← back
CVE-2023-1656

When the LDAP connector is started with StartTLS configured, LDAP BIND credentials are transmitted insecurely, prior to establishing the TLS connection.

CVSS 7.5 HIGHEPSS 0.3%CWE-319
Vexday Risk Score
21Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 7.5EPSS 0.3%KEV nãoPoC Nuclei Metasploit Patch referenciado
Lifecycle
29 Mar 2023Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Cleartext Transmission of Sensitive Information vulnerability in ForgeRock Inc. OpenIDM and Java Remote Connector Server (RCS) LDAP Connector on Windows, MacOS, Linux allows Remote Services with Stolen Credentials.This issue affects OpenIDM and Java Remote Connector Server (RCS): from 1.5.20.9 through 1.5.20.13.
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected products
ForgeRock Inc. · OpenIDM and Java Remote Connector Server (RCS)

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://backstage.forgerock.com/downloads/browse/idm/all/productId:idm-connectors/subProductId:ldap/minorVersion:1.5/version:1.5.20.14https://backstage.forgerock.com/knowledge/kb/article/a14149722