
Multiple Vulnerabilities in Symantec Identity Manager: CVE-2023-23949, CVE-2023-23950, CVE-2023-23951


Article ID: 258208


Updated On:

Products

CA Identity Suite

Issue/Introduction

Summary

This security advisory covers the following vulnerabilities in Symantec Identity Manager:

  • Multiple Reflected Cross-Site Scripting in Identity Manager
  • Response Splitting in Identity Manager
  • Oracle LDAP Attribute Information Disclosure in Identity Manager

Affected Product(s)

Identity Governance And Administration-Identity Manager

CVE: CVE-2023-23949
Supported Version(s): 14.3 CP3, 14.4.1, 14.4.2
Remediation: Customers who are on 14.3 CP3, 14.4 CP1 (CHF2) and 14.4 CP2 can apply the hotfixes (link in the 'References' section)

CVE: CVE-2023-23950
Supported Version(s): 14.3 CP3, 14.4.1, 14.4.2
Remediation: Customers who are on 14.3 CP3, 14.4 CP1 (CHF2) and 14.4 CP2 can apply the hotfixes (link in the 'References' section)

CVE: CVE-2023-23951
Supported Version(s): 14.3 CP3, 14.4.1, 14.4.2
Remediation: Customers who are on 14.3 CP3, 14.4 CP1 (CHF2) and 14.4 CP2 can apply the hotfixes (link in the 'References' section)

Issue Details

CVE-2023-23949
Severity / CVSS v3.1: High / 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
References: NVD: CVE-2023-23949
Impact: Multiple Reflected Cross-Site Scripting
Description: An authenticated user can supply malicious HTML and JavaScript code that is reflected back by the application and executed in the victim's browser

 

CVE-2023-23950
Severity / CVSS v3.1: High / 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
References: NVD: CVE-2023-23950
Impact: Response Splitting
Description: User-supplied input containing a CRLF sequence is copied into an HTTP response header unchecked, which allows the returned response to be split into two responses, the second of which is fully attacker-controlled
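Both CVE-2023-23949 and CVE-2023-23950 are failures to encode user input for the place in the HTTP response where it is reflected: the header line for response splitting, the HTML body for reflected XSS. The block below is an added illustration, not code from Identity Manager or from the advisory; the handlers, parameter names and attacker inputs are all hypothetical, constructed sample data. It shows a redirect handler and a greeting page in a vulnerable and a hardened form, and a small check that counts how many HTTP messages a client would see in the raw bytes.

```python
import html
from urllib.parse import quote

# Constructed attacker inputs (sample data, not payloads from the advisory).
# SPLIT_PAYLOAD terminates the current headers (CRLF CRLF) and appends a
# complete second response whose body is a script.
SPLIT_PAYLOAD = (
    "home\r\n\r\n"
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 25\r\n\r\n"
    "<script>alert(1)</script>"
)
XSS_PAYLOAD = '"><script>alert(1)</script>'


def redirect_vulnerable(target: str) -> bytes:
    """Hypothetical handler that copies a request parameter into Location unchecked."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: /app/{target}\r\n"
        "Content-Length: 0\r\n\r\n"
    ).encode()


def redirect_hardened(target: str) -> bytes:
    """Reject CR/LF outright, then percent-encode so nothing else can alter the header."""
    if "\r" in target or "\n" in target:
        raise ValueError("CR/LF not permitted in a header value")
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: /app/{quote(target, safe='')}\r\n"
        "Content-Length: 0\r\n\r\n"
    ).encode()


def rejects_crlf(target: str) -> bool:
    """True if the hardened handler refuses the value (used to check the guard)."""
    try:
        redirect_hardened(target)
    except ValueError:
        return True
    return False


def _ok(body: str) -> bytes:
    """Wrap an HTML body in a minimal 200 response."""
    data = body.encode("utf-8")
    return (
        b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
        + f"Content-Length: {len(data)}\r\n\r\n".encode()
        + data
    )


def page_vulnerable(name: str) -> bytes:
    """Reflects the parameter into the HTML body without encoding."""
    return _ok(f"<p>Hello, <b>{name}</b></p>")


def page_hardened(name: str) -> bytes:
    """Same page with HTML-entity encoding for the element-content context."""
    return _ok(f"<p>Hello, <b>{html.escape(name, quote=True)}</b></p>")


def count_responses(raw: bytes) -> int:
    """Number of HTTP messages in the bytes: a status line following an empty
    line means the first response ended and a second one began."""
    return raw.count(b"\r\n\r\nHTTP/1.1 ") + 1
```

The hardened redirect refuses CR and LF rather than stripping them, because silent stripping can still leave a value the developer did not intend; percent-encoding handles everything else. Note that many servlet containers already reject CR/LF in header values, but that is a property of the container, not of the application, so the application-level check still belongs in the handler.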

 

CVE-2023-23951
Severity / CVSS v3.0: {Critical/High/Medium/Low} / X.X [CVSS Vector]
References: NVD: CVE-2023-23951
Impact: Oracle LDAP Attribute Information Disclosure
Description: An attacker can enumerate the Oracle LDAP attributes of the current user by modifying the LDAP query the application builds from user-supplied input
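The attribute-enumeration issue in CVE-2023-23951 is the LDAP counterpart of the encoding failures above: a value concatenated into a search filter without RFC 4515 escaping lets the caller add extra filter terms. The following is an added example, not code from Identity Manager or from the advisory; the in-memory directory, the entries, the attribute names and the lookup functions are all constructed for illustration. It contains a tiny filter evaluator so the effect can be seen offline: with the vulnerable filter builder the caller can inject a presence test `(attr=*)` and learn, one attribute at a time, which attributes exist on the user's entry; with the escaped builder the same input only ever matches a literal uid.

```python
import re

# Constructed in-memory directory standing in for the LDAP server.
DIRECTORY = [
    {"uid": ["alice"], "objectClass": ["inetOrgPerson"],
     "mail": ["alice@example.com"], "userPassword": ["{SSHA}constructed"]},
    {"uid": ["bob"], "objectClass": ["inetOrgPerson"], "mail": ["bob@example.com"]},
]

# RFC 4515 escaping for a value embedded in a search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(c, c) for c in value)


def build_filter_vulnerable(uid: str) -> str:
    """Hypothetical lookup that concatenates the caller-supplied uid unescaped."""
    return f"(&(objectClass=inetOrgPerson)(uid={uid}))"


def build_filter_hardened(uid: str) -> str:
    """Same lookup with the value escaped, so it can only ever match a uid."""
    return f"(&(objectClass=inetOrgPerson)(uid={escape_filter_value(uid)}))"


# --- minimal filter evaluator: AND, OR, and equality/presence/substring items ---

def _unescape(s: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def _parse(s: str, i: int):
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":
        op, subs, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            subs.append(node)
        if s[i] != ")":
            raise ValueError("unterminated compound filter")
        return (op, subs), i + 1
    j = s.index(")", i)
    attr, _, pattern = s[i:j].partition("=")
    # An unescaped '*' is a wildcard; an escaped '\2a' survives the split and
    # becomes a literal '*' after unescaping.
    regex = "^" + ".*".join(re.escape(_unescape(p)) for p in pattern.split("*")) + "$"
    return ("=", attr, re.compile(regex, re.IGNORECASE)), j + 1


def parse_filter(s: str):
    node, i = _parse(s, 0)
    if i != len(s):
        raise ValueError("trailing data after filter")
    return node


def _matches(node, entry) -> bool:
    if node[0] in ("&", "|"):
        combine = all if node[0] == "&" else any
        return combine(_matches(n, entry) for n in node[1])
    _, attr, regex = node
    return any(regex.match(v) for v in entry.get(attr, []))


def search(filter_str: str):
    node = parse_filter(filter_str)
    return [e for e in DIRECTORY if _matches(node, e)]


def probe_attributes(build_filter, uid: str, candidates):
    """What the caller learns: which candidate attributes exist on the user's
    entry. Each probe smuggles a presence test '(attr=*)' through the uid value;
    a non-empty result confirms the attribute is present."""
    return [attr for attr in candidates if search(build_filter(f"{uid})({attr}=*"))]
```

Against the vulnerable builder the probe confirms `mail` and `userPassword` for `alice`, which is exactly the attribute enumeration the advisory describes; against the hardened builder every probe returns nothing, while a plain lookup for `alice` still succeeds. Escaping is the minimum fix; where the directory library offers parameterised filters (placeholders filled by the library), prefer those over hand-built strings.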

 

Resolution

The vulnerabilities can be remediated by applying the following hotfixes:

IGA 14.4:

IGA 14.3: