CVE-2020-4292
Description
IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, and 1.0.4 uses a cross-domain policy file that includes domains that should not be trusted which could disclose sensitive information. IBM X-Force ID: 176335.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IBM Security Information Queue (ISIQ) 1.0.0-1.0.4 has an overly permissive CORS policy that could allow untrusted domains to access sensitive resources.
Vulnerability
IBM Security Information Queue (ISIQ) versions 1.0.0, 1.0.1, 1.0.2, 1.0.3, and 1.0.4 use a cross-domain policy file that includes domains that should not be trusted [1]. This results in an overly permissive cross-origin resource sharing (CORS) policy, allowing all origins to access the ISIQ Web Server resources when such cross-domain accesses are unnecessary for ISIQ functionality [1].
Exploitation
An attacker can exploit this vulnerability from any network position by crafting a cross-origin request to the ISIQ web server [1]. No authentication or user interaction is required; the attacker only needs to entice a user's browser (or other client) that has access to the ISIQ server to make a cross-origin request. The CVSS vector indicates high attack complexity (AC:H), suggesting that specific conditions or timing may be needed for successful exploitation [1].
Impact
A successful exploit could allow the attacker to disclose sensitive information from the ISIQ server [1]. The impact is limited to confidentiality (C:L), with no integrity or availability impact, and affects only resources accessible via the web server [1].
Mitigation
IBM has fixed the issue in ISIQ version 1.0.5, which no longer permits cross-origin resource sharing [1]. Users should upgrade to version 1.0.5 or later. No workarounds are available for earlier versions [1].
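One way to confirm that a server no longer permits cross-origin resource sharing, as the fix above describes, is to send it a request carrying an untrusted Origin and classify the response headers. This is an added example, not IBM's code or part of the CVE record; the probe origin and the sample responses are constructed, and classify_cors and audit are hypothetical helper names.

```python
# Added example: classify the CORS headers returned for a probe Origin.
# Header names are standard CORS; the sample responses are constructed,
# not captured from an ISIQ server.

PROBE_ORIGIN = "https://untrusted.example"  # constructed origin no server should trust


def classify_cors(headers, probe_origin=PROBE_ORIGIN, trusted=()):
    """Return (verdict, detail) for one response to a request sent with
    `Origin: probe_origin`. `headers` is a dict of response headers."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "not-shared", "no Access-Control-Allow-Origin; browser blocks cross-origin reads"
    if acao == "*":
        # Browsers refuse '*' on credentialed requests, so only responses
        # to credential-less requests are readable, but by every origin.
        return "any-origin", "wildcard allows every origin to read the response"
    if acao.lower() == "null":
        return "null-origin", "sandboxed iframes and file: pages send Origin: null"
    if acao == probe_origin and probe_origin not in trusted:
        detail = "server echoes the caller's Origin"
        if creds:
            detail += " and allows credentials, so authenticated responses are readable"
        return "reflected-origin", detail
    if acao in trusted:
        return "allowlisted", "origin is on the expected allowlist"
    return "other-origin", f"allows {acao}; confirm it is intended"


def audit(responses, trusted=()):
    """Map each labelled response to its verdict; permissive ones need a fix."""
    return {name: classify_cors(hdrs, trusted=trusted)[0] for name, hdrs in responses.items()}


# Constructed responses: the first matches the page's description of an
# affected release (all origins allowed), the last a release with no CORS.
SAMPLES = {
    "all-origins": {"Access-Control-Allow-Origin": "*"},
    "echo+creds": {"access-control-allow-origin": PROBE_ORIGIN,
                   "Access-Control-Allow-Credentials": "true"},
    "no-cors": {"Content-Type": "application/json"},
}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print(f"{name:12} {verdict}")
```

A fixed release should yield "not-shared" for every endpoint probed; any other verdict for an origin that is not on an intended allowlist warrants review.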
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.0.4
- Range: 1.0.0
Patches
No patches discovered yet.
References
- exchange.xforce.ibmcloud.com/vulnerabilities/176335 (mitre, vdb-entry, x_refsource_XF)
- www.ibm.com/support/pages/node/5390193 (mitre, x_refsource_CONFIRM)