CVE-2024-45671 IBM Security Verify Information Queue information disclosure

IBM Security Verify Information Queue 10.0.5, 10.0.6, 10.0.7, and 10.0.8 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information...

CVE-2024-47120 IBM Security Verify Information Queue code execution

IBM Security Verify Information Queue 10.0.5, 10.0.6, 10.0.7, and 10.0.8 could allow a privileged user to escalate their privileges and attack surface on the host due to the containers running with unnecessary privileges...

Security Bulletin: IBM Security Verify Information Queue displays the Grafana signing key when setting up the logs stack (CVE-2021-20412)

Summary IBM Security Verify Information Queue ISIQ offers an optional logs stack to demonstrate logging and monitoring. Among the stack's components is a Grafana dashboard. The initialization file for Grafana contains a hard-coded signing key. As of ISIQ v10.0.0, this signing key has been removed...

Security Bulletin: IBM Security Verify Information Queue does not hide the InfluxDB credentials when setting up the logs stack (CVE-2021-20410)

Summary IBM Security Verify Information Queue ISIQ offers an optional logs stack to demonstrate logging and monitoring. The logs stack YAML file has parameters for defining an InfluxDB instance. The parameters include the InfluxDB user and password credentials. As of ISIQ v10.0.0, these credentia...

Security Bulletin: IBM Security Verify Information Queue discloses sensitive information in source code (CVE-2021-20407)

Summary The source code for a Node.js package used by IBM Security Verify Information Queue ISIQ includes the email address of one of the developers of the package. As of v10.0.0, ISIQ is now hiding this sensitive information. Vulnerability Details CVEID:CVE-2021-20407 DESCRIPTION: IBM Security...

Security Bulletin: IBM Security Verify Information Queue uses a relatively weak cryptographic algorithm to protect application data (CVE-2021-20406)

Summary The cryptographic algorithm that IBM Security Verify Information Queue ISIQ uses to encrypt and decrypt application data has a JSON web token JWT signing key that is shorter than the recommended length. As of v10.0.0, ISIQ has doubled the length of its JWT signing key to be in compliance...

Security Bulletin: IBM Security Verify Information Queue has a third-party library vulnerability (CVE-2023-43642)

Summary IBM Security Verify Information Queue ISIQ v10.0.7 has upgraded its Apache Kafka client to remediate a vulnerability in the snappy-java compression library. Vulnerability Details CVEID:CVE-2023-43642 DESCRIPTION: snappy-java is vulnerable to a denial of service, caused by missing upper...

Security Bulletin: IBM Security Verify Information Queue has multiple information exposure vulnerabilities (CVE-2023-33833, CVE-2023-33834, CVE-2023-33835)

Summary IBM Security Verify Information Queue ISIQ v10.0.6 has remediated several vulnerabilities in which internal product details were being disclosed that could be exploited for harmful attacks. Vulnerability Details CVEID:CVE-2023-33835 DESCRIPTION: IBM Security Verify Information Queue could...

Security Bulletin: IBM Security Verify Information Queue has multiple third-party library vulnerabilities

Summary IBM Security Verify Information Queue ISIQ v10.0.5 has remediated vulnerabilities in the third-party libraries that it uses. Vulnerability Details CVEID:CVE-2022-41946 DESCRIPTION: Postgresql JDBC could allow a local authenticated attacker to obtain sensitive information, caused by not...

PT-2022-22689 · Ibm · Ibm Security Verify Information Queue

Name of the Vulnerable Software and Affected Versions: IBM Security Verify Information Queue version 10.0.2 Description: The issue concerns hard-coded credentials, such as a password or cryptographic key, used by IBM Security Verify Information Queue for inbound authentication, outbound...

Security Bulletin: A failed attempt to regenerate an IBM Security Verify Information Queue API token reveals sensitive data (CVE-2022-35288)

Summary When a malformed request to regenerate an external API token is sent to IBM Security Verify Information Queue ISIQ v10.0.2, the resulting error message reveals sensitive data. ISIQ v10.0.3 has remediated this information exposure vulnerability. CVE-2022-35288 Vulnerability Details...

Security Bulletin: IBM Security Verify Information Queue distributes configuration files with hard-coded credentials (CVE-2022-35287)

Summary IBM Security Verify Information Queue ISIQ v10.0.2 includes YAML files and property files with hard-coded credentials. ISIQ v10.0.3 has removed these files from the installation package since they are not required for product operation. CVE-2022-35287 Vulnerability Details...

Security Bulletin: Audit events query facility in IBM Security Verify Information Queue is vulnerable to SQL injection (CVE-2022-35285)

Summary The query facility in the Audit Events UI of IBM Security Verify Information Queue ISIQ v10.0.2 is vulnerable to SQL injection. This could allow an attacker to use cross-site request forgery for the purpose of executing unauthorized actions. ISIQ v10.0.3 has secured the Audit Events UI to...

Security Bulletin: Session cookie used by IBM Security Verify Information Queue is not properly secured (CVE-2022-35284)

Summary IBM Security Verify Information Queue ISIQ v10.0.2 does not set the SameSite attribute in the ISIQ session cookie. As a result, any CSRF protections offered by the attribute are disabled. ISIQ v10.0.3 is now correctly setting the SameSite attribute. CVE-2022-35284 Vulnerability Details...

Security Bulletin: IBM Security Verify Information Queue uses an Oracle JDBC jar with multiple vulnerabilities (CVE-2019-2444, CVE-2019-2619, CVE-2017-10321, CVE-2017-10202)

Summary The connect image in IBM Security Verify Information Queue ISIQ v10.0.2 uses an older version of the Oracle JDBC jar file that has multiple vulnerabilities. ISIQ v10.0.3 upgraded its connect image to include a newer Oracle JDBC jar that remediates the vulnerabilities. CVE-2019-2444,...

Security Bulletin: IBM Security Verify Information Queue uses a Wire Schema jar with multiple vulnerabilities (CVE-2020-27853, CVE-2021-41093)

Summary The connect image in IBM Security Verify Information Queue ISIQ v10.0.2 uses an older version of the Wire Schema jar file that is vulnerable to remote attackers. ISIQ v10.0.3 upgraded its connect image to include a newer Wire Schema jar that remediates the vulnerabilities. CVE-2020-27853,...

Security Bulletin: Multiple vulnerabilities in IBM Security Verify Information Queue connect image (CVE-2020-9493, CVE-2022-23307)

Summary The connect image in IBM Security Verify Information Queue ISIQ v10.0.2 uses a Confluent-provided Apache Log4j library. The library includes a log-viewing component known as Chainsaw that has two deserialization flaws. ISIQ v10.0.3 upgraded its connect image to specify a newer Apache Log4...

Security Bulletin: OpenSSL vulnerabilities in the IBM Security Verify Information Queue web server (CVE-2021-3711, CVE-2021-3712)

Summary The web server in IBM Security Verify Information Queue ISIQ v10.0.2 uses an older Node.js version with two known OpenSSL vulnerabilities. ISIQ v10.0.3 upgraded to a Node.js version that includes a newer OpenSSL to remediate the vulnerabilities. CVE-2021-3711, CVE-2021-3712 Vulnerability...

Security Bulletin: IBM Security Verify Information Queue uses a Node.js proxy library that has a known vulnerability (183561)

Summary The web server in IBM Security Verify Information Queue ISIQ uses an older version of the http-proxy package that has a known vulnerability to a denial of service. As of v10.0.0, ISIQ has upgraded to a newer, secure version of http-proxy. Vulnerability Details Third Party Entry: 183561...

CVE-2021-20405

IBM Security Verify Information Queue 1.0.6 and 1.0.7 could allow a user to perform unauthorized activities due to improper encoding of output. IBM X-Force ID: 196183...