CVE-2017-9393
critical
CVSS v3
9.8
CVSS v2
5.0
VIR risk
9.8
Description
CA Identity Manager r12.6 to r12.6 SP8, 14.0, and 14.1 allows remote attackers to potentially identify passwords of locked accounts through an exhaustive search.
Predictions
Exploit likelihood
97%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: vuln@ca.com — https://support.ca.com/us/product-content/recommended-reading/security-notices/ca20170921-01--security-notice-for-ca-identity-manager.html
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| ca | identity_manager | 12.6 | |
| ca | identity_manager | 14.0 | |
| ca | identity_manager | 14.1 | |
| ca | identity_manager_virtual_appliance | 14.0 | |
| ca | identity_manager_virtual_appliance | 14.1 | |
References
- http://www.securityfocus.com/bid/100956
- https://support.ca.com/us/product-content/recommended-reading/security-notices/ca20170921-01--security-notice-for-ca-identity-manager.html
- http://www.securityfocus.com/bid/100956
- https://support.ca.com/us/product-content/recommended-reading/security-notices/ca20170921-01--security-notice-for-ca-identity-manager.html
CWEs
CWE-200
Verify integrity in audit chain (admin only). AS-IS.