes configuration files with hard-coded credentials (CVE-2022-35287)

Summary IBM Security Verify Information Queue ISIQ v10.0.2 includes YAML files and property files with hard-coded credentials. ISIQ v10.0.3 has removed these files from the installation package since they are not required for product operation. CVE-2022-35287 Vulnerability Details...

Security Bulletin: Audit events query facility in IBM Security Verify Information Queue is vulnerable to SQL injection (CVE-2022-35285)

Summary The query facility in the Audit Events UI of IBM Security Verify Information Queue ISIQ v10.0.2 is vulnerable to SQL injection. This could allow an attacker to use cross-site request forgery for the purpose of executing unauthorized actions. ISIQ v10.0.3 has secured the Audit Events UI to...

Security Bulletin: Session cookie used by IBM Security Verify Information Queue is not properly secured (CVE-2022-35284)

Summary IBM Security Verify Information Queue ISIQ v10.0.2 does not set the SameSite attribute in the ISIQ session cookie. As a result, any CSRF protections offered by the attribute are disabled. ISIQ v10.0.3 is now correctly setting the SameSite attribute. CVE-2022-35284 Vulnerability Details...