CVE-2023-1656 (GCVE-0-2023-1656)
Vulnerability from cvelistv5
Published
2023-03-29 19:55
Modified
2025-04-14 17:04
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE
  • CWE-319 - Cleartext Transmission of Sensitive Information
Summary
Cleartext Transmission of Sensitive Information vulnerability in ForgeRock Inc. OpenIDM and Java Remote Connector Server (RCS) LDAP Connector on Windows, MacOS, Linux allows Remote Services with Stolen Credentials.This issue affects OpenIDM and Java Remote Connector Server (RCS): from 1.5.20.9 through 1.5.20.13.
References
psirt@forgerock.comhttps://backstage.forgerock.com/downloads/browse/idm/all/productId:idm-connectors/subProductId:ldap/minorVersion:1.5/version:1.5.20.14Permissions Required
psirt@forgerock.comhttps://backstage.forgerock.com/knowledge/kb/article/a14149722Mitigation, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://backstage.forgerock.com/downloads/browse/idm/all/productId:idm-connectors/subProductId:ldap/minorVersion:1.5/version:1.5.20.14Permissions Required
af854a3a-2127-422b-91ae-364da2661108https://backstage.forgerock.com/knowledge/kb/article/a14149722Mitigation, Vendor Advisory
Impacted products
Vendor Product Version
ForgeRock Inc. OpenIDM and Java Remote Connector Server (RCS) Version: 1.5.20.9   <
Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T05:57:24.650Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://backstage.forgerock.com/knowledge/kb/article/a14149722"
          },
          {
            "tags": [
              "product",
              "x_transferred"
            ],
            "url": "https://backstage.forgerock.com/downloads/browse/idm/all/productId:idm-connectors/subProductId:ldap/minorVersion:1.5/version:1.5.20.14"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-1656",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-12T15:03:32.619480Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-12T15:03:41.519Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageName": "LDAP Connector",
          "platforms": [
            "Windows",
            "MacOS",
            "Linux"
          ],
          "product": "OpenIDM and Java Remote Connector Server (RCS)",
          "vendor": "ForgeRock Inc.",
          "versions": [
            {
              "lessThanOrEqual": "1.5.20.13",
              "status": "affected",
              "version": "1.5.20.9",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Cleartext Transmission of Sensitive Information vulnerability in ForgeRock Inc. OpenIDM and Java Remote Connector Server (RCS) LDAP Connector on Windows, MacOS, Linux allows Remote Services with Stolen Credentials.\u003cp\u003eThis issue affects OpenIDM and Java Remote Connector Server (RCS): from 1.5.20.9 through 1.5.20.13.\u003c/p\u003e"
            }
          ],
          "value": "Cleartext Transmission of Sensitive Information vulnerability in ForgeRock Inc. OpenIDM and Java Remote Connector Server (RCS) LDAP Connector on Windows, MacOS, Linux allows Remote Services with Stolen Credentials.This issue affects OpenIDM and Java Remote Connector Server (RCS): from 1.5.20.9 through 1.5.20.13."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-555",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-555 Remote Services with Stolen Credentials"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-319",
              "description": "CWE-319 Cleartext Transmission of Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-14T17:04:02.162Z",
        "orgId": "6b18ae97-0aab-4af2-9ba4-74b2b139ddfa",
        "shortName": "ForgeRock"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://backstage.forgerock.com/knowledge/kb/article/a14149722"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://backstage.forgerock.com/downloads/browse/idm/all/productId:idm-connectors/subProductId:ldap/minorVersion:1.5/version:1.5.20.14"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Upgrade to LDAP connector version 1.5.20.14 or later"
            }
          ],
          "value": "Upgrade to LDAP connector version 1.5.20.14 or later"
        }
      ],
      "source": {
        "advisory": "202303",
        "discovery": "EXTERNAL"
      },
      "title": "When the LDAP connector is started with StartTLS configured, LDAP BIND credentials are transmitted insecurely, prior to establishing the TLS connection.",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "6b18ae97-0aab-4af2-9ba4-74b2b139ddfa",
    "assignerShortName": "ForgeRock",
    "cveId": "CVE-2023-1656",
    "datePublished": "2023-03-29T19:55:13.974Z",
    "dateReserved": "2023-03-27T14:07:18.820Z",
    "dateUpdated": "2025-04-14T17:04:02.162Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-1656\",\"sourceIdentifier\":\"psirt@forgerock.com\",\"published\":\"2023-03-29T20:15:07.393\",\"lastModified\":\"2025-04-14T17:15:26.507\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Cleartext Transmission of Sensitive Information vulnerability in ForgeRock Inc. OpenIDM and Java Remote Connector Server (RCS) LDAP Connector on Windows, MacOS, Linux allows Remote Services with Stolen Credentials.This issue affects OpenIDM and Java Remote Connector Server (RCS): from 1.5.20.9 through 1.5.20.13.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"psirt@forgerock.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.6,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"psirt@forgerock.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-319\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-319\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:forgerock:ldap_connector:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.5.20.9\",\"versionEndExcluding\":\"1.5.20.14\",\"matchCriteriaId\":\"C6C49376-B78D-4BCF-A2A3-710F066094AF\"}]}]}],\"references\":[{\"url\":\"https://backstage.forgerock.com/downloads/browse/idm/all/productId:idm-connectors/subProductId:ldap/minorVersion:1.5/version:1.5.20.14\",\"source\":\"psirt@forgerock.com\",\"tags\":[\"Permissions Required\"]},{\"url\":\"https://backstage.forgerock.com/knowledge/kb/article/a14149722\",\"source\":\"psirt@forgerock.com\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://backstage.forgerock.com/downloads/browse/idm/all/productId:idm-connectors/subProductId:ldap/minorVersion:1.5/version:1.5.20.14\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Permissions Required\"]},{\"url\":\"https://backstage.forgerock.com/knowledge/kb/article/a14149722\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mitigation\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://backstage.forgerock.com/knowledge/kb/article/a14149722\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}, {\"url\": \"https://backstage.forgerock.com/downloads/browse/idm/all/productId:idm-connectors/subProductId:ldap/minorVersion:1.5/version:1.5.20.14\", \"tags\": [\"product\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T05:57:24.650Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-1656\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-12T15:03:32.619480Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-12T15:02:30.398Z\"}}], \"cna\": {\"title\": \"When the LDAP connector is started with StartTLS configured, LDAP BIND credentials are transmitted insecurely, prior to establishing the TLS connection.\", \"source\": {\"advisory\": \"202303\", \"discovery\": \"EXTERNAL\"}, \"impacts\": [{\"capecId\": \"CAPEC-555\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-555 Remote Services with Stolen Credentials\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"ForgeRock Inc.\", \"product\": \"OpenIDM and Java Remote Connector Server (RCS)\", \"versions\": [{\"status\": \"affected\", \"version\": \"1.5.20.9\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"1.5.20.13\"}], \"platforms\": [\"Windows\", \"MacOS\", \"Linux\"], \"packageName\": \"LDAP Connector\", \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Upgrade to LDAP connector version 1.5.20.14 or later\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Upgrade to LDAP connector version 1.5.20.14 or later\", \"base64\": false}]}], \"references\": [{\"url\": \"https://backstage.forgerock.com/knowledge/kb/article/a14149722\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://backstage.forgerock.com/downloads/browse/idm/all/productId:idm-connectors/subProductId:ldap/minorVersion:1.5/version:1.5.20.14\", \"tags\": [\"product\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Cleartext Transmission of Sensitive Information vulnerability in ForgeRock Inc. OpenIDM and Java Remote Connector Server (RCS) LDAP Connector on Windows, MacOS, Linux allows Remote Services with Stolen Credentials.This issue affects OpenIDM and Java Remote Connector Server (RCS): from 1.5.20.9 through 1.5.20.13.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Cleartext Transmission of Sensitive Information vulnerability in ForgeRock Inc. OpenIDM and Java Remote Connector Server (RCS) LDAP Connector on Windows, MacOS, Linux allows Remote Services with Stolen Credentials.\u003cp\u003eThis issue affects OpenIDM and Java Remote Connector Server (RCS): from 1.5.20.9 through 1.5.20.13.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-319\", \"description\": \"CWE-319 Cleartext Transmission of Sensitive Information\"}]}], \"providerMetadata\": {\"orgId\": \"6b18ae97-0aab-4af2-9ba4-74b2b139ddfa\", \"shortName\": \"ForgeRock\", \"dateUpdated\": \"2025-04-14T17:04:02.162Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-1656\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-14T17:04:02.162Z\", \"dateReserved\": \"2023-03-27T14:07:18.820Z\", \"assignerOrgId\": \"6b18ae97-0aab-4af2-9ba4-74b2b139ddfa\", \"datePublished\": \"2023-03-29T19:55:13.974Z\", \"assignerShortName\": \"ForgeRock\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.