CVE-2017-7589 - Vulnerability Details - OpenCVE

In OpenIDM through 4.0.0 before 4.5.0, the info endpoint may leak sensitive information upon a request by the "anonymous" user, as demonstrated by responses with a 200 HTTP status code and a JSON object containing IP address strings. This is related to a missing access-control check in bin/defaults/script/info/login.js.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Openidm Project	Openidm

Configuration 1 [-]

OR	cpe:2.3:a:openidm_project:openidm::::::::
	cpe:2.3:a:openidm_project:openidm:4.5.0:::::::*

No data.

References

Link	Providers
http://www.rootlabs.com.br/information-disclosure-forgerock-openidm-4-0-0-and-4-5-0/
https://backstage.forgerock.com/knowledge/kb/article/a92936505

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2017-04-09T01:32:00Z

Updated: 2024-09-16T16:43:39.268Z

Reserved: 2017-04-08T00:00:00Z

Link: CVE-2017-7589

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2017-04-09T01:59:00.183

Modified: 2025-04-20T01:37:25.860

Link: CVE-2017-7589

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "In OpenIDM through 4.0.0 before 4.5.0, the info endpoint may leak sensitive information upon a request by the \"anonymous\" user, as demonstrated by responses with a 200 HTTP status code and a JSON object containing IP address strings. This is related to a missing access-control check in bin/defaults/script/info/login.js."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-04-09T01:32:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://www.rootlabs.com.br/information-disclosure-forgerock-openidm-4-0-0-and-4-5-0/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://backstage.forgerock.com/knowledge/kb/article/a92936505"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-7589", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In OpenIDM through 4.0.0 before 4.5.0, the info endpoint may leak sensitive information upon a request by the \"anonymous\" user, as demonstrated by responses with a 200 HTTP status code and a JSON object containing IP address strings. This is related to a missing access-control check in bin/defaults/script/info/login.js."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://www.rootlabs.com.br/information-disclosure-forgerock-openidm-4-0-0-and-4-5-0/", "refsource": "MISC", "url": "http://www.rootlabs.com.br/information-disclosure-forgerock-openidm-4-0-0-and-4-5-0/"}, {"name": "https://backstage.forgerock.com/knowledge/kb/article/a92936505", "refsource": "CONFIRM", "url": "https://backstage.forgerock.com/knowledge/kb/article/a92936505"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T16:04:12.065Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.rootlabs.com.br/information-disclosure-forgerock-openidm-4-0-0-and-4-5-0/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://backstage.forgerock.com/knowledge/kb/article/a92936505"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-7589", "datePublished": "2017-04-09T01:32:00Z", "dateReserved": "2017-04-08T00:00:00Z", "dateUpdated": "2024-09-16T16:43:39.268Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openidm_project:openidm:*:*:*:*:*:*:*:*", "matchCriteriaId": "9452F334-D23F-4C34-A0D0-87F403361439", "versionEndIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:openidm_project:openidm:4.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "32394170-5250-438C-9BAB-D41DE808E689", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In OpenIDM through 4.0.0 before 4.5.0, the info endpoint may leak sensitive information upon a request by the \"anonymous\" user, as demonstrated by responses with a 200 HTTP status code and a JSON object containing IP address strings. This is related to a missing access-control check in bin/defaults/script/info/login.js."}, {"lang": "es", "value": "En OpenIDM hasta la versi\u00f3n 4.0.0 en versiones anteriores a 4.5.0, el punto final de informaci\u00f3n puede perder informaci\u00f3n sensible sobre una petici\u00f3n del usuario \"anonymous\", seg\u00fan lo demostrado por las respuestas con un c\u00f3digo de estado HTTP 200 y un objeto JSON que contiene cadena de direcciones IP. Esto est\u00e1 relacionado con una perdida de comprobaci\u00f3n de control de acceso en bin/defaults/script/info/login.js"}], "id": "CVE-2017-7589", "lastModified": "2025-04-20T01:37:25.860", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-04-09T01:59:00.183", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "http://www.rootlabs.com.br/information-disclosure-forgerock-openidm-4-0-0-and-4-5-0/"}, {"source": "cve@mitre.org", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://backstage.forgerock.com/knowledge/kb/article/a92936505"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "http://www.rootlabs.com.br/information-disclosure-forgerock-openidm-4-0-0-and-4-5-0/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://backstage.forgerock.com/knowledge/kb/article/a92936505"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}