CVE-2017-7589
CVE-2017-7589 is a vulnerability of currently unknown severity. In OpenIDM through 4.0.0 before 4.5.0, the info endpoint may leak sensitive information upon a request by the "anonymous" user, as demonstrated by responses with a 200 HTTP status code and a JSON object containing IP address strings. This is related to a missing access-control check in bin/defaults/script/info/login.js. EPSS estimates a 1.02% chance of exploitation in the next 30 days.
Description
In OpenIDM through 4.0.0 before 4.5.0, the info endpoint may leak sensitive information upon a request by the "anonymous" user, as demonstrated by responses with a 200 HTTP status code and a JSON object containing IP address strings. This is related to a missing access-control check in bin/defaults/script/info/login.js.
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Openidm Project | Openidm | <= 4.0.0 |
| Openidm Project | Openidm | 4.5.0 |
References
- http://www.rootlabs.com.br/information-disclosure-forgerock-openidm-4-0-0-and-4-5-0/ (Exploit, Third Party Advisory)
- https://backstage.forgerock.com/knowledge/kb/article/a92936505 (Mitigation, Third Party Advisory)
Source: NVD / NIST
