CA Identity Manager 14.x
CA Identity Suite 14.x
1. Library: /iam/im/app/page/nimsmintegration/api-docs/swaggerui.js:
Vulnerability Details: Swagger-UI prior to 2.2.1 has Cross-site Scripting (XSS) via the Default field in the Definitions section.
Identity Manager (IM) Justification: Since the "Default field" is not exposed via IM-NIM integration, this vulnerability is NOT EXPLOITABLE through IM application.
2. Library: /iam/im/app/page/nimsmintegration/api-docs/lib/jquery1.8.0.min.js:
Identity Manager (IM) Justification: As part of IM and NIM integration, IM doesn't allow users to perform cross-domain Ajax requests. Hence, this vulnerability is not exploitable through IM.
Vulnerability Details: XSS vulnerability is possible in jQuery before 1.6.3, when using location.hash to select elements, that allows remote attackers to inject arbitrary web script or HTML via a crafted tag.
Identity Governance (IG) Justification: Identity Governance (IG) doesn’t use jquery-1.5.2.min.js library directly.
• IG uses Wicket framework and Wicket framework in turn uses wicket integration with JQuery (WIQuery) library. Wicket framework references the mentioned jquery version.
• IG application doesn’t use location.hash to select page elements, hence IG application is not exploitable with this vulnerability.
Updating JQuery to the latest version is a continued effort. As none of these vulnerabilities are exploitable, Broadcom is gradually remediating these libraries with each new major release. Example: (14.4 updated some of the JQuery files but not all of them. The next time this will be updated will be with 14.5.) Due to the complexity of some of these implementations, some may take longer than others to be updated.