VYPR
Unrated severity · NVD Advisory · Published Apr 8, 2020 · Updated Sep 16, 2024

CVE-2020-4284

Description

IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, and 1.0.5 could disclose sensitive information to an unauthorized user due to insufficient timeout functionality in the Web UI. IBM X-Force ID: 176207.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM Security Information Queue (ISIQ) versions 1.0.0 through 1.0.5 lack a session timeout, allowing unauthorized access to sensitive information via unattended Web UI sessions.

Vulnerability

IBM Security Information Queue (ISIQ) versions 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, and 1.0.5 do not implement a mechanism to terminate idle Web UI sessions. This insufficient timeout functionality allows an unattended session to remain active indefinitely, potentially exposing sensitive information to unauthorized users who gain physical or remote access to the browser [1].

Exploitation

An attacker with access to an unattended ISIQ Web UI session (e.g., after the legitimate user leaves the workstation without logging out) can interact with the application using the existing session. No authentication is required beyond the already-established session. The attacker can navigate the UI and access any functionality available to the authenticated user [1].

Impact

Successful exploitation leads to unauthorized disclosure of sensitive information accessible through the ISIQ Web UI. The CVSS v3.0 base score is 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), indicating low confidentiality impact with no impact on integrity or availability [1].

Mitigation

The fix is included in IBM Security Information Queue version 1.0.6, which automatically terminates sessions after 60 minutes of inactivity. The timeout value is configurable. As a workaround, users should always log out of the ISIQ UI after completing configuration tasks [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
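
A minimal server-side idle timeout of the kind the Mitigation paragraph describes, added here as an example (it is not IBM's code and does not come from the advisory). `SessionStore`, `FakeClock` and the in-memory layout are hypothetical names chosen for illustration; passing `idle_timeout=None` reproduces the no-timeout behaviour for comparison.

```python
import secrets
import time

DEFAULT_IDLE_TIMEOUT = 60 * 60  # seconds; the 60-minute default stated for 1.0.6


class SessionStore:
    """In-memory session store with a server-side sliding idle timeout."""

    def __init__(self, idle_timeout=DEFAULT_IDLE_TIMEOUT, clock=time.monotonic):
        if idle_timeout is not None and idle_timeout <= 0:
            raise ValueError("idle_timeout must be positive, or None to disable")
        self.idle_timeout = idle_timeout  # None = sessions never expire (the flaw)
        self._clock = clock               # injectable so idle time can be simulated
        self._sessions = {}               # session id -> [user, last_activity]

    def create(self, user):
        sid = secrets.token_urlsafe(32)   # unguessable session identifier
        self._sessions[sid] = [user, self._clock()]
        return sid

    def authenticate(self, sid):
        """Return the user for a live session, or None if unknown or expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if self.idle_timeout is not None and now - entry[1] >= self.idle_timeout:
            # Expire on the server: once the record is deleted, a request sent
            # from an unattended browser tab is rejected whatever cookie it holds.
            del self._sessions[sid]
            return None
        entry[1] = now  # sliding window: every accepted request resets the timer
        return entry[0]


class FakeClock:
    """Constructed clock for the demonstration; advance() simulates idle time."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds
```

The check runs on every request and the session record is deleted on expiry, so enforcement does not depend on the browser discarding a cookie or running a client-side timer.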

Affected products

2

References

2
