A customer reported that <JBoss_home>standalone/deployments/iam_im.ear/management_console.war/WEB-INF/lib/struts2-core-2.5.31.jar is vulnerable. This was reported for IM 14.4 as well.
IDM 14.5
Vulnerability
If the report refers to CVE-2023-50164, Identity Manager is not impacted. Per this vulnerability, when an application uses the Struts parameter uploadFileName, attackers can potentially cause directory traversal through the FileUploadInterceptor class. Identity Manager does not use this parameter, so it is not affected by CVE-2023-50164.
However, we are in the process of upgrading the Struts version to 2.5.33 in the upcoming release 14.5.1.
Reference# DE591649
IM 14.5.1 is now available for download.
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-manager/14-5/Release-Notes/service-packs/service-pack-14-5-1.html
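To confirm which Struts core jar a deployment carries before and after moving to 14.5.1, the following added example (not Broadcom's code) scans an exploded deployment tree and flags any struts2-core jar older than 2.5.33. It assumes the jar keeps its struts2-core-<version>.jar file name; the function names, status labels and script name are made up for this example.

```shell
#!/bin/sh
# Added example: list struts2-core jars under a directory and flag versions
# older than 2.5.33, the version this article says ships with 14.5.1.
FIXED_VERSION="2.5.33"

# Print the version embedded in a struts2-core-<version>.jar file name.
struts_version_from_jar() {
    base=${1##*/}
    ver=${base#struts2-core-}
    printf '%s\n' "${ver%.jar}"
}

# Return 0 when dotted numeric version $1 is lower than $2 (missing parts = 0).
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 1; fi
    done
    return 1
}

# Print "<STATUS> <version> <path>" for every struts2-core jar below $1.
audit_struts() {
    find "$1" -type f -name 'struts2-core-*.jar' 2>/dev/null | sort |
    while IFS= read -r jar; do
        ver=$(struts_version_from_jar "$jar")
        case $ver in
            ''|*[!0-9.]*) status=UNKNOWN ;;   # not a plain dotted number
            *) if version_lt "$ver" "$FIXED_VERSION"; then
                   status=BELOW_FIXED
               else
                   status=OK
               fi ;;
        esac
        printf '%s %s %s\n' "$status" "$ver" "$jar"
    done
}

# Run only when a directory argument is given (hypothetical usage:
#   sh audit_struts.sh "$JBOSS_HOME/standalone/deployments").
if [ "$#" -gt 0 ]; then audit_struts "$1"; fi
```

BELOW_FIXED reports only that the jar predates 2.5.33; whether CVE-2023-50164 applies still depends on the application using the uploadFileName parameter, as described above.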