CVE-2019-4219

Vulnerability

A vulnerability in IBM Security Information Queue (ISIQ) versions 1.0.0, 1.0.1, and 1.0.2 causes the application to generate error messages that include sensitive internal information. This information leakage occurs when the application encounters errors and displays them to users. The affected versions are prior to 1.0.3 [1].

Exploitation

An attacker with low privileges (authenticated user) can trigger application errors or observe error messages that contain sensitive data. No special network position is required beyond normal access to the ISIQ interface. The attacker can then use the leaked information to plan further attacks [1].

Impact

Successful exploitation results in limited information disclosure (confidentiality impact). The sensitive data exposed could include internal configuration details or system information that helps the attacker compromise the system further. The CVSS vector indicates low confidentiality impact, no integrity or availability impact [1].

Mitigation

The fix is included in ISIQ version 1.0.3, which is available from the IBM Docker Hub repository (tagged at 1.0.3 or greater). Users should upgrade to 1.0.3 or later. No workarounds are described in the bulletin. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1].