#VU34162 Improper Privilege Management in Identity Manager - CVE-2020-11849

Updated: 2020-08-08

Vulnerability identifier: #VU34162

Vulnerability risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2020-11849

CWE-ID: CWE-269

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Identity Manager
Server applications / Remote management servers, RDP, SSH

Vendor: Oracle

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Elevation of privilege and/or unauthorized access vulnerability in Micro Focus Identity Manager, affecting versions prior to 4.7.3 and 4.8.1 hot fix 1. The vulnerability could allow information exposure that can result in elevation of privilege or unauthorized access.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Identity Manager: 4.7.4 - 4.8.1
External links
https://www.netiq.com/documentation/identity-manager-47/releasenotes_idm4741_apps/data/releasenotes_idm4741_apps.html
https://www.netiq.com/documentation/identity-manager-48/releasenotes_idm4811_apps/data/releasenotes_idm4811_apps.html
Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.