CA Identity Manager Bulk Loader Security Flaw
Article ID: 277556

Products

CA Identity Manager

Issue/Introduction

When a Bulk Loader task is used to execute any "Modify-User" type of task, there is no restriction on which attributes can be modified. Bulk Loader records do not pass through screen validation, so the password, the enabled state, or any other user attribute can be changed even when that attribute is NOT present on the screen of the "Modify-User" task being used, or is present but set to Read-Only.
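The behaviour described above is a server-side validation gap: the task screen is the only control over which attributes a "Modify-User" task may change, and Bulk Loader records never pass through it. The following Python example is added here as an illustration and is not CA Identity Manager code. It models a task screen as an allowlist of editable attributes and contrasts the unvalidated application of a bulk record (the flaw) with a server-side check that refuses attributes the screen does not expose or marks read-only (the expected behaviour). The attribute names (`%USER_ID%`, `%PASSWORD%`, `%ENABLED_STATE%` and so on), the screen definition, the CSV rows and the identifying-column convention are all assumptions constructed for this example.

```python
import csv
import io

# Assumed task-screen definition for a "Modify-User" task. A real deployment
# would derive this from the task configuration; the names and flags here are
# constructed for illustration only.
MODIFY_USER_SCREEN = {
    "%USER_ID%": "readonly",      # shown, but not editable
    "%FIRST_NAME%": "editable",
    "%LAST_NAME%": "editable",
    "%EMAIL%": "editable",
    "%ENABLED_STATE%": "readonly",  # shown, but not editable
    # %PASSWORD% is deliberately absent: it is not on this screen at all
}

# Constructed Bulk Loader input. The second row carries only a name change;
# the first row also tries to set a password and the enabled state.
BULK_CSV = """action,%USER_ID%,%FIRST_NAME%,%PASSWORD%,%ENABLED_STATE%
modify,jdoe,Jane,NewSecret123,0
modify,asmith,Alan,,
"""

KEY_ATTR = "%USER_ID%"  # assumption: this column identifies the user to modify


def parse_bulk_records(text):
    """Parse CSV text into one dict per record (all values are strings)."""
    return list(csv.DictReader(io.StringIO(text)))


def apply_unvalidated(record, key_attr=KEY_ATTR):
    """Flawed behaviour from the article: every non-empty column is applied,
    regardless of whether the task screen exposes it."""
    return {
        attr: value
        for attr, value in record.items()
        if attr not in ("action", key_attr) and value != ""
    }


def validate_against_screen(record, screen, key_attr=KEY_ATTR):
    """Hardened behaviour: only attributes the screen marks editable may change.
    Returns (accepted_changes, rejected_attribute_names)."""
    changes, rejected = {}, []
    for attr, value in record.items():
        if attr in ("action", key_attr) or value == "":
            continue  # not a change request
        if screen.get(attr) == "editable":
            changes[attr] = value
        else:
            rejected.append(attr)  # absent from the screen or read-only
    return changes, rejected


def process_bulk_load(text, screen, key_attr=KEY_ATTR):
    """Fail closed: a record that requests any disallowed attribute is refused
    as a whole, so a partially applied modification never reaches the store."""
    results = []
    for record in parse_bulk_records(text):
        changes, rejected = validate_against_screen(record, screen, key_attr)
        status = "rejected" if rejected else "applied"
        results.append((record[key_attr], status, changes, rejected))
    return results


if __name__ == "__main__":
    for user, status, changes, rejected in process_bulk_load(BULK_CSV, MODIFY_USER_SCREEN):
        print(f"{user}: {status} changes={changes} rejected={rejected}")
```

Running the block shows the difference the screen check makes: the `jdoe` row is applied wholesale by `apply_unvalidated` (including the password and enabled state), while `process_bulk_load` refuses that record and logs which attributes caused the refusal, and the `asmith` row passes unchanged. Whether to drop the offending attributes and continue or to reject the record outright is a policy choice; the example rejects, because silently stripping columns hides the fact that someone attempted the change.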

Environment

IDM 14.4 and later

Cause

This is a flawed design and, above all, a substantial risk for clients using Bulk Client, which requires the Bulk Loader task to have WebServices enabled and therefore makes it accessible through TEWS as well.

Resolution

By default, the feature will be enabled, and the documentation will be updated to reflect this.

The upcoming IDM release 14.5.1 will include these code changes.

Additional Information

Reference Defect # DE580756