Specterops

Name of the Vulnerable Software and Affected Versions: OneLogin AD Connector versions prior to 6.1.5 Description: An information disclosure issue exists via the "/api/adc/v4/configuration" endpoint. An attacker with access to a valid `directory token` can retrieve a plaintext response disclosing sensitive credentials, including an API key, AWS IAM access and secret keys, and a base64-encoded JWT signing key used in the tenant’s SSO IdP configuration. Recommendations: For versions prior to 6.1.5, update to version 6.1.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/api/adc/v4/configuration" endpoint until a patch is available. Avoid using improperly secured logs and ensure host registry keys are properly secured to prevent `directory token` disclosure.

Name of the Vulnerable Software and Affected Versions: OneLogin AD Connector versions prior to 6.1.5 Description: A cryptographic authentication bypass issue exists due to the exposure of a tenant’s SSO JWT signing key via the "/api/adc/v4/configuration" endpoint. An attacker with the signing key can craft valid JWT tokens to impersonate arbitrary users within a OneLogin tenant, allowing full unauthorized access across the victim’s SaaS environment. Recommendations: For versions prior to 6.1.5, update to version 6.1.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/api/adc/v4/configuration" endpoint to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: OneLogin AD Connector (affected versions not specified) Description: A cloud infrastructure misconfiguration in OneLogin AD Connector results in log data being sent to a hardcoded S3 bucket (`onelogin-adc-logs-production`) without validating bucket ownership. This allows an attacker who registers this unclaimed bucket to receive log files from other OneLogin tenants, potentially containing sensitive data such as directory tokens, user metadata, and environment configuration. This enables cross-tenant leakage of secrets, potentially allowing JWT signing key recovery and user impersonation. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.