Insufficient Credential Protection in OpenText Identity Manager Advanced Edition
CVE-2024-12799
What is CVE-2024-12799?
CVE-2024-12799 is a significant vulnerability in OpenText Identity Manager Advanced Edition, software designed to help organizations manage user identities and access control efficiently. The vulnerability arises from insufficient protection of credentials, which can lead to privilege abuse. An authenticated user could potentially exploit this flaw to access sensitive information belonging to higher-privileged users, compromising data integrity and user confidentiality, and ultimately threatening the security posture of an organization.
Technical Details
The vulnerability affects OpenText Identity Manager Advanced Edition versions 4.8.0.0 through 4.8.7.0102, and version 4.9.0.0, on both Windows and Linux platforms. Because credentials are insufficiently protected, malicious users can craft specific payloads that could reveal sensitive information related to users with elevated privileges. This technical flaw highlights significant weaknesses in the software's credential management.
Potential Impact of CVE-2024-12799
- Privilege Escalation: Users with lower privileges might gain unauthorized access to sensitive information and resources, leading to potential misuse of data and unauthorized actions within the organization.
- Data Breach: The exploitation of this vulnerability could result in unauthorized disclosure of confidential information, affecting business operations and resulting in legal and reputational damages.
- Compliance Risks: The vulnerability could lead to violations of data protection regulations, which may incur penalties and increase scrutiny from regulatory bodies, thus impacting the organization's compliance standing.
Affected Version(s)
Identity Manager Advanced Edition Windows 4.8.0.0 <= 4.8.7.0102
Identity Manager Advanced Edition Windows 4.9.0.0