An authenticated attacker is able to exploit a SQL injection vulnerability in the Password Synchronization SOAP web service operation GetListObject. This could allow an attacker to access and potentially manipulate data stored within the database, render it unavailable (causing a denial of service condition), or exfiltrate sensitive information such as account details and domain password hashes.
SQL injection attacks consist of “injecting” a SQL statement through user-supplied parameters of the web service; the statement is then passed to the SQL database server for execution. Error-based SQL injection techniques force the database to generate an error, which gives the attacker information with which to refine the injection.
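The two conditions described above (input concatenated into the statement, and database errors returned to the caller) are shown here beside the hardened form, as an added example that is not the product's code. The table, the function names and the SQLite stand-in are assumptions, since the page gives neither the GetListObject parameters nor the schema.

```python
import sqlite3

def make_db():
    # Constructed sample data; the product's real schema is not on the page.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE objects (name TEXT, type TEXT)")
    db.executemany("INSERT INTO objects VALUES (?, ?)",
                   [("alice", "user"), ("bob", "user"), ("printers", "group")])
    return db

def list_objects_vulnerable(db, object_type):
    # Hypothetical handler: caller input is concatenated into the statement and
    # the raw database error goes back to the caller. Error-based SQL injection
    # depends on both of these behaviours.
    sql = "SELECT name FROM objects WHERE type = '" + object_type + "'"
    try:
        return {"rows": [r[0] for r in db.execute(sql)]}
    except sqlite3.Error as exc:
        return {"fault": str(exc)}

def list_objects_hardened(db, object_type, audit_log):
    # Input is bound as a parameter, so it is only ever compared as data.
    # Database errors are recorded server-side; the caller gets a generic fault.
    try:
        cur = db.execute("SELECT name FROM objects WHERE type = ?", (object_type,))
        return {"rows": [r[0] for r in cur]}
    except sqlite3.Error as exc:
        audit_log.append(repr(exc))
        return {"fault": "internal error"}

if __name__ == "__main__":
    db, log = make_db(), []
    for value in ("user", "user'"):  # second value carries a stray quote
        print(repr(value),
              list_objects_vulnerable(db, value),
              list_objects_hardened(db, value, log))
```

With the stray quote, the concatenated version returns the database's own error text, while the parameterized version simply finds no matching rows.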
Waiting for a fix in a future release of Identity Manager.
Please contact Software support, quoting Defect ID 23995 and your Identity Manager and Password Capture Agent versions, to request a hotfix for this issue.