CVE-2022-23855

Name of the Vulnerable Software and Affected Versions Saviynt Enterprise Identity Cloud (EIC) version 5.5 SP2.x

Description An issue was discovered that allows an authentication bypass. Specifically, the endpoint /ECM/maintenance/forgotpasswordstep1 is vulnerable, enabling an unauthenticated user to reset passwords and login as any local account.

Recommendations For version 5.5 SP2.x, consider restricting access to the /ECM/maintenance/forgotpasswordstep1 endpoint until a patch is available. As a temporary workaround, disabling the password reset functionality for local accounts may help minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.