Multiple Vulnerabilities in Symantec Identity Manager
Summary
This security advisory covers the following vulnerabilities in Symantec Identity Manager:
- Multiple Reflected Cross-Site Scripting in Identity Manager
- Response Splitting in Identity Manager
- Oracle LDAP Attribute Information Disclosure in Identity Manager
Affected Product(s)
Identity Governance And Administration-Identity Manager

CVE | Supported Version(s) | Remediation
CVE-2023-23949 | 14.3 CP3, 14.4.1, 14.4.2 | Customers who are on 14.3 CP3, 14.4 CP1 (CHF2) and 14.4 CP2 can apply the hotfixes (link in the 'References' section)
CVE-2023-23950 | 14.3 CP3, 14.4.1, 14.4.2 | Customers who are on 14.3 CP3, 14.4 CP1 (CHF2) and 14.4 CP2 can apply the hotfixes (link in the 'References' section)
CVE-2023-23951 | 14.3 CP3, 14.4.1, 14.4.2 | Customers who are on 14.3 CP3, 14.4 CP1 (CHF2) and 14.4 CP2 can apply the hotfixes (link in the 'References' section)
Issue Details
CVE-2023-23949
- Severity / CVSS v3.1: High / 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
- References: NVD: CVE-2023-23949
- Impact: Multiple Reflected Cross-Site Scripting
- Description: An authenticated user can supply malicious HTML and JavaScript code that will be executed in the client's browser
CVE-2023-23950
- Severity / CVSS v3.1: High / 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
- References: NVD: CVE-2023-23950
- Impact: Response Splitting
- Description: User-supplied input (usually a CRLF sequence) can be used to split the returned response into two responses
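The splitting mechanism described for CVE-2023-23950, shown as an added Python example that is not part of this advisory or of the Identity Manager code: a raw header writer that interpolates a CRLF-carrying value produces two status lines in one stream, beside a hardened writer that rejects CR, LF and NUL before the value reaches the header block. The header name, paths and sample values are constructed for illustration.

```python
import re

# Added example (not Symantec/Broadcom code): a header value derived from
# user input is written into a raw HTTP/1.1 response. The Location header
# and the sample paths below are constructed for illustration only.

_FIELD_VALUE_CTL = re.compile(r"[\r\n\x00]")
_STATUS_LINE = re.compile(rb"(?m)^HTTP/1\.[01] [1-5]\d\d ")


def is_valid_field_value(value: str) -> bool:
    """True if value contains no CR, LF or NUL (RFC 9110 field-value rules)."""
    return _FIELD_VALUE_CTL.search(value) is None


def build_redirect_unsafe(location: str) -> bytes:
    """Vulnerable: interpolates the value verbatim into the header block."""
    return (f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n"
            "Content-Length: 0\r\n\r\n").encode("latin-1")


def build_redirect_safe(location: str) -> bytes:
    """Hardened: refuse any value that could terminate the header line."""
    if not is_valid_field_value(location):
        raise ValueError("CR/LF/NUL not allowed in a header value")
    return build_redirect_unsafe(location)


def count_responses(raw: bytes) -> int:
    """Number of status lines in a raw byte stream; a split response shows 2."""
    return len(_STATUS_LINE.findall(raw))


# Constructed inputs: a benign path and one carrying a CRLF sequence that
# terminates the first response and starts a second one in the same stream.
BENIGN = "/app/home"
SPLIT = "/app/home\r\nContent-Length: 0\r\n\r\nHTTP/1.1 200 OK\r\n\r\n"

if __name__ == "__main__":
    print(count_responses(build_redirect_unsafe(BENIGN)))  # 1
    print(count_responses(build_redirect_unsafe(SPLIT)))   # 2
    try:
        build_redirect_safe(SPLIT)
    except ValueError as err:
        print("rejected:", err)
```

In practice the same check belongs in (or is already enforced by) the framework's header-setting API; the point is that raw concatenation bypasses it.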
CVE-2023-23951
- Severity / CVSS v3.0: Medium / 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
- References: NVD: CVE-2023-23951
- Impact: Oracle LDAP Attribute Information Disclosure
- Description: Ability to enumerate the Oracle LDAP attributes for the current user by modifying the query used by the application
Acknowledgements
- CVE-2023-23949: Christopher Vella of CyberCX
- CVE-2023-23950: Christopher Vella of CyberCX
- CVE-2023-23951: Christopher Vella of CyberCX
References
IGA 14.4:
- Non-vApp: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-manager/14-4/Release-Notes/Hotfixes.html
- vApp: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-suite/14-4/release-notes/Virtual-Appliance-Release-Notes/Hotfixes.html
IGA 14.3:
- Non-vApp: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-manager/14-3/Release-Notes/Hotfixes.html
- vApp: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-suite/14-3/release-notes/Virtual-Appliance-Release-Notes/Hotfixes.html
Revisions
2023-1-20 Initial public release