Security restrictions bypass in IBM Security Access Manager

Published: 2018-03-07 16:11:13 | Updated: 2018-03-07
Severity Low
Patch available YES
Number of vulnerabilities 1
CVE ID CVE-2018-1443
Exploitation vector Network
Public exploit N/A
Vulnerable software Security Access Manager
Vulnerable software versions Security Access Manager 9.0.4
Security Access Manager 9.0.3
Security Access Manager 9.0.2
Security Access Manager 9.0.1
Security Access Manager 9.0.0
Vendor URL IBM Corporation

Security Advisory

1) XXE attack

The vulnerability allows a remote authenticated attacker to perform an XXE attack and bypass security restrictions.

The vulnerability exists in the SAML-based single sign-on (SSO) component because the XML parser handles XML External Entity (XXE) declarations improperly when it parses an incoming SAML message. A remote attacker can trick the SAML system into authenticating as a different user without knowing the victim user's password, and can use that bypass of security restrictions to mount further attacks.
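
Added example (not IBM's code, and not a reproduction of this CVE): a minimal SAML 2.0 Response consumer, written in Python with the standard library only, that extracts the asserted NameID and parses the message two ways. The first parser is configured to resolve external general entities, which is the XXE behaviour the advisory describes: a DOCTYPE in the attacker-supplied message declares an entity pointing at a file on the service provider's host, and the parser splices that file's contents into the NameID the application then trusts. The second parser aborts on any DOCTYPE, which is the right posture for a SAML endpoint because SAML messages never legitimately carry one. The SAML message, the temporary file standing in for a host file, and all identifiers in it are constructed for the demo; a POSIX filesystem is assumed for the file:// URL.

```python
"""Minimal SAML Response consumer parsed with and without XXE exposure (demo code)."""
import io
import os
import tempfile
import xml.sax
from xml.sax import handler
from xml.sax.handler import ContentHandler

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


class DtdForbidden(ValueError):
    """Raised when an incoming SAML message carries a DOCTYPE."""


class NameIdCollector(ContentHandler):
    """Collects the text of <saml:NameID>; stands in for the real assertion consumer."""

    def __init__(self):
        super().__init__()
        self._in_name_id = False
        self.name_id = ""

    def startElementNS(self, name, qname, attrs):
        if name == (SAML_NS, "NameID"):
            self._in_name_id = True

    def endElementNS(self, name, qname):
        if name == (SAML_NS, "NameID"):
            self._in_name_id = False

    def characters(self, content):
        if self._in_name_id:
            self.name_id += content


class RejectDtd:
    """LexicalHandler whose only job is to abort the parse as soon as a DOCTYPE starts."""

    def startDTD(self, name, public_id, system_id):
        raise DtdForbidden("DOCTYPE not allowed in a SAML message: %r" % name)

    def endDTD(self):
        pass

    def comment(self, content):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass


def build_saml_response(name_id_xml, doctype=""):
    """Constructed SAML Response; name_id_xml is raw markup under attacker control."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n' + doctype +
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">'
        '<saml:Assertion ID="_a1" Version="2.0"><saml:Subject>'
        '<saml:NameID>' + name_id_xml + '</saml:NameID>'
        '</saml:Subject></saml:Assertion></samlp:Response>'
    ).encode("utf-8")


def extract_name_id(saml_bytes, resolve_external_entities, forbid_dtd):
    """Parse one SAML Response and return its NameID.

    resolve_external_entities=True is the XXE misconfiguration: the parser fetches
    whatever SYSTEM identifier the message declares and splices the result into the
    document.  forbid_dtd=True aborts on any DOCTYPE before an entity can be declared.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_namespaces, True)
    parser.setFeature(handler.feature_external_ges, resolve_external_entities)
    if forbid_dtd:
        parser.setProperty(handler.property_lexical_handler, RejectDtd())
    collector = NameIdCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(saml_bytes))
    return collector.name_id


def demo():
    """Returns (name_id_leaked_by_xxe, hardened_parser_blocked, clean_name_id)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "secret.txt")  # stands in for a file on the SP host
        with open(secret, "w") as f:
            f.write("admin@example.com")
        # Constructed attacker message: the entity body becomes the asserted NameID.
        doctype = '<!DOCTYPE Response [ <!ENTITY xxe SYSTEM "file://%s"> ]>\n' % secret
        payload = build_saml_response("&xxe;", doctype)

        leaked = extract_name_id(payload, resolve_external_entities=True, forbid_dtd=False)
        try:
            extract_name_id(payload, resolve_external_entities=False, forbid_dtd=True)
            blocked = False
        except DtdForbidden:
            blocked = True
        clean = extract_name_id(build_saml_response("alice@example.com"),
                                resolve_external_entities=False, forbid_dtd=True)
    return leaked, blocked, clean


if __name__ == "__main__":
    print(demo())
```

Running the file prints the three results: the NameID the permissive parser hands back is the content of the file the attacker named, the hardened parser raises on the DOCTYPE, and a normal message still parses. The check that matters in a real consumer is that the DTD is rejected during parsing, because the entity is resolved by the parser before the application ever gets to verify the assertion's signature.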

Install the update from the vendor's website.
