cvelistv5 - CVE-2024-12799

CVE-2024-12799 (GCVE-0-2024-12799)

Vulnerability from cvelistv5 – Published: 2025-03-05 14:55 – Updated: 2025-03-05 16:21

Summary

Insufficiently Protected Credentials vulnerability in OpenText Identity Manager Advanced Edition on Windows, Linux, 64 bit allows Privilege Abuse. This vulnerability could allow an authenticated user to obtain higher privileged user’s sensitive information via crafted payload. This issue affects Identity Manager Advanced Edition: from 4.8.0.0 through 4.8.7.0102, 4.9.0.0.

Severity ?

10 (Critical)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:P/AU:Y/R:U/V:C/RE:H/U:Red

CWE

CWE-522 - Insufficiently Protected Credentials

Assigner

OpenText

References

URL

Tags

https://portal.microfocus.com/s/article/KM000037455

Impacted products

	Vendor	Product	Version
	OpenText	Identity Manager Advanced Edition	Affected: 4.8.0.0 , ≤ 4.8.7.0102 (rpm, exe) Affected: 4.9.0.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-12799",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-05T16:21:13.192081Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-05T16:21:23.627Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "platforms": [
            "Windows",
            "Linux",
            "64 bit"
          ],
          "product": "Identity Manager Advanced Edition",
          "vendor": "OpenText",
          "versions": [
            {
              "lessThanOrEqual": "4.8.7.0102",
              "status": "affected",
              "version": "4.8.0.0",
              "versionType": "rpm, exe"
            },
            {
              "status": "affected",
              "version": "4.9.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003e\u003cb\u003eInsufficiently Protected Credentials\nvulnerability in OpenText Identity Manager Advanced Edition on Windows, Linux,\n64 bit allows Privilege Abuse. \u003c/b\u003e\u003cb\u003eThis vulnerability could allow an\nauthenticated user to obtain higher privileged user\u2019s sensitive information via\ncrafted payload.\u003c/b\u003e\u003c/p\u003e\u003cp\u003e\u003cb\u003eThis issue affects Identity Manager Advanced\nEdition: from 4.8.0.0 through 4.8.7.0102, 4.9.0.0.\u003c/b\u003e\u003c/p\u003e"
            }
          ],
          "value": "Insufficiently Protected Credentials\nvulnerability in OpenText Identity Manager Advanced Edition on Windows, Linux,\n64 bit allows Privilege Abuse. This vulnerability could allow an\nauthenticated user to obtain higher privileged user\u2019s sensitive information via\ncrafted payload.\n\nThis issue affects Identity Manager Advanced\nEdition: from 4.8.0.0 through 4.8.7.0102, 4.9.0.0."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-122",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-122 Privilege Abuse"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "YES",
            "Recovery": "USER",
            "Safety": "PRESENT",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "providerUrgency": "RED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "CONCENTRATED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:P/AU:Y/R:U/V:C/RE:H/U:Red",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "HIGH"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-522",
              "description": "CWE-522 Insufficiently Protected Credentials",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-03-05T14:55:55.363Z",
        "orgId": "f81092c5-7f14-476d-80dc-24857f90be84",
        "shortName": "OpenText"
      },
      "references": [
        {
          "url": "https://portal.microfocus.com/s/article/KM000037455"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Insufficiently Protected Credentials",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f81092c5-7f14-476d-80dc-24857f90be84",
    "assignerShortName": "OpenText",
    "cveId": "CVE-2024-12799",
    "datePublished": "2025-03-05T14:55:55.363Z",
    "dateReserved": "2024-12-19T15:22:32.158Z",
    "dateUpdated": "2025-03-05T16:21:23.627Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-12799\",\"sourceIdentifier\":\"security@opentext.com\",\"published\":\"2025-03-05T15:15:13.127\",\"lastModified\":\"2025-03-05T15:15:13.127\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Insufficiently Protected Credentials\\nvulnerability in OpenText Identity Manager Advanced Edition on Windows, Linux,\\n64 bit allows Privilege Abuse. This vulnerability could allow an\\nauthenticated user to obtain higher privileged user\u2019s sensitive information via\\ncrafted payload.\\n\\nThis issue affects Identity Manager Advanced\\nEdition: from 4.8.0.0 through 4.8.7.0102, 4.9.0.0.\"},{\"lang\":\"es\",\"value\":\"La vulnerabilidad de credenciales insuficientemente protegidas en OpenText Identity Manager Advanced Edition en Windows, Linux, 64 bits permite el abuso de privilegios. Esta vulnerabilidad podr\u00eda permitir que un usuario autenticado obtenga informaci\u00f3n confidencial de un usuario con mayores privilegios a trav\u00e9s de un payload manipulado. Este problema afecta a Identity Manager Advanced Edition: desde la versi\u00f3n 4.8.0.0 hasta la 4.8.7.0102, 4.9.0.0.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security@opentext.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:C/RE:H/U:Red\",\"baseScore\":10.0,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"HIGH\",\"subAvailabilityImpact\":\"HIGH\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"PRESENT\",\"Automatable\":\"YES\",\"Recovery\":\"USER\",\"valueDensity\":\"CONCENTRATED\",\"vulnerabilityResponseEffort\":\"HIGH\",\"providerUrgency\":\"RED\"}}]},\"weaknesses\":[{\"source\":\"security@opentext.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-522\"}]}],\"references\":[{\"url\":\"https://portal.microfocus.com/s/article/KM000037455\",\"source\":\"security@opentext.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-12799\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-03-05T16:21:13.192081Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-03-05T16:21:18.900Z\"}}], \"cna\": {\"title\": \"Insufficiently Protected Credentials\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"impacts\": [{\"capecId\": \"CAPEC-122\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-122 Privilege Abuse\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"PRESENT\", \"version\": \"4.0\", \"Recovery\": \"USER\", \"baseScore\": 10, \"Automatable\": \"YES\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"valueDensity\": \"CONCENTRATED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:P/AU:Y/R:U/V:C/RE:H/U:Red\", \"providerUrgency\": \"RED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"HIGH\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"OpenText\", \"product\": \"Identity Manager Advanced Edition\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.8.0.0\", \"versionType\": \"rpm, exe\", \"lessThanOrEqual\": \"4.8.7.0102\"}, {\"status\": \"affected\", \"version\": \"4.9.0.0\"}], \"platforms\": [\"Windows\", \"Linux\", \"64 bit\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://portal.microfocus.com/s/article/KM000037455\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Insufficiently Protected Credentials\\nvulnerability in OpenText Identity Manager Advanced Edition on Windows, Linux,\\n64 bit allows Privilege Abuse. This vulnerability could allow an\\nauthenticated user to obtain higher privileged user\\u2019s sensitive information via\\ncrafted payload.\\n\\nThis issue affects Identity Manager Advanced\\nEdition: from 4.8.0.0 through 4.8.7.0102, 4.9.0.0.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003e\u003cb\u003eInsufficiently Protected Credentials\\nvulnerability in OpenText Identity Manager Advanced Edition on Windows, Linux,\\n64 bit allows Privilege Abuse. \u003c/b\u003e\u003cb\u003eThis vulnerability could allow an\\nauthenticated user to obtain higher privileged user\\u2019s sensitive information via\\ncrafted payload.\u003c/b\u003e\u003c/p\u003e\u003cp\u003e\u003cb\u003eThis issue affects Identity Manager Advanced\\nEdition: from 4.8.0.0 through 4.8.7.0102, 4.9.0.0.\u003c/b\u003e\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-522\", \"description\": \"CWE-522 Insufficiently Protected Credentials\"}]}], \"providerMetadata\": {\"orgId\": \"f81092c5-7f14-476d-80dc-24857f90be84\", \"shortName\": \"OpenText\", \"dateUpdated\": \"2025-03-05T14:55:55.363Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-12799\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-03-05T16:21:23.627Z\", \"dateReserved\": \"2024-12-19T15:22:32.158Z\", \"assignerOrgId\": \"f81092c5-7f14-476d-80dc-24857f90be84\", \"datePublished\": \"2025-03-05T14:55:55.363Z\", \"assignerShortName\": \"OpenText\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-2MXM-3CXJ-6CMP

Vulnerability from github – Published: 2025-03-05 15:30 – Updated: 2025-03-05 15:30

Details

This issue affects Identity Manager Advanced Edition: from 4.8.0.0 through 4.8.7.0102, 4.9.0.0.

Severity ?

10.0 (Critical)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:P/AU:Y/R:U/V:C/RE:H/U:Red

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2024-12799"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-522"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-05T15:15:13Z",
    "severity": "CRITICAL"
  },
  "details": "Insufficiently Protected Credentials\nvulnerability in OpenText Identity Manager Advanced Edition on Windows, Linux,\n64 bit allows Privilege Abuse. This vulnerability could allow an\nauthenticated user to obtain higher privileged user\u2019s sensitive information via\ncrafted payload.\n\nThis issue affects Identity Manager Advanced\nEdition: from 4.8.0.0 through 4.8.7.0102, 4.9.0.0.",
  "id": "GHSA-2mxm-3cxj-6cmp",
  "modified": "2025-03-05T15:30:57Z",
  "published": "2025-03-05T15:30:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12799"
    },
    {
      "type": "WEB",
      "url": "https://portal.microfocus.com/s/article/KM000037455"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:C/RE:H/U:Red",
      "type": "CVSS_V4"
    }
  ]
}

FKIE_CVE-2024-12799

Vulnerability from fkie_nvd - Published: 2025-03-05 15:15 - Updated: 2025-03-05 15:15

Severity ?

10.0 (Critical) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:P/AU:Y/R:U/V:C/RE:H/U:Red

Summary

References

	URL	Tags
	security@opentext.com	https://portal.microfocus.com/s/article/KM000037455

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Insufficiently Protected Credentials\nvulnerability in OpenText Identity Manager Advanced Edition on Windows, Linux,\n64 bit allows Privilege Abuse. This vulnerability could allow an\nauthenticated user to obtain higher privileged user\u2019s sensitive information via\ncrafted payload.\n\nThis issue affects Identity Manager Advanced\nEdition: from 4.8.0.0 through 4.8.7.0102, 4.9.0.0."
    },
    {
      "lang": "es",
      "value": "La vulnerabilidad de credenciales insuficientemente protegidas en OpenText Identity Manager Advanced Edition en Windows, Linux, 64 bits permite el abuso de privilegios. Esta vulnerabilidad podr\u00eda permitir que un usuario autenticado obtenga informaci\u00f3n confidencial de un usuario con mayores privilegios a trav\u00e9s de un payload manipulado. Este problema afecta a Identity Manager Advanced Edition: desde la versi\u00f3n 4.8.0.0 hasta la 4.8.7.0102, 4.9.0.0."
    }
  ],
  "id": "CVE-2024-12799",
  "lastModified": "2025-03-05T15:15:13.127",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "YES",
          "Recovery": "USER",
          "Safety": "PRESENT",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 10.0,
          "baseSeverity": "CRITICAL",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "RED",
          "subAvailabilityImpact": "HIGH",
          "subConfidentialityImpact": "HIGH",
          "subIntegrityImpact": "HIGH",
          "userInteraction": "NONE",
          "valueDensity": "CONCENTRATED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:C/RE:H/U:Red",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "HIGH"
        },
        "source": "security@opentext.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-03-05T15:15:13.127",
  "references": [
    {
      "source": "security@opentext.com",
      "url": "https://portal.microfocus.com/s/article/KM000037455"
    }
  ],
  "sourceIdentifier": "security@opentext.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-522"
        }
      ],
      "source": "security@opentext.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-12799 (GCVE-0-2024-12799)

GHSA-2MXM-3CXJ-6CMP

FKIE_CVE-2024-12799

Tags

Sightings

Nomenclature