
16 matches found

IBM Security Bulletins
added 2025/04/29 2:5 a.m. | 20 views

Security Bulletin: IBM Security Verify Information Queue does not sufficiently protect the key that encrypts and decrypts product credentials (CVE-2021-20408)

Summary: The key used by IBM Security Verify Information Queue (ISIQ) to encrypt and decrypt product credentials is stored in an ISIQ configuration file. To prevent unauthorized product access, this key should be better protected. As of v10.0.0, ISIQ is now using a separate Vault service to handle a...

CVSS 7.1 | AI score 5 | EPSS 0.00019
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2024/03/19 7:37 p.m. | 67 views

Security Bulletin: IBM Security Verify Information Queue has multiple third-party library vulnerabilities (CVE-2024-1597, CVE-2023-26159)

Summary: IBM Security Verify Information Queue (ISIQ) v10.0.8 has addressed vulnerabilities in the third-party libraries with an update. Vulnerability Details: CVEID: CVE-2024-1597. DESCRIPTION: PostgreSQL JDBC Driver (PgJDBC) is vulnerable to SQL injection. A remote attacker could send specially crafted...

CVSS 10 | AI score 8.6 | EPSS 0.0035
Exploits: 1 | Affected Software: 1

Cvelist
added 2023/08/31 12:59 p.m. | 21 views

CVE-2023-33833 IBM Security Verify Information Queue information disclosure

IBM Security Verify Information Queue 10.0.4 and 10.0.5 stores sensitive information in plain clear text which can be read by a local user. IBM X-Force ID: 256013...

CVSS 2.9 | AI score 3.5 | EPSS 0.00021
Exploits: 0 | References: 2

CVE
added 2022/07/26 2:25 p.m. | 52 views

CVE-2022-35286

CVE-2022-35286 affects IBM Security Verify Information Queue (ISIQ) 10.0.2. The vulnerability is a cross-site request forgery (CSRF) in the web UI that could allow an attacker to perform malicious, unauthorized actions on behalf of a trusted user. The root cause relates to insufficient request ve...

CVSS 8.8 | AI score 8.4 | EPSS 0.00109
Exploits: 0 | References: 2 | Affected Software: 1

NVD
added 2022/07/25 6:23 p.m. | 10 views

CVE-2022-35284

IBM Security Verify Information Queue 10.0.2 could disclose sensitive information due to a missing or insecure SameSite attribute for a sensitive cookie. IBM X-Force ID: 230811...

CVSS 7.5 | EPSS 0.00209
Exploits: 0 | References: 2

CVE
added 2022/07/25 5:20 p.m. | 51 views

CVE-2022-35285

The CVE-2022-35285 entry concerns IBM Security Verify Information Queue (ISIQ) v10.0.2, where the Audit Events UI is vulnerable due to a SQL injection flaw that can be exploited to facilitate cross-site request forgery, enabling an attacker to perform unauthorized actions that the trusted user in...

CVSS 8.8 | AI score 8.4 | EPSS 0.00104
Exploits: 0 | References: 2 | Affected Software: 1

CVE
added 2022/07/25 5:20 p.m. | 72 views

CVE-2022-35284

IBM Security Verify Information Queue (ISIQ) 10.0.2 is vulnerable to information disclosure due to a missing/insecure SameSite attribute on a sensitive cookie. The issue affects ISIQ 10.0.2 and is addressed by upgrading to ISIQ 10.0.3 or newer. The lack of SameSite disables CSRF protections for t...

CVSS 7.5 | AI score 7.1 | EPSS 0.00209
Exploits: 0 | References: 2 | Affected Software: 1

Cvelist
added 2022/07/25 5:20 p.m. | 14 views

CVE-2022-35284

IBM Security Verify Information Queue 10.0.2 could disclose sensitive information due to a missing or insecure SameSite attribute for a sensitive cookie. IBM X-Force ID: 230811...

CVSS 5.3 | AI score 7.2 | EPSS 0.00209
Exploits: 0 | References: 2

IBM Security Bulletins
added 2022/07/07 5:43 p.m. | 43 views

Security Bulletin: IBM Security Verify Information Queue uses a dom4j version with improper XXE restrictions (CVE-2020-10683)

Summary: The products image in IBM Security Verify Information Queue (ISIQ) v10.0.2 uses an older version of the dom4j library that does not properly safeguard against XML External Entity (XXE) attacks. ISIQ v10.0.3 has upgraded its products image to include a newer dom4j level that remediates the...

CVSS 9.8 | AI score 1.5 | EPSS 0.0696
Exploits: 0 | Affected Software: 1

Prion
added 2021/02/12 5:15 p.m. | 10 views

Information disclosure

IBM Security Verify Information Queue 1.0.6 and 1.0.7 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle...

CVSS 5 | AI score 7 | EPSS 0.00094
Exploits: 0 | References: 2 | Affected Software: 1

Prion
added 2021/02/12 5:15 p.m. | 16 views

Information disclosure

IBM Security Verify Information Queue 1.0.6 and 1.0.7 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 196184...

CVSS 4 | AI score 4.8 | EPSS 0.00089
Exploits: 0 | References: 2 | Affected Software: 1

Cvelist
added 2021/02/12 4:35 p.m. | 9 views

CVE-2021-20411

IBM Security Verify Information Queue 1.0.6 and 1.0.7 could allow a user to impersonate another user on the system due to incorrectly updating the session identifier. IBM X-Force ID: 198191...

CVSS 7.5 | AI score 7.7 | EPSS 0.00085
Exploits: 0 | References: 2

CVE
added 2021/02/12 4:35 p.m. | 50 views

CVE-2021-20410

IBM Security Verify Information Queue (ISIQ) versions 1.0.6 and 1.0.7 expose InfluxDB credentials via a logs stack YAML configuration, allowing an authenticated user to read credentials over the network through MITM. The issue is documented under CVE-2021-20410, with remediation advising customer...

CVSS 5.3 | AI score 4.9 | EPSS 0.00122
Exploits: 0 | References: 2 | Affected Software: 1

NVD
added 2021/02/11 5:15 p.m. | 10 views

CVE-2021-20403

IBM Security Verify Information Queue 1.0.6 and 1.0.7 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts...

CVSS 8.8 | EPSS 0.00109
Exploits: 0 | References: 2

CVE
added 2021/02/11 4:30 p.m. | 42 views

CVE-2021-20405

CVE-2021-20405 affects IBM Security Verify Information Queue (ISIQ) versions 1.0.6 and 1.0.7. The root cause is improper encoding of output in web error/message handling, which could allow a user to perform unauthorized activities or disclose information via improperly encoded responses. IBM’s bu...

CVSS 7.5 | AI score 7.2 | EPSS 0.00164
Exploits: 0 | References: 2 | Affected Software: 1

CVE
added 2021/02/11 4:30 p.m. | 35 views

CVE-2021-20404

CVE-2021-20404 affects IBM Security Verify Information Queue (ISIQ) versions 1.0.6 and 1.0.7. The root cause is insufficient protection of session cookies, allowing modification that can cause login failures and a denial of service. The IBM advisory notes that starting with v10.0.0 the safeguards...

CVSS 5.3 | AI score 5.1 | EPSS 0.0031
Exploits: 0 | References: 2 | Affected Software: 1