CA Identity Manager Bulk Loader Security Flaw


Article ID: 277556




CA Identity Manager


When a Bulk Loader task is used to execute any "Modify-User" type of task, there is no limit on which attributes can be modified. The Bulk Loader task does not pass through screen validation. Therefore password, state, or any other user attribute can be modified even if it is NOT present on the screen of the "Modify-User" task being used, or if it is present but set as Read-Only.


IDM 14.4 and later


This is a design flaw and, above all, a substantial risk for clients using Bulk Client, which requires the Bulk Loader task to have WebServices enabled and therefore makes it accessible through TEWS as well.


To avoid this risk, the only possible workaround is to implement PX/BLTH on ALL tasks that are accessible through Bulk Loader and in the scope of the users with permission to use Bulk Loader tasks. PX/BLTH should not be used to bypass product security flaws.
Code changes have been made to improve the Bulk Loader task with validation.
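
The screen check that the Bulk Loader path skips can be approximated as a pre-load audit of a feeder file. This is an added example, not code from this article or from the product. The column names, the screen definition and the sample feed are assumptions constructed for illustration. It flags rows for review and is not a server-side control.

```python
import csv
import io

# Assumed description of the "Modify-User" task screen: attribute -> editable?
# Attributes that are absent from the screen are not listed. (Constructed values.)
SCREEN_FIELDS = {"title": True, "telephone": True, "department": False}

# Columns that steer the load rather than set an attribute (assumed names).
CONTROL_COLUMNS = {"action", "uid"}

# Constructed sample feed; a real feeder file would be read from disk.
SAMPLE_FEED = """action,uid,title,department,password,state
modify,jdoe,Engineer,,,
modify,asmith,Manager,Finance,,
modify,bwong,,,Secret123!,
modify,ckhan,Analyst,,,disabled
"""


def audit_feed(feed_text, screen_fields=SCREEN_FIELDS, control=CONTROL_COLUMNS):
    """Return (line_no, uid, attribute, reason) for every value the task
    screen would have refused: attribute not on the screen, or read-only."""
    findings = []
    reader = csv.DictReader(io.StringIO(feed_text))
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        for attr, value in row.items():
            # attr is None for surplus cells that have no header column.
            # Assumption: an empty cell leaves the attribute unchanged.
            if attr is None or attr in control or not (value or "").strip():
                continue
            if attr not in screen_fields:
                findings.append((line_no, row.get("uid"), attr, "not on screen"))
            elif not screen_fields[attr]:
                findings.append((line_no, row.get("uid"), attr, "read-only"))
    return findings


if __name__ == "__main__":
    for finding in audit_feed(SAMPLE_FEED):
        print("line %d user %s: %s (%s)" % finding)
```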

Additional Information

Reference Defect#DE580756