Multiple vulnerabilities in Identity Manager

1) Input validation error

EUVDB-ID: #VU75561

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2023-20860

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to an input validation error caused by using the wildcard ("**") as a pattern in Spring Security configuration with the mvcRequestMatcher, which creates a mismatch in pattern matching between Spring Security and Spring MVC. A remote attacker can bypass certain security restrictions.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Identity Manager: 12.2.1.4.0

Fixed software versions

CPE2.3

• cpe:2.3:a:oracle:identity_manager:12.2.1.4.0:*:*:*:*:*:*:*

External links

http://www.oracle.com/security-alerts/cpujul2023.html?61476

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

2) Allocation of Resources Without Limits or Throttling

EUVDB-ID: #VU72427

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2023-24998

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to Apache Commons FileUpload does not limit the number of request parts. A remote attacker can initiate a series of uploads and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Identity Manager: 12.2.1.4.0

Fixed software versions

CPE2.3

• cpe:2.3:a:oracle:identity_manager:12.2.1.4.0:*:*:*:*:*:*:*

External links

http://www.oracle.com/security-alerts/cpujul2023.html?61476

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?