An Insecure Direct Object Reference (IDOR) vulnerability has been identified in Identity Manager which, in certain configurations, may allow an individual to escalate privileges without authorization. This has been officially reported as CVE-2024-56404. This issue impacts only On-Premise installations and does not impact customers using Identity Manager On Demand or Identity Manager On Demand Starling Edition.
All customers on versions 9.0.x to 9.2.1 are vulnerable to this defect. One Identity strongly suggests applying the appropriate hotfix below for your version or upgrading to 9.3 as soon as possible. Note: 9.0.x LTS requires CU3 to be applied before the hotfix is installed.
One Identity has created hotfixes for all impacted versions:
For instructions on how to apply this hotfix, please visit KB 4378108.
We apologize for the inconvenience this issue may have caused.