Vulnerability in IBM Security Verify Let Attacker Extract Sensitive Information

Multiple Information Disclosure vulnerabilities were discovered in the IBM Security Verify Information Queue, which can reveal several internal product details. This information can then be used to conduct further attacks. 

IBM Security Verify Information Queue is a pub/sub-based product integrator that can be used for integrating data between IBM products.

It uses Kafka technology for integration, a distributed data store ingestion, and processing data in real time.

CVE-2023-33833, CVE-2023-33834, CVE-2023-33835: IBM Information Queue Disclosure

This vulnerability affects IBM Information Queue (ISIQ) versions prior to 10.0.4 and 10.0.5 as they store sensitive information in plaintext that can be read by a local user. 

The vulnerabilities CVE-2023-33834 and CVE-2023-33835 allow a remote attacker to access sensitive information, which assists in further attacks.

The CVSS score for these vulnerabilities has been given as CVE-2023-33833 (2.9), CVE-2023-33834 (5.3), and CVE-2023-33835 (5.3). All these vulnerabilities have the severity as Medium.

Affected Products and Fixed in Version

As per the security advisory of IBM, Products that are affected by these vulnerabilities and their fixed versions are given below.

Users of these products are recommended to upgrade to the latest version of IBM Security Verify Information Queue (10.0.6) to fix these vulnerabilities and prevent them from getting exploited by threat actors.

Source: https://cybersecuritynews.com/ibm-security-verify-flaw/