CVE-2022-25626: Support Content Notification - Support Portal - Broadcom support portal

Multiple Vulnerabilities in Symantec Identity Manager 14.4

Product/Component

  • CA Identity Governance
  • CA Identity Manager
  • CA Identity Portal
  • CA Identity Suite

Notification Id

21136

Last Updated

16 December 2022

Initial Publication Date

16 December 2022

Status

CLOSED

Severity

HIGH

CVSS Base Score

8.6

Summary

Symantec has released an update to address the following issues, which were discovered in Symantec Identity Manager 14.4:

  • Authentication Bypass of Management Console in Symantec Identity Manager 14.4
  • Remote Command Execution (RCE) on Management Console in Symantec Identity Manager 14.4
  • XML eXternal Entity injection (XXE) on Management Console in Symantec Identity Manager 14.4

Affected Product(s):

Identity Governance And Administration-Identity Manager

CVE:

CVE-2022-25626
CVE-2022-25627
CVE-2022-25628

Supported Version(s):

14.3
14.4

Remediation:

  • Customers who are on 14.3 CP3 or 14.4 CP1 can apply the hotfix (link in the ‘References’ section)
  • 14.4 CP2 already contains the remediation for this vulnerability

Issue Details

CVE-2022-25626

Severity / CVSS v3.0:

High/8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H)

References:

NVD: CVE-2022-25626

Impact:

Authentication Bypass

Description:

An unauthenticated user can access specific page URLs of Identity Manager’s management console. However, the system does not allow the user to carry out server-side tasks without a valid web session.

CVE-2022-25627

Severity / CVSS v3.0:

High/7.2 (AV:H/AC:H/PR:H/UI:N/S:C/C:L/I:H/A:L)

References:

NVD: CVE-2022-25627

Impact:

Remote Command Execution (RCE)

Description:

An authenticated administrator who has physical access to the environment can carry out Remote Command Execution on the Management Console in Symantec Identity Manager 14.4.

CVE-2022-25628

Severity / CVSS v3.0:

Low/3.1 (AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N)

References:

NVD: CVE-2022-25628

Impact:

XML eXternal Entity injection (XXE)

Description:

An authenticated user can perform XML eXternal Entity injection in the Management Console in Symantec Identity Manager 14.4.

Acknowledgements

  • CVE-2022-25626: Hugo Boutinon & Undr of AXA Group Security
  • CVE-2022-25627: Hugo Boutinon & Undr of AXA Group Security
  • CVE-2022-25628: Hugo Boutinon & Undr of AXA Group Security

References

IGA 14.4:

  • Non-vApp: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-manager/14-4/Release-Notes/Hotfixes.html
  • vApp: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-suite/14-4/release-notes/Virtual-Appliance-Release-Notes/Hotfixes.html

IGA 14.3:

  • Non-vApp: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-manager/14-3/Release-Notes/Hotfixes.html
  • vApp: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-suite/14-3/release-notes/Virtual-Appliance-Release-Notes/Hotfixes.html

Revisions

2022-12-16 Initial public release