
A critical vulnerability has been disclosed in One Identity Manager, an identity and access management (IAM) platform used by organizations worldwide. Tracked as CVE-2024-56404 and rated CVSS 9.9, it could allow an attacker to escalate privileges and gain unauthorized access to sensitive systems and data.
One Identity Manager centralizes the management of user identities, access permissions and security policies. The flaw is classified as an Insecure Direct Object Reference (IDOR): the application accepts a client-supplied reference to an internal object (such as a record or request identifier) and acts on it without verifying that the requesting user is authorized for that particular object. In an IAM product, where the referenced objects are identities and entitlements, such a flaw can translate directly into privilege escalation.
“An Insecure Direct Object Reference (IDOR) vulnerability has been identified in Identity Manager which in certain configurations may allow an individual to gain unauthorised privilege escalation,” warns One Identity in their official security alert.
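To make the vulnerability class concrete, the following is an added illustration and not One Identity code, nor a description of the actual defect in Identity Manager. It models a hypothetical role-request workflow: the insecure handler approves whatever request id the caller names as long as the caller is logged in, so an ordinary user can approve their own request for an administrative role; the hardened handler authorizes the caller against the referenced object (designated approver, no self-approval, constant error for "missing" and "not yours" so ids cannot be enumerated). All names, roles and data are constructed for the example.

```python
"""Illustration of the IDOR class behind CVE-2024-56404, using a hypothetical
role-request workflow.  Constructed example; this is not One Identity code
and does not describe the actual defect."""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the acting user is not authorized for the referenced object."""


@dataclass
class RoleRequest:
    id: int
    requester: str   # who asked for the role
    role: str        # the entitlement requested
    approver: str    # who is supposed to approve it
    status: str = "pending"


@dataclass
class Directory:
    """Toy identity store: user -> roles, plus pending role requests."""
    roles: dict = field(default_factory=dict)
    requests: dict = field(default_factory=dict)
    next_id: int = 1

    def submit(self, requester: str, role: str, approver: str) -> int:
        req = RoleRequest(self.next_id, requester, role, approver)
        self.requests[req.id] = req
        self.next_id += 1
        return req.id

    def _grant(self, req: RoleRequest) -> None:
        req.status = "approved"
        self.roles.setdefault(req.requester, set()).add(req.role)

    def approve_insecure(self, actor: str, request_id: int) -> str:
        """IDOR: the object is fetched and acted on purely by the id the client
        supplied; nothing ties `actor` to the object's designated approver."""
        req = self.requests.get(request_id)
        if req is None or req.status != "pending":
            raise KeyError(request_id)
        self._grant(req)
        return req.status

    def approve_secure(self, actor: str, request_id: int) -> str:
        """Authorize against the referenced object, not just the session."""
        req = self.requests.get(request_id)
        # One error for "missing" and "not yours": do not let ids be enumerated.
        if req is None or req.approver != actor:
            raise Forbidden("no such request")
        if req.requester == actor:
            raise Forbidden("self-approval is not allowed")
        if req.status != "pending":
            raise Forbidden("request is not pending")
        self._grant(req)
        return req.status


def new_directory() -> tuple:
    """Constructed fixture: mallory (an ordinary employee) requests Administrator,
    and alice is the designated approver."""
    d = Directory()
    d.roles["mallory"] = {"employee"}
    rid = d.submit("mallory", "Administrator", approver="alice")
    return d, rid


def escalate_via_idor() -> list:
    """Ordinary user approves their own Administrator request via the insecure handler."""
    d, rid = new_directory()
    d.approve_insecure("mallory", rid)
    return sorted(d.roles["mallory"])


def escalation_blocked() -> tuple:
    """Same attempt against the hardened handler: roles and status are unchanged."""
    d, rid = new_directory()
    try:
        d.approve_secure("mallory", rid)
        outcome = "approved"
    except Forbidden as e:
        outcome = str(e)
    return sorted(d.roles["mallory"]), d.requests[rid].status, outcome


def legitimate_approval() -> list:
    """The designated approver can still approve through the hardened handler."""
    d, rid = new_directory()
    d.approve_secure("alice", rid)
    return sorted(d.roles["mallory"])


if __name__ == "__main__":
    print("insecure:", escalate_via_idor())
    print("secure:  ", escalation_blocked())
    print("alice:   ", legitimate_approval())
```

The point of the hardened handler is that the authorization decision is made per object: the server asks "is this actor allowed to act on this request?" rather than "is this actor logged in?". When reviewing a workflow engine for this class of bug, look for every handler that loads a record by a client-supplied identifier and check what, other than the identifier, gates the action.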
Who is at Risk?
CVE-2024-56404 affects on-premise installations of One Identity Manager, specifically versions 9.0.x through 9.2.1. Customers on the cloud-hosted "On Demand" service are not impacted. The advisory does not state which configurations expose the flaw, so on-premise deployments in the affected range should be treated as vulnerable until patched.
Urgent Action Required
One Identity is urging customers to take immediate action to mitigate the risk. “One Identity strongly suggests applying the appropriate hotfix below for your version or upgrading to 9.3 as soon as possible,” the alert states. Hotfixes are available for the following versions:
- 9.0.x LTS CU3
- 9.1.x
- 9.2.x
Detailed instructions for applying the hotfixes are in One Identity knowledge base article KB 4378024. Note that 9.0.x LTS installations must already be on CU3 before the hotfix can be installed.
Organizations running affected on-premise versions should apply the relevant hotfix or upgrade to 9.3 without delay; in an IAM system, a privilege-escalation flaw puts the entitlements of every connected system at risk, not just the product itself.