CVE-2024-56404
Published: 24 January 2025
Description
In One Identity Identity Manager 9.x before 9.3, an insecure direct object reference (IDOR) vulnerability allows privilege escalation. Only On-Premise installations are affected.
Security Summary
CVE-2024-56404 is an insecure direct object reference (IDOR) vulnerability, mapped to CWE-302, in One Identity Identity Manager 9.x versions before 9.3. Only on-premise installations are affected. The issue enables privilege escalation and carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). It is rated critical because it is reachable over the network, has low attack complexity, requires only low privileges and no user interaction, has high impact on confidentiality, integrity, and availability, and has a changed scope (the impact extends beyond the vulnerable component).
An authenticated attacker with low privileges can exploit this IDOR flaw remotely to escalate privileges. Exploitation requires no user interaction and can lead to full compromise of the targeted system, granting high-level access and potentially disrupting or extracting sensitive identity management data.
Vendor advisories recommend upgrading to One Identity Identity Manager 9.3, where the vulnerability is addressed, as outlined in the product notification at https://support.oneidentity.com/product-notification/noti-00001678 and the 9.3 release notes at https://support.oneidentity.com/technical-documents/identity-manager/9.3/release-notes/. Further details are available on the One Identity community forum at https://www.oneidentity.com/community/identity-manager/.
Details
- CWE(s)