In One Identity Identity Manager 9.x before 9.3, an insecure direct object reference (IDOR) vulnerability allows privilege escalation. Only On-Premise installations are affected.
The vulnerability results from improper authorization verification when referencing objects (CWE-302 — improper authentication verification). A logged-in user with low privileges can directly reference system objects (IDOR) that they normally should not have access to, thereby bypassing authorization control mechanisms. The result is the possibility of privilege escalation within the identity management system.
An attacker with an account in the system can obtain a higher level of privileges, potentially taking control of critical resources and data managed by the Identity Manager platform, which includes confidentiality, integrity, and system availability.
One Identity Identity Manager should be updated to version 9.3 or later. Detailed information about the patch is available in the vendor's release notes at https://support.oneidentity.com/technical-documents/identity-manager/9.3/release-notes/
One Identity Identity Manager in versions 9.x before 9.3, On-Premise installations only.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H