Each configured product in IBM Security Information Queue (ISIQ) has an owner who controls access to the product. It’s possible for an attacker to intercept a product configuration request object and change the owner value, which would grant unauthorized access. As of v1.0.6, a product’s owner is no longer determined by the configuration request object, and thus is not subject to modification.
Affected product(s) and affected version(s):
| Affected Product(s) | Version(s) |
| IBM Security Information Queue (ISIQ) | 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5 |
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www.ibm.com/support/pages/node/6172599
The post Security Bulletin: IBM Security Information Queue does not prevent a product's owner from being modified (CVE-2020-4290) appeared first on IBM PSIRT Blog.
from IBM Product Security Incident Response Team https://ift.tt/39RpMyr
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.