CVE-2022-24670 - Vulnerability Details - OpenCVE

An attacker can use the unrestricted LDAP queries to determine configuration entries

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Forgerock	Access Management

Configuration 1 [-]

OR	cpe:2.3:a:forgerock:access_management::::::::
	cpe:2.3:a:forgerock:access_management::::::::
	cpe:2.3:a:forgerock:access_management::::::::
	cpe:2.3:a:forgerock:access_management::::::::
	cpe:2.3:a:forgerock:access_management:6.5.1:::::::*
	cpe:2.3:a:forgerock:access_management:6.5.3:::::::*
	cpe:2.3:a:forgerock:access_management:6.5.4:::::::*
	cpe:2.3:a:forgerock:access_management:7.1.0:::::::*
	cpe:2.3:a:forgerock:access_management:7.1.1:::::::*

No data.

References

Link	Providers
https://backstage.forgerock.com/downloads/browse/am/featured
https://backstage.forgerock.com/knowledge/kb/article/a90639318

History

No history.

MITRE

Status: PUBLISHED

Assigner: ForgeRock

Published: 2022-10-27T16:53:00.019101Z

Updated: 2024-09-16T18:08:57.937Z

Reserved: 2022-02-08T00:00:00

Link: CVE-2022-24670

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-10-27T17:15:09.813

Modified: 2024-11-21T06:50:49.940

Link: CVE-2022-24670

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-24670", "assignerOrgId": "6b18ae97-0aab-4af2-9ba4-74b2b139ddfa", "assignerShortName": "ForgeRock", "datePublished": "2022-10-27T16:53:00.019101Z", "dateUpdated": "2024-09-16T18:08:57.937Z", "dateReserved": "2022-02-08T00:00:00"}, "containers": {"cna": {"title": "Any user can run unrestricted LDAP queries against a configuration endpoint", "datePublic": "2022-10-20T00:00:00", "providerMetadata": {"orgId": "6b18ae97-0aab-4af2-9ba4-74b2b139ddfa", "shortName": "ForgeRock", "dateUpdated": "2022-10-27T00:00:00"}, "descriptions": [{"lang": "en", "value": "An attacker can use the unrestricted LDAP queries to determine configuration entries"}], "affected": [{"vendor": "ForgeRock", "product": "Access Management", "versions": [{"version": "unspecified", "lessThan": "6.5.5", "status": "affected", "versionType": "custom"}, {"version": "unspecified", "lessThan": "7.1.2", "status": "affected", "versionType": "custom"}, {"version": "unspecified", "lessThan": "7.2.0", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://backstage.forgerock.com/knowledge/kb/article/a90639318"}, {"url": "https://backstage.forgerock.com/downloads/browse/am/featured"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-200 Information Exposure", "cweId": "CWE-200"}]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "source": {"advisory": "202204", "defect": ["https://bugster.forgerock.org/jira/browse/OPENAM-18368", "(not", "public)"], "discovery": "EXTERNAL"}, "solutions": [{"lang": "en", "value": "Upgrade to the latest versions."}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T04:20:49.154Z"}, "title": "CVE Program Container", "references": [{"url": "https://backstage.forgerock.com/knowledge/kb/article/a90639318", "tags": ["x_transferred"]}, {"url": "https://backstage.forgerock.com/downloads/browse/am/featured", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:forgerock:access_management:*:*:*:*:*:*:*:*", "matchCriteriaId": "4162CDDD-B604-4B3C-AAA1-14D33FE1EF45", "versionEndIncluding": "6.0.0.7", "versionStartIncluding": "6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:forgerock:access_management:*:*:*:*:*:*:*:*", "matchCriteriaId": "6D9D6502-4993-46CE-9FDC-71808D76C416", "versionEndIncluding": "6.5.0.2", "versionStartIncluding": "6.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:forgerock:access_management:*:*:*:*:*:*:*:*", "matchCriteriaId": "C9AC242A-391E-463D-8C00-28CE22D6339E", "versionEndIncluding": "6.5.2.3", "versionStartIncluding": "6.5.2.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:forgerock:access_management:*:*:*:*:*:*:*:*", "matchCriteriaId": "D66C82CB-63C8-4A3C-AD19-08CD666F8C9D", "versionEndIncluding": "7.0.2", "versionStartIncluding": "7.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:forgerock:access_management:6.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "E31AD7C7-9145-4EBC-A1A1-531B77BEFB0C", "vulnerable": true}, {"criteria": "cpe:2.3:a:forgerock:access_management:6.5.3:*:*:*:*:*:*:*", "matchCriteriaId": "F3D7F2DE-8E77-4268-9F8B-D95954A31140", "vulnerable": true}, {"criteria": "cpe:2.3:a:forgerock:access_management:6.5.4:*:*:*:*:*:*:*", "matchCriteriaId": "F4CB42E3-B330-4202-87A4-EC503D569C78", "vulnerable": true}, {"criteria": "cpe:2.3:a:forgerock:access_management:7.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "9725E909-8707-402E-939B-EC6FA6FA0984", "vulnerable": true}, {"criteria": "cpe:2.3:a:forgerock:access_management:7.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "C5AEAE88-FA4F-4970-A5AB-A1FDBC2A447A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An attacker can use the unrestricted LDAP queries to determine configuration entries"}, {"lang": "es", "value": "Un atacante puede utilizar las consultas LDAP sin restricciones para determinar las entradas de configuraci\u00f3n."}], "id": "CVE-2022-24670", "lastModified": "2024-11-21T06:50:49.940", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "psirt@forgerock.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-10-27T17:15:09.813", "references": [{"source": "psirt@forgerock.com", "tags": ["Product"], "url": "https://backstage.forgerock.com/downloads/browse/am/featured"}, {"source": "psirt@forgerock.com", "tags": ["Vendor Advisory"], "url": "https://backstage.forgerock.com/knowledge/kb/article/a90639318"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://backstage.forgerock.com/downloads/browse/am/featured"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://backstage.forgerock.com/knowledge/kb/article/a90639318"}], "sourceIdentifier": "psirt@forgerock.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "psirt@forgerock.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}