CVE-2022-0143 - OpenCVE

When the LDAP connector is started with StartTLS configured, unauthenticated access is granted. This issue affects: all versions of the LDAP connector prior to 1.5.20.9. The LDAP connector is bundled with Identity Management (IDM) and Remote Connector Server (RCS)

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Forgerock	Ldap Connector

Configuration 1 [-]

cpe:2.3:a:forgerock:ldap_connector:*:*:*:*:*:*:*:*

References

Link	Resource
https://backstage.forgerock.com/downloads/browse/idm/featured/connectors	Patch Vendor Advisory
https://backstage.forgerock.com/knowledge/kb/article/a11380515	Patch Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: ForgeRock

Published: 2022-09-19T00:00:00

Updated: 2022-09-19T21:15:51

Reserved: 2022-01-07T00:00:00

Link: CVE-2022-0143

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-09-19T22:15:10.843

Modified: 2022-09-21T18:27:15.897

Link: CVE-2022-0143

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "LDAP Connector", "vendor": "ForgeRock", "versions": [{"lessThan": "1.5.20.9", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2022-09-19T00:00:00", "descriptions": [{"lang": "en", "value": "When the LDAP connector is started with StartTLS configured, unauthenticated access is granted. This issue affects: all versions of the LDAP connector prior to 1.5.20.9. The LDAP connector is bundled with Identity Management (IDM) and Remote Connector Server (RCS)"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "CWE-284 Improper Access Control", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-09-19T21:15:51", "orgId": "6b18ae97-0aab-4af2-9ba4-74b2b139ddfa", "shortName": "ForgeRock"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://backstage.forgerock.com/knowledge/kb/article/a11380515"}, {"tags": ["x_refsource_MISC"], "url": "https://backstage.forgerock.com/downloads/browse/idm/featured/connectors"}], "solutions": [{"lang": "en", "value": "Upgrade to LDAP connector 1.5.20.9 or later or disable the optional StartTLS feature in the LDAP connector."}], "source": {"advisory": "202206", "defect": ["https://bugster.forgerock.org/jira/browse/OPENICF-2103", "(not", "public)"], "discovery": "INTERNAL"}, "title": "LDAP Connector: When startTLS is used then LDAP connector ignores the wrong password", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@forgerock.com", "DATE_PUBLIC": "2022-09-19T17:38:00.000Z", "ID": "CVE-2022-0143", "STATE": "PUBLIC", "TITLE": "LDAP Connector: When startTLS is used then LDAP connector ignores the wrong password"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "LDAP Connector", "version": {"version_data": [{"version_affected": "<", "version_value": "1.5.20.9"}]}}]}, "vendor_name": "ForgeRock"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "When the LDAP connector is started with StartTLS configured, unauthenticated access is granted. This issue affects: all versions of the LDAP connector prior to 1.5.20.9. The LDAP connector is bundled with Identity Management (IDM) and Remote Connector Server (RCS)"}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-284 Improper Access Control"}]}]}, "references": {"reference_data": [{"name": "https://backstage.forgerock.com/knowledge/kb/article/a11380515", "refsource": "MISC", "url": "https://backstage.forgerock.com/knowledge/kb/article/a11380515"}, {"name": "https://backstage.forgerock.com/downloads/browse/idm/featured/connectors", "refsource": "MISC", "url": "https://backstage.forgerock.com/downloads/browse/idm/featured/connectors"}]}, "solution": [{"lang": "en", "value": "Upgrade to LDAP connector 1.5.20.9 or later or disable the optional StartTLS feature in the LDAP connector."}], "source": {"advisory": "202206", "defect": ["https://bugster.forgerock.org/jira/browse/OPENICF-2103", "(not", "public)"], "discovery": "INTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "6b18ae97-0aab-4af2-9ba4-74b2b139ddfa", "assignerShortName": "ForgeRock", "cveId": "CVE-2022-0143", "datePublished": "2022-09-19T00:00:00", "dateReserved": "2022-01-07T00:00:00", "dateUpdated": "2022-09-19T21:15:51", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:forgerock:ldap_connector:*:*:*:*:*:*:*:*", "matchCriteriaId": "02E586F4-A76F-4965-9919-A925EC7B8951", "versionEndExcluding": "1.5.20.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "When the LDAP connector is started with StartTLS configured, unauthenticated access is granted. This issue affects: all versions of the LDAP connector prior to 1.5.20.9. The LDAP connector is bundled with Identity Management (IDM) and Remote Connector Server (RCS)"}, {"lang": "es", "value": "Cuando el conector LDAP es iniciado con StartTLS configurado, es concedido acceso no autenticado. Este problema afecta a: todas las versiones del conector LDAP anteriores a 1.5.20.9. El conector LDAP es incluido con Identity Management (IDM) y Remote Connector Server (RCS)"}], "id": "CVE-2022-0143", "lastModified": "2022-09-21T18:27:15.897", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.8, "source": "psirt@forgerock.com", "type": "Secondary"}]}, "published": "2022-09-19T22:15:10.843", "references": [{"source": "psirt@forgerock.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://backstage.forgerock.com/downloads/browse/idm/featured/connectors"}, {"source": "psirt@forgerock.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://backstage.forgerock.com/knowledge/kb/article/a11380515"}], "sourceIdentifier": "psirt@forgerock.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-284"}], "source": "psirt@forgerock.com", "type": "Secondary"}]}