Unrated severity · NVD Advisory · Published Apr 8, 2020 · Updated Sep 16, 2024

CVE-2020-4290


Description

IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, and 1.0.5 could allow any authenticated user to spoof the configuration owner of any other user, which could disclose sensitive information or allow unauthorized access. IBM X-Force ID: 176333.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM ISIQ 1.0.0–1.0.5 lets any authenticated user spoof another user's configuration owner, leading to info disclosure or unauthorized access.

Vulnerability

IBM Security Information Queue (ISIQ) versions 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, and 1.0.5 contain a security flaw where the product's configuration owner is determined by a client-supplied request object. An authenticated user can modify the owner field in that object to claim ownership of any other configured product, thereby bypassing the intended access controls [1].

Exploitation

An attacker must be authenticated to the ISIQ instance. By intercepting or crafting a product configuration request, the attacker changes the owner value to a target user's identity. No special network position or user interaction is required beyond standard authenticated API access [1].

Impact

Successful exploitation allows the attacker to assume the configuration owner role of another user, which can lead to disclosure of sensitive configuration data and unauthorized access to managed products. The CIA outcome is limited to low confidentiality and low integrity impacts (CVSS 4.2) [1].

Mitigation

IBM fixed the issue in ISIQ version 1.0.6 by no longer deriving the owner from the configuration request object. Users should upgrade to 1.0.6 or later. No workarounds are available for earlier versions [1].
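
The flawed pattern and the fix described above, as an added Python sketch. It is not IBM's code: the `Session` type, the store layout, the function names and the sample data are hypothetical, and only the idea of a client-supplied owner field comes from the advisory.

```python
# Added illustration; not IBM ISIQ code. All names here are hypothetical.
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when a caller touches a configuration it does not own."""


@dataclass
class Session:
    user: str  # identity established by the server at authentication time


def new_store():
    # Constructed sample data: one configuration owned by "alice".
    return {"cfg-1": {"owner": "alice", "settings": {"endpoint": "ldap://a.example"}}}


def save_config_vulnerable(store, session, config_id, request):
    # Flawed pattern: the owner is read from the client-supplied object,
    # so the ownership check compares the request against itself.
    owner = request["owner"]
    existing = store.get(config_id)
    if existing and existing["owner"] != owner:
        raise Forbidden(config_id)
    store[config_id] = {"owner": owner, "settings": request["settings"]}
    return store[config_id]


def save_config_hardened(store, session, config_id, request):
    # Owner comes only from the authenticated session. A client-supplied
    # owner that disagrees is rejected so the attempt can be logged.
    claimed = request.get("owner")
    if claimed is not None and claimed != session.user:
        raise Forbidden(f"owner mismatch: session={session.user!r} claimed={claimed!r}")
    existing = store.get(config_id)
    if existing and existing["owner"] != session.user:
        raise Forbidden(config_id)
    store[config_id] = {"owner": session.user, "settings": request["settings"]}
    return store[config_id]
```

Rejecting a mismatched owner rather than silently overwriting it gives the server a distinct event to log and alert on.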

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

References

2
