CVE-2023-1656 - OpenCVE

Cleartext Transmission of Sensitive Information vulnerability in ForgeRock Inc. OpenIDM and Java Remote Connector Server (RCS) LDAP Connector on Windows, MacOS, Linux allows Remote Services with Stolen Credentials.This issue affects OpenIDM and Java Remote Connector Server (RCS): from 1.5.20.9 through 1.5.20.13.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Forgerock	Ldap Connector

Configuration 1 [-]

cpe:2.3:a:forgerock:ldap_connector:*:*:*:*:*:*:*:*

References

Link	Resource
https://backstage.forgerock.com/downloads/browse/idm/all/productId:idm-connectors/subProductId:ldap/minorVersion:1.5/version:1.5.20.14	Permissions Required
https://backstage.forgerock.com/knowledge/kb/article/a14149722	Mitigation Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: ForgeRock

Published: 2023-03-29T19:55:13.974Z

Updated: 2023-03-29T19:55:21.060Z

Reserved: 2023-03-27T14:07:18.820Z

Link: CVE-2023-1656

JSON object: View

NVD Information

Status : Modified

Published: 2023-03-29T20:15:07.393

Modified: 2023-11-07T04:04:31.210

Link: CVE-2023-1656

JSON object: View

Redhat Information

No data.

CWE

CWE-319

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-1656", "assignerOrgId": "6b18ae97-0aab-4af2-9ba4-74b2b139ddfa", "state": "PUBLISHED", "assignerShortName": "ForgeRock", "dateReserved": "2023-03-27T14:07:18.820Z", "datePublished": "2023-03-29T19:55:13.974Z", "dateUpdated": "2023-03-29T19:55:21.060Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageName": "LDAP Connector", "platforms": ["Windows", "MacOS", "Linux"], "product": "OpenIDM and Java Remote Connector Server (RCS)", "vendor": "ForgeRock Inc.", "versions": [{"lessThanOrEqual": "1.5.20.13", "status": "affected", "version": "1.5.20.9", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Cleartext Transmission of Sensitive Information vulnerability in ForgeRock Inc. OpenIDM and Java Remote Connector Server (RCS) LDAP Connector on Windows, MacOS, Linux allows Remote Services with Stolen Credentials.<p>This issue affects OpenIDM and Java Remote Connector Server (RCS): from 1.5.20.9 through 1.5.20.13.</p>"}], "value": "Cleartext Transmission of Sensitive Information vulnerability in ForgeRock Inc. OpenIDM and Java Remote Connector Server (RCS) LDAP Connector on Windows, MacOS, Linux allows Remote Services with Stolen Credentials.This issue affects OpenIDM and Java Remote Connector Server (RCS): from 1.5.20.9 through 1.5.20.13.\n\n"}], "impacts": [{"capecId": "CAPEC-555", "descriptions": [{"lang": "en", "value": "CAPEC-555 Remote Services with Stolen Credentials"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-319", "description": "CWE-319 Cleartext Transmission of Sensitive Information", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "6b18ae97-0aab-4af2-9ba4-74b2b139ddfa", "shortName": "ForgeRock", "dateUpdated": "2023-03-29T19:55:21.060Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://backstage.forgerock.com/knowledge/kb/article/a14149722"}, {"tags": ["product"], "url": "https://backstage.forgerock.com/downloads/browse/idm/all/productId:idm-connectors/subProductId:ldap/minorVersion:1.5/version:1.5.20.14"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Upgrade to LDAP connector version 1.5.20.14 or later"}], "value": "Upgrade to LDAP connector version 1.5.20.14 or later"}], "source": {"advisory": "202303", "discovery": "EXTERNAL"}, "title": "When the LDAP connector is started with StartTLS configured, LDAP BIND credentials are transmitted insecurely, prior to establishing the TLS connection. ", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:forgerock:ldap_connector:*:*:*:*:*:*:*:*", "matchCriteriaId": "C6C49376-B78D-4BCF-A2A3-710F066094AF", "versionEndExcluding": "1.5.20.14", "versionStartIncluding": "1.5.20.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Cleartext Transmission of Sensitive Information vulnerability in ForgeRock Inc. OpenIDM and Java Remote Connector Server (RCS) LDAP Connector on Windows, MacOS, Linux allows Remote Services with Stolen Credentials.This issue affects OpenIDM and Java Remote Connector Server (RCS): from 1.5.20.9 through 1.5.20.13.\n\n"}], "id": "CVE-2023-1656", "lastModified": "2023-11-07T04:04:31.210", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "psirt@forgerock.com", "type": "Secondary"}]}, "published": "2023-03-29T20:15:07.393", "references": [{"source": "psirt@forgerock.com", "tags": ["Permissions Required"], "url": "https://backstage.forgerock.com/downloads/browse/idm/all/productId:idm-connectors/subProductId:ldap/minorVersion:1.5/version:1.5.20.14"}, {"source": "psirt@forgerock.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://backstage.forgerock.com/knowledge/kb/article/a14149722"}], "sourceIdentifier": "psirt@forgerock.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-319"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-319"}], "source": "psirt@forgerock.com", "type": "Secondary"}]}