Multiple Vulnerabilities in Symantec Identity Manager

Products: CA Identity Governance and 3 more products
Advisory ID: 21174
Updated: 25 January 2023
Published: 20 January 2023
Status: CLOSED
Severity: HIGH
CVSS: 8.1

Summary

This security advisory covers the following vulnerabilities in Symantec Identity Manager:

  • Multiple Reflected Cross-Site Scripting in Identity Manager
  • Response Splitting in Identity Manager
  • Oracle LDAP Attribute Information Disclosure in Identity Manager

Affected Product(s)

Identity Governance And Administration-Identity Manager

CVE             Supported Version(s)        Remediation
CVE-2023-23949  14.3 CP3, 14.4.1, 14.4.2    Customers who are on 14.3 CP3, 14.4 CP1 (CHF2) and 14.4 CP2 can apply the hotfixes (link in the 'References' section)
CVE-2023-23950  14.3 CP3, 14.4.1, 14.4.2    Customers who are on 14.3 CP3, 14.4 CP1 (CHF2) and 14.4 CP2 can apply the hotfixes (link in the 'References' section)
CVE-2023-23951  14.3 CP3, 14.4.1, 14.4.2    Customers who are on 14.3 CP3, 14.4 CP1 (CHF2) and 14.4 CP2 can apply the hotfixes (link in the 'References' section)

Issue Details

CVE-2023-23949
Severity / CVSS v3.1: High / 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
References: NVD: CVE-2023-23949
Impact: Multiple Reflected Cross-Site Scripting
Description: An authenticated user can supply malicious HTML and JavaScript code that will be executed in the client browser


CVE-2023-23950
Severity / CVSS v3.1: High / 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
References: NVD: CVE-2023-23950
Impact: Response Splitting
Description: User-supplied input (usually a CRLF sequence) can be used to split a returning response into two responses


CVE-2023-23951
Severity / CVSS v3.0: Medium / 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
References: NVD: CVE-2023-23951
Impact: Oracle LDAP Attribute Information Disclosure
Description: Ability to enumerate the Oracle LDAP attributes for the current user by modifying the query used by the application
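The three issue classes above (reflected XSS, CRLF response splitting, and LDAP query manipulation) share one root cause: untrusted input reaching an HTML, HTTP-header or LDAP-filter context without context-specific encoding or validation. The following is an added example, written for this page and not code from Symantec, Broadcom or the Identity Manager product; every function name and the attribute allow-list are illustrative assumptions. It shows the defensive check a developer would apply at each of the three sinks, with constructed sample inputs.

```python
# Added example (not vendor code): output encoding and input validation for the
# three sink types named in this advisory. All identifiers are hypothetical.
import html
import re

# --- Reflected XSS: encode untrusted data before it is placed in HTML ---
def render_greeting(display_name: str) -> str:
    """Return an HTML fragment in which the untrusted name cannot break out of
    the text node. quote=True also neutralises quotes for attribute contexts."""
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


# --- Response splitting: reject CR, LF and NUL in anything bound for a header ---
_HEADER_VALUE_BAD = re.compile(r"[\r\n\x00]")

def header_value_is_safe(value: str) -> bool:
    """A header value that contains a line break would let the client parse a
    second, attacker-shaped response; such values must never be emitted."""
    return _HEADER_VALUE_BAD.search(value) is None

def safe_header_value(value: str) -> str:
    """Fail closed: raise instead of emitting a header that could split the response."""
    if not header_value_is_safe(value):
        raise ValueError("CR/LF or NUL in header value")
    return value


# --- LDAP attribute disclosure: escape filter values and allow-list attributes ---
# RFC 4515 escapes for the characters that carry meaning inside a search filter.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

def ldap_escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP filter."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_user_filter(uid: str) -> str:
    """Build the lookup filter with the user-controlled part escaped, so the
    caller cannot rewrite the query and widen what the directory returns."""
    return "(uid=" + ldap_escape_filter_value(uid) + ")"

# Hypothetical allow-list: attributes the application is meant to expose.
ALLOWED_ATTRS = frozenset({"cn", "mail", "displayName"})

def requested_attributes_allowed(requested) -> bool:
    """True only if every requested attribute is on the allow-list; anything
    else (e.g. operational or password-policy attributes) is refused."""
    return all(attr in ALLOWED_ATTRS for attr in requested)


if __name__ == "__main__":
    # Constructed sample inputs, not captured traffic.
    print(render_greeting('<b>"x"</b>'))
    print(header_value_is_safe("en-US"), header_value_is_safe("a\r\nb"))
    print(build_user_filter("a)(b*"))
    print(requested_attributes_allowed(["cn", "mail"]),
          requested_attributes_allowed(["cn", "userPassword"]))
```

The LDAP escape works per character, so a backslash is never double-escaped regardless of ordering; the attribute allow-list is the second half of the fix, since an escaped filter alone does not stop a caller from asking for attributes the application never intended to return.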


Acknowledgements

  • CVE-2023-23949: Christopher Vella of CyberCX
  • CVE-2023-23950: Christopher Vella of CyberCX
  • CVE-2023-23951: Christopher Vella of CyberCX

References

IGA 14.4:

IGA 14.3:

Revisions

2023-1-20 Initial public release