Tuesday, April 7, 2020

Security Bulletin: IBM Security Information Queue does not invalidate sessions after logout (CVE-2020-4291)

IBM Security Information Queue (ISIQ) session identifiers are not properly invalidated upon user logout from ISIQ’s web UI. This create opportunities for an attacker to hijack a user session token. As of v1.0.6, ISIQ immediately invalidates the session token when a user logs out.

Affected product(s) and affected version(s):

Affected Product(s) Version(s)
IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5

Refer to the following reference URLs for remediation and additional vulnerability details:  
Source Bulletin: https://www.ibm.com/support/pages/node/6172545

The post Security Bulletin: IBM Security Information Queue does not invalidate sessions after logout (CVE-2020-4291) appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team https://ift.tt/34iMe2l

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.