PT-2021-4700 · Microsoft+1 · Windows+1

Maciej Grabiec

Published

2021-06-15

Updated

2022-07-12

CVE-2021-20488

CVSS v3.1

7.5

High

Vector

AV:N/C:H/PR:L/UI:N/A:H/S:U/AC:H/I:H

Name of the Vulnerable Software and Affected Versions IBM Security Identity Manager version 6.0.2

Description The issue is related to insufficient access controls in the Password Synchronization Plug-in of IBM Security Identity Manager, which could allow a remote attacker to gain unauthorized access to protected information. Specifically, an authenticated malicious user could change the passwords of other users in the Windows AD environment when the IBM Security Identity Manager Windows Password Synch Plug-in is deployed and configured.

Recommendations For IBM Security Identity Manager version 6.0.2, consider restricting access to the Windows Password Synch Plug-in to minimize the risk of exploitation until a patch is available. As a temporary workaround, limit the privileges of authenticated users to prevent them from changing passwords of other users in the Windows AD environment.

Fix

Exposure of Resource to Wrong Sphere

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-668

Related Identifiers

BDU:2021-05403

CVE-2021-20488

Affected Products

Ibm Security Identity Manager

Windows

PT-2021-4700 · Microsoft+1 · Windows+1

CVE-2021-20488

Weakness Enumeration

Related Identifiers

Affected Products

References · 7