Lucene search

ForgeRockCVELIST:CVE-2022-24670

HistoryOct 20, 2022 - 12:00 a.m.

CVE-2022-24670 Any user can run unrestricted LDAP queries against a configuration endpoint

2022-10-2000:00:00

CWE-200

ForgeRock

www.cve.org

ldap queries

unauthorized access

configuration endpoint

CVSS3

7.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L

AI Score

7.1

Confidence

High

EPSS

0.001

Percentile

28.4%

JSON

An attacker can use the unrestricted LDAP queries to determine configuration entries

CNA Affected

[
  {
    "vendor": "ForgeRock",
    "product": "Access Management",
    "versions": [
      {
        "version": "unspecified",
        "lessThan": "6.5.5",
        "status": "affected",
        "versionType": "custom"
      },
      {
        "version": "unspecified",
        "lessThan": "7.1.2",
        "status": "affected",
        "versionType": "custom"
      },
      {
        "version": "unspecified",
        "lessThan": "7.2.0",
        "status": "affected",
        "versionType": "custom"
      }
    ]
  }
]

References

backstage.forgerock.com/downloads/browse/am/featured

backstage.forgerock.com/knowledge/kb/article/a90639318

CVSS3

7.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L

AI Score

7.1

Confidence

High

EPSS

0.001

Percentile

28.4%

JSON

Related for CVELIST:CVE-2022-24670