SB2019110633 - Multiple vulnerabilities in One Identity Cloud Access Manager
Published: November 6, 2019
Security Bulletin ID
SB2019110633
Severity
High
Patch available
YES
Number of vulnerabilities
2
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Cross-site request forgery (CVE-ID: CVE-2019-13497)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin in logout requests. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.
2) Improper validation of integrity check value (CVE-ID: CVE-2019-13496)
The vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to the affected software does not validate or incorrectly validates the integrity check values. A remote attacker can perform a man-in-the-middle (MitM) attack, bypass OTP, replace a failed SAML response with a successful SAML response and gain access to the application.
Remediation
Install update from vendor's website.