CVE-2017-9280 - OpenCVE

Some NetIQ Identity Manager Applications before Identity Manager 4.5.6.1 included the session token in GET URLs, potentially allowing exposure of user sessions to untrusted third parties via proxies, referer urls or similar.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Netiq	Identity Manager

Configuration 1 [-]

cpe:2.3:a:netiq:identity_manager:*:*:*:*:*:*:*:*

References

Link	Resource
https://bugzilla.suse.com/show_bug.cgi?id=1049143
https://download.novell.com/Download?buildid=K7lbPAGJyIk~

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: microfocus

Published: 2017-09-11T00:00:00

Updated: 2021-01-06T16:16:01

Reserved: 2017-05-29T00:00:00

Link: CVE-2017-9280

JSON object: View

NVD Information

Status : Modified

Published: 2018-03-02T20:29:00.957

Modified: 2023-11-07T02:50:41.780

Link: CVE-2017-9280

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "Identity Manager Applications", "vendor": "NetIQ", "versions": [{"lessThan": "4.5.6.1", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2017-09-11T00:00:00", "descriptions": [{"lang": "en", "value": "Some NetIQ Identity Manager Applications before Identity Manager 4.5.6.1 included the session token in GET URLs, potentially allowing exposure of user sessions to untrusted third parties via proxies, referer urls or similar."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"description": "information exposure due to unencrypted credentials in GET Urls", "lang": "en", "type": "text"}]}, {"descriptions": [{"cweId": "CWE-598", "description": "CWE-598", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-01-06T16:16:01", "orgId": "f81092c5-7f14-476d-80dc-24857f90be84", "shortName": "microfocus"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://download.novell.com/Download?buildid=K7lbPAGJyIk~"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1049143"}], "source": {"defect": ["1049143"], "discovery": "EXTERNAL"}, "title": "Novell Identity Manager User Application get request url contains the session token.", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@microfocus.com", "DATE_PUBLIC": "2017-09-11T00:00:00.000Z", "ID": "CVE-2017-9280", "STATE": "PUBLIC", "TITLE": "Novell Identity Manager User Application get request url contains the session token."}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Identity Manager Applications", "version": {"version_data": [{"affected": "<", "version_affected": "<", "version_value": "4.5.6.1"}]}}]}, "vendor_name": "NetIQ"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Some NetIQ Identity Manager Applications before Identity Manager 4.5.6.1 included the session token in GET URLs, potentially allowing exposure of user sessions to untrusted third parties via proxies, referer urls or similar."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "information exposure due to unencrypted credentials in GET Urls"}]}, {"description": [{"lang": "eng", "value": "CWE-598"}]}]}, "references": {"reference_data": [{"name": "https://download.novell.com/Download?buildid=K7lbPAGJyIk~", "refsource": "CONFIRM", "url": "https://download.novell.com/Download?buildid=K7lbPAGJyIk~"}, {"name": "https://bugzilla.suse.com/show_bug.cgi?id=1049143", "refsource": "CONFIRM", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1049143"}]}, "source": {"defect": ["1049143"], "discovery": "EXTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "f81092c5-7f14-476d-80dc-24857f90be84", "assignerShortName": "microfocus", "cveId": "CVE-2017-9280", "datePublished": "2017-09-11T00:00:00", "dateReserved": "2017-05-29T00:00:00", "dateUpdated": "2021-01-06T16:16:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netiq:identity_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "B66D9825-C8A9-45E2-B932-BA2444FCA62E", "versionEndExcluding": "4.5.6.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Some NetIQ Identity Manager Applications before Identity Manager 4.5.6.1 included the session token in GET URLs, potentially allowing exposure of user sessions to untrusted third parties via proxies, referer urls or similar."}, {"lang": "es", "value": "Algunas versiones de NetIQ Identity Manager Applications anteriores a la Identity Manager 4.5.6.1 inclu\u00edan el token de sesi\u00f3n en las URL GET. Esto podr\u00eda permitir se expongan sesiones de usuario a terceros mediante proxies, url de referencia o similares."}], "id": "CVE-2017-9280", "lastModified": "2023-11-07T02:50:41.780", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@opentext.com", "type": "Secondary"}]}, "published": "2018-03-02T20:29:00.957", "references": [{"source": "security@opentext.com", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1049143"}, {"source": "security@opentext.com", "url": "https://download.novell.com/Download?buildid=K7lbPAGJyIk~"}], "sourceIdentifier": "security@opentext.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-598"}], "source": "security@opentext.com", "type": "Secondary"}]}