Vulnerability CVE-2024-12799 - Russian Vulnerability Scanner Database

Description

Insufficiently Protected Credentials vulnerability in OpenText Identity Manager Advanced Edition on Windows, Linux, 64 bit allows Privilege Abuse. This vulnerability could allow an authenticated user to obtain higher privileged user’s sensitive information via crafted payload. This issue affects Identity Manager Advanced Edition: from 4.8.0.0 through 4.8.7.0102, 4.9.0.0.

Tags · CWE

Pre-auth

CWE-522

CAPEC-50

CAPEC-102

CAPEC-474

CAPEC-509

CAPEC-551

CAPEC-555

CAPEC-560

CAPEC-561

CAPEC-600

CAPEC-644

CAPEC-645

CAPEC-652

CAPEC-653

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:C/RE:H/U:Red

Timeline

2024-01-01

Published

2024-01-01

Updated

CVSS 3.1 breakdown

Attack Vector

AV: N

Network (N)

Attack Complexity

AC: L

Low (L)

Attack Requirements

AT: N

None

Privileges Required

PR: N

None (N)

User Interaction

UI: N

None (N)

Vulnerable System Confidentiality

VC: H

High (H)

Vulnerable System Integrity

VI: H

High (H)

Vulnerable System Availability

VA: H

High (H)

Subsequent System Confidentiality

SC: H

High (H)

Subsequent System Integrity

SI: H

High (H)

Subsequent System Availability

SA: H

High (H)

Exploit Code Maturity

E: X

Not Defined

Confidentiality Requirement

CR: X

Not Defined

Integrity Requirement

IR: X

Not Defined

Availability Requirement

AR: X

Not Defined

Modified Attack Vector

MAV: X

Not Defined

Modified Attack Complexity

MAC: X

Not Defined

Modified Attack Requirements

MAT: X

Not Defined

Modified Privileges Required

MPR: X

Not Defined

Modified User Interaction

MUI: X

Not Defined

Modified Vulnerable System Confidentiality

MVC: X

Not Defined

Modified Vulnerable System Integrity

MVI: X

Not Defined

Modified Vulnerable System Availability

MVA: X

Not Defined

Modified Subsequent System Confidentiality

MSC: X

Not Defined

Modified Subsequent System Integrity

MSI: X

Not Defined

Modified Subsequent System Availability

MSA: X

Not Defined

s

S: P

P

au

AU: Y

Y

r

R: U

U

v

V: C

C

re

RE: H

H

u

U: Red

Red

Exploit indicators

EPSS

0.002 · p40

Known exploited (KEV)

No

MITRE ATT&CK

Inferred via CAPEC

T1021Remote Services

└ via CAPEC-555 · CWE-522

T1021.002SMB/Windows Admin Shares

└ via CAPEC-561 · CWE-522

T1078Valid Accounts

└ via CAPEC-560 · CWE-522

T1110.004Credential Stuffing

└ via CAPEC-600 · CWE-522

T1114.002Remote Email Collection

└ via CAPEC-555 · CWE-522

T1133External Remote Services

└ via CAPEC-555 · CWE-522

T1543Create or Modify System Process

└ via CAPEC-551 · CWE-522

T1550.002Pass the Hash

└ via CAPEC-644 · CWE-522

T1550.003Pass the Ticket

└ via CAPEC-645 · CWE-522

T1552.004Private Keys

└ via CAPEC-474 · CWE-522

T1558Steal or Forge Kerberos Tickets

└ via CAPEC-652 · CWE-522

T1558.003Kerberoasting

└ via CAPEC-509 · CWE-522

Known exploits — Сканер-ВС

No Сканер-ВС checks registered for this vulnerability yet.

No vulnerabilities match your filters.

Insufficiently Protected Credentials vulnerability in OpenText Identity Manager Advanced Edition on Windows, Linux, 64 bit allows Privilege…