CVE-2020-4164

Vulnerability

IBM Security Information Queue (ISIQ) versions 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, and 1.0.5 may include sensitive information in application error messages. This occurs when the application encounters certain errors and outputs diagnostic details that could contain credentials, configuration data, or other sensitive values. The vulnerability is addressed in version 1.0.6. [1]

Exploitation

An attacker with network access and valid administrative privileges (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N) can trigger application errors that cause ISIQ to output error messages containing sensitive data. No user interaction is required beyond the attacker's authenticated actions. The attacker must be able to observe the error output, which may be logged or displayed in the application interface. [1]

Impact

Successful exploitation leads to limited disclosure of sensitive information (confidentiality impact: low). The exposed data could be used in further attacks against the system, potentially escalating privileges or compromising other components. No integrity or availability impact is reported. [1]

Mitigation

IBM released ISIQ version 1.0.6 which removes sensitive data from error messages. Users should upgrade to 1.0.6 or later. No workarounds are provided by IBM. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog. [1]