CVE-2023-1656 - Vulnerability Details - OpenCVE

Cleartext Transmission of Sensitive Information vulnerability in ForgeRock Inc. OpenIDM and Java Remote Connector Server (RCS) LDAP Connector on Windows, MacOS, Linux allows Remote Services with Stolen Credentials.This issue affects OpenIDM and Java Remote Connector Server (RCS): from 1.5.20.9 through 1.5.20.13.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Forgerock	Ldap Connector

Configuration 1 [-]

cpe:2.3:a:forgerock:ldap_connector:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://backstage.forgerock.com/downloads/browse/idm/all/productId:idm-connectors/subProductId:ldap/minorVersion:1.5/version:1.5.20.14
https://backstage.forgerock.com/knowledge/kb/article/a14149722

History

Wed, 12 Feb 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: ForgeRock

Published: 2023-03-29T19:55:13.974Z

Updated: 2025-02-12T15:03:41.519Z

Reserved: 2023-03-27T14:07:18.820Z

Link: CVE-2023-1656

Vulnrichment

Updated: 2024-08-02T05:57:24.650Z

NVD

Status : Modified

Published: 2023-03-29T20:15:07.393

Modified: 2024-11-21T07:39:38.257

Link: CVE-2023-1656

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-1656", "assignerOrgId": "6b18ae97-0aab-4af2-9ba4-74b2b139ddfa", "state": "PUBLISHED", "assignerShortName": "ForgeRock", "dateReserved": "2023-03-27T14:07:18.820Z", "datePublished": "2023-03-29T19:55:13.974Z", "dateUpdated": "2025-02-12T15:03:41.519Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageName": "LDAP Connector", "platforms": ["Windows", "MacOS", "Linux"], "product": "OpenIDM and Java Remote Connector Server (RCS)", "vendor": "ForgeRock Inc.", "versions": [{"lessThanOrEqual": "1.5.20.13", "status": "affected", "version": "1.5.20.9", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Cleartext Transmission of Sensitive Information vulnerability in ForgeRock Inc. OpenIDM and Java Remote Connector Server (RCS) LDAP Connector on Windows, MacOS, Linux allows Remote Services with Stolen Credentials.<p>This issue affects OpenIDM and Java Remote Connector Server (RCS): from 1.5.20.9 through 1.5.20.13.</p>"}], "value": "Cleartext Transmission of Sensitive Information vulnerability in ForgeRock Inc. OpenIDM and Java Remote Connector Server (RCS) LDAP Connector on Windows, MacOS, Linux allows Remote Services with Stolen Credentials.This issue affects OpenIDM and Java Remote Connector Server (RCS): from 1.5.20.9 through 1.5.20.13.\n\n"}], "impacts": [{"capecId": "CAPEC-555", "descriptions": [{"lang": "en", "value": "CAPEC-555 Remote Services with Stolen Credentials"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-319", "description": "CWE-319 Cleartext Transmission of Sensitive Information", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "6b18ae97-0aab-4af2-9ba4-74b2b139ddfa", "shortName": "ForgeRock", "dateUpdated": "2023-03-29T19:55:21.060Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://backstage.forgerock.com/knowledge/kb/article/a14149722"}, {"tags": ["product"], "url": "https://backstage.forgerock.com/downloads/browse/idm/all/productId:idm-connectors/subProductId:ldap/minorVersion:1.5/version:1.5.20.14"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Upgrade to LDAP connector version 1.5.20.14 or later"}], "value": "Upgrade to LDAP connector version 1.5.20.14 or later"}], "source": {"advisory": "202303", "discovery": "EXTERNAL"}, "title": "When the LDAP connector is started with StartTLS configured, LDAP BIND credentials are transmitted insecurely, prior to establishing the TLS connection. ", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T05:57:24.650Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://backstage.forgerock.com/knowledge/kb/article/a14149722"}, {"tags": ["product", "x_transferred"], "url": "https://backstage.forgerock.com/downloads/browse/idm/all/productId:idm-connectors/subProductId:ldap/minorVersion:1.5/version:1.5.20.14"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-12T15:03:32.619480Z", "id": "CVE-2023-1656", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-12T15:03:41.519Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://backstage.forgerock.com/knowledge/kb/article/a14149722", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://backstage.forgerock.com/downloads/browse/idm/all/productId:idm-connectors/subProductId:ldap/minorVersion:1.5/version:1.5.20.14", "tags": ["product", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T05:57:24.650Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-1656", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-02-12T15:03:32.619480Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-12T15:02:30.398Z"}}], "cna": {"title": "When the LDAP connector is started with StartTLS configured, LDAP BIND credentials are transmitted insecurely, prior to establishing the TLS connection. ", "source": {"advisory": "202303", "discovery": "EXTERNAL"}, "impacts": [{"capecId": "CAPEC-555", "descriptions": [{"lang": "en", "value": "CAPEC-555 Remote Services with Stolen Credentials"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "ForgeRock Inc.", "product": "OpenIDM and Java Remote Connector Server (RCS)", "versions": [{"status": "affected", "version": "1.5.20.9", "versionType": "custom", "lessThanOrEqual": "1.5.20.13"}], "platforms": ["Windows", "MacOS", "Linux"], "packageName": "LDAP Connector", "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Upgrade to LDAP connector version 1.5.20.14 or later", "supportingMedia": [{"type": "text/html", "value": "Upgrade to LDAP connector version 1.5.20.14 or later", "base64": false}]}], "references": [{"url": "https://backstage.forgerock.com/knowledge/kb/article/a14149722", "tags": ["vendor-advisory"]}, {"url": "https://backstage.forgerock.com/downloads/browse/idm/all/productId:idm-connectors/subProductId:ldap/minorVersion:1.5/version:1.5.20.14", "tags": ["product"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Cleartext Transmission of Sensitive Information vulnerability in ForgeRock Inc. OpenIDM and Java Remote Connector Server (RCS) LDAP Connector on Windows, MacOS, Linux allows Remote Services with Stolen Credentials.This issue affects OpenIDM and Java Remote Connector Server (RCS): from 1.5.20.9 through 1.5.20.13.\n\n", "supportingMedia": [{"type": "text/html", "value": "Cleartext Transmission of Sensitive Information vulnerability in ForgeRock Inc. OpenIDM and Java Remote Connector Server (RCS) LDAP Connector on Windows, MacOS, Linux allows Remote Services with Stolen Credentials.<p>This issue affects OpenIDM and Java Remote Connector Server (RCS): from 1.5.20.9 through 1.5.20.13.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-319", "description": "CWE-319 Cleartext Transmission of Sensitive Information"}]}], "providerMetadata": {"orgId": "6b18ae97-0aab-4af2-9ba4-74b2b139ddfa", "shortName": "ForgeRock", "dateUpdated": "2023-03-29T19:55:21.060Z"}}}, "cveMetadata": {"cveId": "CVE-2023-1656", "state": "PUBLISHED", "dateUpdated": "2025-02-12T15:03:41.519Z", "dateReserved": "2023-03-27T14:07:18.820Z", "assignerOrgId": "6b18ae97-0aab-4af2-9ba4-74b2b139ddfa", "datePublished": "2023-03-29T19:55:13.974Z", "assignerShortName": "ForgeRock"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:forgerock:ldap_connector:*:*:*:*:*:*:*:*", "matchCriteriaId": "C6C49376-B78D-4BCF-A2A3-710F066094AF", "versionEndExcluding": "1.5.20.14", "versionStartIncluding": "1.5.20.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Cleartext Transmission of Sensitive Information vulnerability in ForgeRock Inc. OpenIDM and Java Remote Connector Server (RCS) LDAP Connector on Windows, MacOS, Linux allows Remote Services with Stolen Credentials.This issue affects OpenIDM and Java Remote Connector Server (RCS): from 1.5.20.9 through 1.5.20.13.\n\n"}], "id": "CVE-2023-1656", "lastModified": "2024-11-21T07:39:38.257", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "psirt@forgerock.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-03-29T20:15:07.393", "references": [{"source": "psirt@forgerock.com", "tags": ["Permissions Required"], "url": "https://backstage.forgerock.com/downloads/browse/idm/all/productId:idm-connectors/subProductId:ldap/minorVersion:1.5/version:1.5.20.14"}, {"source": "psirt@forgerock.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://backstage.forgerock.com/knowledge/kb/article/a14149722"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Permissions Required"], "url": "https://backstage.forgerock.com/downloads/browse/idm/all/productId:idm-connectors/subProductId:ldap/minorVersion:1.5/version:1.5.20.14"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://backstage.forgerock.com/knowledge/kb/article/a14149722"}], "sourceIdentifier": "psirt@forgerock.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-319"}], "source": "psirt@forgerock.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-319"}], "source": "nvd@nist.gov", "type": "Primary"}]}