Man-in-the-Middle (MitM) attack in One Identity Cloud Access Manager
Published: 2019-07-29 | Updated: 2019-11-05
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2019-13498 |
| CWE-ID | CWE-300 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #1 is available. |
| Vulnerable software Subscribe |
Cloud Access Manager Other software / Other software solutions |
| Vendor | One Identity |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Man-in-the-Middle (MitM) attack
EUVDB-ID: #VU22528
Risk: Medium
CVSSv3.1:
CVE-ID: CVE-2019-13498
CWE-ID:
CWE-300 - Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a man-in-the-middle (MitM) attack.
The vulnerability exists due to the affected software does not use HTTP Strict Transport Security (HSTS). A remote attacker can perform perform a man-in-the-middle attack, steal credentials and manipulate content.
Mitigation
Install updates from vendor's website.
Vulnerable software versionsCloud Access Manager: 8.1.3
CPE2.3 External links
http://github.com/FurqanKhan1/CVE-2019-13498
http://support.oneidentity.com/technical-documents/cloud-access-manager/8.1.4/release-notes#TOPIC-1028731
Q & A
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?
