CVE-2019-4162

IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, and 1.0.2 is missing the HTTP Strict Transport Security header. Users can navigate by mistake to the unencrypted version of the web application or accept invalid certificates. This leads to sensitive data being sent unencrypted over the wire. IBM X-Force ID: 158661.

CVSS v3 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://exchange.xforce.ibmcloud.com/vulnerabilities/158661	VDB Entry Vendor Advisory
https://www.ibm.com/support/docview.wss?uid=ibm10885963	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:ibm:security_information_queue:1.0.0:::::::*
	cpe:2.3:a:ibm:security_information_queue:1.0.1:::::::*
	cpe:2.3:a:ibm:security_information_queue:1.0.2:::::::*

History

No history.

Information

Published : 2019-06-06 21:29

Updated : 2023-12-10 12:59

NVD link : CVE-2019-4162

Mitre link : CVE-2019-4162

CVE.ORG link : CVE-2019-4162

JSON object : View

Products Affected

ibm

security_information_queue

CWE

CWE-319

Cleartext Transmission of Sensitive Information

{"id": "CVE-2019-4162", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Secondary", "source": "psirt@us.ibm.com", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.2}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2019-06-06T21:29:00.803", "references": [{"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/158661", "tags": ["VDB Entry", "Vendor Advisory"], "source": "psirt@us.ibm.com"}, {"url": "https://www.ibm.com/support/docview.wss?uid=ibm10885963", "tags": ["Patch", "Vendor Advisory"], "source": "psirt@us.ibm.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-319"}]}], "descriptions": [{"lang": "en", "value": "IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, and 1.0.2 is missing the HTTP Strict Transport Security header. Users can navigate by mistake to the unencrypted version of the web application or accept invalid certificates. This leads to sensitive data being sent unencrypted over the wire. IBM X-Force ID: 158661."}, {"lang": "es", "value": "Falta el encabezado de seguridad de transporte estricto de HTTP en la cola de informaci\u00f3n de seguridad de IBM (ISIQ) 1.0.0, 1.0.1 y 1.0.2. Los usuarios pueden navegar por error a la versi\u00f3n sin cifrar de la aplicaci\u00f3n web o aceptar certificados no v\u00e1lidos. Esto hace que los datos confidenciales se env\u00eden sin cifrar a trav\u00e9s del cable. ID de IBM X-Force: 158661."}], "lastModified": "2023-02-03T20:39:49.220", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ibm:security_information_queue:1.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A9C1648E-DC06-40C1-9402-DCEA495EA56E"}, {"criteria": "cpe:2.3:a:ibm:security_information_queue:1.0.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6AC11E98-3C57-436E-B47A-B5EE0ED200CD"}, {"criteria": "cpe:2.3:a:ibm:security_information_queue:1.0.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "44CEB32A-9E8E-429B-8196-CE3028B10846"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@us.ibm.com"}