VYPR
Unrated severity · NVD Advisory · Published Apr 8, 2020 · Updated Sep 16, 2024

CVE-2019-4601

Description

IBM Quality Manager (RQM) 6.02, 6.06, and 6.0.6.1 could allow an authenticated user to obtain sensitive information from a stack trace that could aid in further attacks against the system.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM Quality Manager (RQM) versions 6.0.2, 6.0.6, and 6.0.6.1 allow an authenticated user to obtain sensitive information from a stack trace, aiding further attacks.

Vulnerability

IBM Quality Manager (RQM) versions 6.0.2, 6.0.6, and 6.0.6.1 contain a vulnerability that allows an authenticated user to obtain sensitive information from a stack trace [1]. The stack trace may be exposed through error messages or debug output when certain conditions are triggered. No specific configuration is required beyond having a valid authenticated session.

Exploitation

An attacker with any level of authenticated access to the RQM application can trigger an error that produces a stack trace containing sensitive information [1]. The attack is network-based (CVSS:3.0/AV:N) and requires no user interaction (UI:N). The exact steps to trigger the stack trace are not publicly documented, but the vulnerability is exploitable by any authenticated user.

Impact

Successful exploitation results in the disclosure of sensitive information from the stack trace, such as internal file paths, configuration details, or potentially credentials [1]. This information can aid the attacker in further attacks against the system. The confidentiality impact is low (C:L), with no direct impact on integrity or availability.

Mitigation

As of the publication date (April 8, 2020), IBM has not released a fix for this vulnerability, and no workarounds are documented in the security bulletin [1]. Affected versions remain vulnerable. Users should monitor IBM's support page for future updates.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

2
