CVE-2023-1656 HIGH

CVE-2023-1656: When the LDAP connector is started with StartTLS configured, LDAP BIND credentials are transmitted insecurely, prior to establishing the TLS connection.

Vendor ForgeRock Inc.
Product OpenIDM and Java Remote Connector Server (RCS)
Weakness CWE-319 · Cleartext transmission
Published March 29, 2023
Last update April 14, 2025

CVSS base score

7.5/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

Description

Cleartext Transmission of Sensitive Information vulnerability in ForgeRock Inc. OpenIDM and Java Remote Connector Server (RCS) LDAP Connector on Windows, MacOS, Linux allows Remote Services with Stolen Credentials. This issue affects OpenIDM and Java Remote Connector Server (RCS): from 1.5.20.9 through 1.5.20.13.
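The defect described above is an ordering error on the plaintext socket: the simple BIND (which carries the password) goes out before the StartTLS extended operation. The following is an added example, not ForgeRock's code, that hand-encodes constructed RFC 4511 BindRequest and StartTLS ExtendedRequest PDUs in BER and checks a client-to-server stream for a bind that precedes StartTLS; the DN, password and message IDs are constructed sample values.

```python
# Added example (not ForgeRock's code): hand-encoded RFC 4511 PDUs plus a check
# that no BindRequest is sent on the plaintext socket before StartTLS.
# Assumes short-form BER lengths (< 128 bytes), enough for these sample PDUs.
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"
TAG_BIND_REQUEST = 0x60      # [APPLICATION 0], constructed
TAG_EXTENDED_REQUEST = 0x77  # [APPLICATION 23], constructed

def _tlv(tag, body):
    """BER tag-length-value, short-form definite length only."""
    assert len(body) < 0x80, "long-form lengths not supported in this example"
    return bytes([tag, len(body)]) + body

def bind_request(msg_id, dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple pw } }."""
    op = _tlv(0x02, b"\x03") + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(TAG_BIND_REQUEST, op))

def starttls_request(msg_id):
    """LDAPMessage { messageID, ExtendedRequest { requestName = StartTLS } }."""
    op = _tlv(TAG_EXTENDED_REQUEST, _tlv(0x80, STARTTLS_OID))
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + op)

def ldap_ops(stream):
    """Names of the protocolOps in a concatenated stream of LDAPMessages."""
    ops, i = [], 0
    while i < len(stream):
        if stream[i] != 0x30:
            raise ValueError(f"expected LDAPMessage SEQUENCE at offset {i}")
        end = i + 2 + stream[i + 1]
        i += 4 + stream[i + 3]              # skip the messageID INTEGER TLV
        tag, body = stream[i], stream[i + 2:i + 2 + stream[i + 1]]
        if tag == TAG_EXTENDED_REQUEST and STARTTLS_OID in body:
            ops.append("StartTLS")
        elif tag == TAG_BIND_REQUEST:
            ops.append("BindRequest")
        else:
            ops.append(f"op{tag:#x}")
        i = end
    return ops

def cleartext_bind(stream):
    """True if a BindRequest precedes StartTLS (or StartTLS never appears)."""
    ops = ldap_ops(stream)
    first_tls = ops.index("StartTLS") if "StartTLS" in ops else len(ops)
    return "BindRequest" in ops[:first_tls]

# Constructed sample streams: the vulnerable ordering and the correct one.
DN, PW = "cn=admin,dc=example,dc=com", "example-password"
VULNERABLE = bind_request(1, DN, PW) + starttls_request(2)
FIXED = starttls_request(1) + bind_request(2, DN, PW)
```

In a real capture the bytes after a successful StartTLS are TLS records, so only the plaintext prefix of the client stream should be fed to `ldap_ops`; a BindRequest found there is the condition this advisory describes.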

Key dates

Disclosure timeline

March 29, 2023 CVE published
April 14, 2025 Record updated