CVE-2023-1656 - OpenCVE

Cleartext Transmission of Sensitive Information vulnerability in ForgeRock Inc. OpenIDM and Java Remote Connector Server (RCS) LDAP Connector on Windows, MacOS, Linux allows Remote Services with Stolen Credentials.This issue affects OpenIDM and Java Remote Connector Server (RCS): from 1.5.20.9 through 1.5.20.13.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Forgerock	Ldap Connector

Configuration 1 [-]

cpe:2.3:a:forgerock:ldap_connector:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://backstage.forgerock.com/downloads/browse/idm/all/productId:idm-connectors/subProductId:ldap/minorVersion:1.5/version:1.5.20.14
https://backstage.forgerock.com/knowledge/kb/article/a14149722

History

No history.

MITRE

Status: PUBLISHED

Assigner: ForgeRock

Published: 2023-03-29T19:55:13.974Z

Updated: 2024-08-02T05:57:24.650Z

Reserved: 2023-03-27T14:07:18.820Z

Link: CVE-2023-1656

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-03-29T20:15:07.393

Modified: 2023-11-07T04:04:31.210

Link: CVE-2023-1656

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-1656", "assignerOrgId": "6b18ae97-0aab-4af2-9ba4-74b2b139ddfa", "state": "PUBLISHED", "assignerShortName": "ForgeRock", "dateReserved": "2023-03-27T14:07:18.820Z", "datePublished": "2023-03-29T19:55:13.974Z", "dateUpdated": "2024-08-02T05:57:24.650Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageName": "LDAP Connector", "platforms": ["Windows", "MacOS", "Linux"], "product": "OpenIDM and Java Remote Connector Server (RCS)", "vendor": "ForgeRock Inc.", "versions": [{"lessThanOrEqual": "1.5.20.13", "status": "affected", "version": "1.5.20.9", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Cleartext Transmission of Sensitive Information vulnerability in ForgeRock Inc. OpenIDM and Java Remote Connector Server (RCS) LDAP Connector on Windows, MacOS, Linux allows Remote Services with Stolen Credentials.<p>This issue affects OpenIDM and Java Remote Connector Server (RCS): from 1.5.20.9 through 1.5.20.13.</p>"}], "value": "Cleartext Transmission of Sensitive Information vulnerability in ForgeRock Inc. OpenIDM and Java Remote Connector Server (RCS) LDAP Connector on Windows, MacOS, Linux allows Remote Services with Stolen Credentials.This issue affects OpenIDM and Java Remote Connector Server (RCS): from 1.5.20.9 through 1.5.20.13.\n\n"}], "impacts": [{"capecId": "CAPEC-555", "descriptions": [{"lang": "en", "value": "CAPEC-555 Remote Services with Stolen Credentials"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-319", "description": "CWE-319 Cleartext Transmission of Sensitive Information", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "6b18ae97-0aab-4af2-9ba4-74b2b139ddfa", "shortName": "ForgeRock", "dateUpdated": "2023-03-29T19:55:21.060Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://backstage.forgerock.com/knowledge/kb/article/a14149722"}, {"tags": ["product"], "url": "https://backstage.forgerock.com/downloads/browse/idm/all/productId:idm-connectors/subProductId:ldap/minorVersion:1.5/version:1.5.20.14"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Upgrade to LDAP connector version 1.5.20.14 or later"}], "value": "Upgrade to LDAP connector version 1.5.20.14 or later"}], "source": {"advisory": "202303", "discovery": "EXTERNAL"}, "title": "When the LDAP connector is started with StartTLS configured, LDAP BIND credentials are transmitted insecurely, prior to establishing the TLS connection. ", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T05:57:24.650Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://backstage.forgerock.com/knowledge/kb/article/a14149722"}, {"tags": ["product", "x_transferred"], "url": "https://backstage.forgerock.com/downloads/browse/idm/all/productId:idm-connectors/subProductId:ldap/minorVersion:1.5/version:1.5.20.14"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:forgerock:ldap_connector:*:*:*:*:*:*:*:*", "matchCriteriaId": "C6C49376-B78D-4BCF-A2A3-710F066094AF", "versionEndExcluding": "1.5.20.14", "versionStartIncluding": "1.5.20.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cleartext Transmission of Sensitive Information vulnerability in ForgeRock Inc. OpenIDM and Java Remote Connector Server (RCS) LDAP Connector on Windows, MacOS, Linux allows Remote Services with Stolen Credentials.This issue affects OpenIDM and Java Remote Connector Server (RCS): from 1.5.20.9 through 1.5.20.13.\n\n"}], "id": "CVE-2023-1656", "lastModified": "2023-11-07T04:04:31.210", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "psirt@forgerock.com", "type": "Secondary"}]}, "published": "2023-03-29T20:15:07.393", "references": [{"source": "psirt@forgerock.com", "tags": ["Permissions Required"], "url": "https://backstage.forgerock.com/downloads/browse/idm/all/productId:idm-connectors/subProductId:ldap/minorVersion:1.5/version:1.5.20.14"}, {"source": "psirt@forgerock.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://backstage.forgerock.com/knowledge/kb/article/a14149722"}], "sourceIdentifier": "psirt@forgerock.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-319"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-319"}], "source": "psirt@forgerock.com", "type": "Secondary"}]}