Vulnerability Description
In OpenIDM through 4.0.0 before 4.5.0, the info endpoint may leak sensitive information upon a request by the "anonymous" user, as demonstrated by responses with a 200 HTTP status code and a JSON object containing IP address strings. This is related to a missing access-control check in bin/defaults/script/info/login.js.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openidm Project | Openidm | <= 4.0.0 |
Related Weaknesses (CWE)
References
- http://www.rootlabs.com.br/information-disclosure-forgerock-openidm-4-0-0-and-4-ExploitThird Party Advisory
- https://backstage.forgerock.com/knowledge/kb/article/a92936505MitigationThird Party Advisory
- http://www.rootlabs.com.br/information-disclosure-forgerock-openidm-4-0-0-and-4-ExploitThird Party Advisory
- https://backstage.forgerock.com/knowledge/kb/article/a92936505MitigationThird Party Advisory
FAQ
What is CVE-2017-7589?
CVE-2017-7589 is a vulnerability with a CVSS score of 6.5 (MEDIUM). In OpenIDM through 4.0.0 before 4.5.0, the info endpoint may leak sensitive information upon a request by the "anonymous" user, as demonstrated by responses with a 200 HTTP status code and a JSON obje...
How severe is CVE-2017-7589?
CVE-2017-7589 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-7589?
Check the references section above for vendor advisories and patch information. Affected products include: Openidm Project Openidm.