CVE-2023-1656

Cleartext Transmission of Sensitive Information vulnerability in ForgeRock Inc. OpenIDM and Java Remote Connector Server (RCS) LDAP Connector on Windows, MacOS, Linux allows Remote Services with Stolen Credentials.This issue affects OpenIDM and Java Remote Connector Server (RCS): from 1.5.20.9 through 1.5.20.13.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://backstage.forgerock.com/downloads/browse/idm/all/productId:idm-connectors/subProductId:ldap/minorVersion:1.5/version:1.5.20.14	Permissions Required
https://backstage.forgerock.com/knowledge/kb/article/a14149722	Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:forgerock:ldap_connector:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2023-03-29 20:15

Updated : 2023-11-07 04:04

NVD link : CVE-2023-1656

Mitre link : CVE-2023-1656

CVE.ORG link : CVE-2023-1656

JSON object : View

Products Affected

forgerock

ldap_connector

CWE

CWE-319

Cleartext Transmission of Sensitive Information

{"id": "CVE-2023-1656", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "psirt@forgerock.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.6}]}, "published": "2023-03-29T20:15:07.393", "references": [{"url": "https://backstage.forgerock.com/downloads/browse/idm/all/productId:idm-connectors/subProductId:ldap/minorVersion:1.5/version:1.5.20.14", "tags": ["Permissions Required"], "source": "psirt@forgerock.com"}, {"url": "https://backstage.forgerock.com/knowledge/kb/article/a14149722", "tags": ["Mitigation", "Vendor Advisory"], "source": "psirt@forgerock.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-319"}]}, {"type": "Secondary", "source": "psirt@forgerock.com", "description": [{"lang": "en", "value": "CWE-319"}]}], "descriptions": [{"lang": "en", "value": "Cleartext Transmission of Sensitive Information vulnerability in ForgeRock Inc. OpenIDM and Java Remote Connector Server (RCS) LDAP Connector on Windows, MacOS, Linux allows Remote Services with Stolen Credentials.This issue affects OpenIDM and Java Remote Connector Server (RCS): from 1.5.20.9 through 1.5.20.13.\n\n"}], "lastModified": "2023-11-07T04:04:31.210", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:forgerock:ldap_connector:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C6C49376-B78D-4BCF-A2A3-710F066094AF", "versionEndExcluding": "1.5.20.14", "versionStartIncluding": "1.5.20.9"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@forgerock.com"}