CVE-2022-0143 - OpenCVE

When the LDAP connector is started with StartTLS configured, unauthenticated access is granted. This issue affects: all versions of the LDAP connector prior to 1.5.20.9. The LDAP connector is bundled with Identity Management (IDM) and Remote Connector Server (RCS)

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Forgerock	Ldap Connector

Configuration 1 [-]

cpe:2.3:a:forgerock:ldap_connector:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://backstage.forgerock.com/downloads/browse/idm/featured/connectors
https://backstage.forgerock.com/knowledge/kb/article/a11380515

History

No history.

MITRE

Status: PUBLISHED

Assigner: ForgeRock

Published: 2022-09-19T21:15:51.349455Z

Updated: 2024-09-17T03:02:14.548Z

Reserved: 2022-01-07T00:00:00

Link: CVE-2022-0143

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-09-19T22:15:10.843

Modified: 2022-09-21T18:27:15.897

Link: CVE-2022-0143

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "LDAP Connector", "vendor": "ForgeRock", "versions": [{"lessThan": "1.5.20.9", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2022-09-19T00:00:00", "descriptions": [{"lang": "en", "value": "When the LDAP connector is started with StartTLS configured, unauthenticated access is granted. This issue affects: all versions of the LDAP connector prior to 1.5.20.9. The LDAP connector is bundled with Identity Management (IDM) and Remote Connector Server (RCS)"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "CWE-284 Improper Access Control", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-09-19T21:15:51", "orgId": "6b18ae97-0aab-4af2-9ba4-74b2b139ddfa", "shortName": "ForgeRock"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://backstage.forgerock.com/knowledge/kb/article/a11380515"}, {"tags": ["x_refsource_MISC"], "url": "https://backstage.forgerock.com/downloads/browse/idm/featured/connectors"}], "solutions": [{"lang": "en", "value": "Upgrade to LDAP connector 1.5.20.9 or later or disable the optional StartTLS feature in the LDAP connector."}], "source": {"advisory": "202206", "defect": ["https://bugster.forgerock.org/jira/browse/OPENICF-2103", "(not", "public)"], "discovery": "INTERNAL"}, "title": "LDAP Connector: When startTLS is used then LDAP connector ignores the wrong password", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@forgerock.com", "DATE_PUBLIC": "2022-09-19T17:38:00.000Z", "ID": "CVE-2022-0143", "STATE": "PUBLIC", "TITLE": "LDAP Connector: When startTLS is used then LDAP connector ignores the wrong password"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "LDAP Connector", "version": {"version_data": [{"version_affected": "<", "version_value": "1.5.20.9"}]}}]}, "vendor_name": "ForgeRock"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "When the LDAP connector is started with StartTLS configured, unauthenticated access is granted. This issue affects: all versions of the LDAP connector prior to 1.5.20.9. The LDAP connector is bundled with Identity Management (IDM) and Remote Connector Server (RCS)"}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-284 Improper Access Control"}]}]}, "references": {"reference_data": [{"name": "https://backstage.forgerock.com/knowledge/kb/article/a11380515", "refsource": "MISC", "url": "https://backstage.forgerock.com/knowledge/kb/article/a11380515"}, {"name": "https://backstage.forgerock.com/downloads/browse/idm/featured/connectors", "refsource": "MISC", "url": "https://backstage.forgerock.com/downloads/browse/idm/featured/connectors"}]}, "solution": [{"lang": "en", "value": "Upgrade to LDAP connector 1.5.20.9 or later or disable the optional StartTLS feature in the LDAP connector."}], "source": {"advisory": "202206", "defect": ["https://bugster.forgerock.org/jira/browse/OPENICF-2103", "(not", "public)"], "discovery": "INTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T23:18:41.713Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://backstage.forgerock.com/knowledge/kb/article/a11380515"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://backstage.forgerock.com/downloads/browse/idm/featured/connectors"}]}]}, "cveMetadata": {"assignerOrgId": "6b18ae97-0aab-4af2-9ba4-74b2b139ddfa", "assignerShortName": "ForgeRock", "cveId": "CVE-2022-0143", "datePublished": "2022-09-19T21:15:51.349455Z", "dateReserved": "2022-01-07T00:00:00", "dateUpdated": "2024-09-17T03:02:14.548Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:forgerock:ldap_connector:*:*:*:*:*:*:*:*", "matchCriteriaId": "02E586F4-A76F-4965-9919-A925EC7B8951", "versionEndExcluding": "1.5.20.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "When the LDAP connector is started with StartTLS configured, unauthenticated access is granted. This issue affects: all versions of the LDAP connector prior to 1.5.20.9. The LDAP connector is bundled with Identity Management (IDM) and Remote Connector Server (RCS)"}, {"lang": "es", "value": "Cuando el conector LDAP es iniciado con StartTLS configurado, es concedido acceso no autenticado. Este problema afecta a: todas las versiones del conector LDAP anteriores a 1.5.20.9. El conector LDAP es incluido con Identity Management (IDM) y Remote Connector Server (RCS)"}], "id": "CVE-2022-0143", "lastModified": "2022-09-21T18:27:15.897", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.8, "source": "psirt@forgerock.com", "type": "Secondary"}]}, "published": "2022-09-19T22:15:10.843", "references": [{"source": "psirt@forgerock.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://backstage.forgerock.com/downloads/browse/idm/featured/connectors"}, {"source": "psirt@forgerock.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://backstage.forgerock.com/knowledge/kb/article/a11380515"}], "sourceIdentifier": "psirt@forgerock.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-284"}], "source": "psirt@forgerock.com", "type": "Secondary"}]}