Improper Privilege Management in Oracle Identity Manager
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2020-11849 |
| CWE-ID | CWE-269 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Identity Manager Server applications / Remote management servers, RDP, SSH |
| Vendor | Oracle |
Security Bulletin
This security bulletin contains one high risk vulnerability.
1) Improper Privilege Management
EUVDB-ID: #VU34162
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2020-11849
CWE-ID:
CWE-269 - Improper Privilege Management
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
Elevation of privilege and/or unauthorized access vulnerability in Micro Focus Identity Manager. Affecting versions prior to 4.7.3 and 4.8.1 hot fix 1. The vulnerability could allow information exposure that can result in an elevation of privilege or an unauthorized access.
MitigationInstall update from vendor's website.
Vulnerable software versionsIdentity Manager: 4.7.4 - 4.8.1
CPE2.3- cpe:2.3:a:oracle:oracle_identity_manager:4.7.4:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_identity_manager:4.8.1:*:*:*:*:*:*:*
https://www.netiq.com/documentation/identity-manager-47/releasenotes_idm4741_apps/data/releasenotes_idm4741_apps.html
https://www.netiq.com/documentation/identity-manager-48/releasenotes_idm4811_apps/data/releasenotes_idm4811_apps.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
