- 19 May 2023
- 1 Minute to read
Alternate Change Password Action Vulnerability
- Updated on 19 May 2023
- 1 Minute to read
Alternate Change Password Action Vulnerability Identified
A security vulnerability has been identified in some custom Alternate Change Password Actions that potentially allows self-service password updates to be performed without requiring the user to provide a valid password.
When performing a self-service password reset in RapidIdentity, users are required to input their current password and choose a new password that complies with an associated password policy. Within the core self-service password reset process, RapidIdentity then validates the password provided by the user against the user’s actual password and, if valid, updates the password accordingly.
However, if RapidIdentity is configured to use a Connect Alternate Change Password Action instead of its core processing, RapidIdentity passes the user provided password and associated password policy information to that Connect Alternate Action to process in conjunction with its custom logic.
The 2023.0.0-hotfix2 updates RapidIdentity on-premise systems to validate the password provided by the user during a self-password reset action regardless of an Alternate Change Password Action being present.
Connect Alternate Change Password Actions are rarely used in RapidIdentity on-premise and Identity Automation believes it is very unlikely that on-premise customers are exposed.
Regardless, RapidIdentity on-premise customers are advised to install the 2023.0.0-hotfix2 as soon as possible to mitigate any potential risk.
Identity Automation has verified that Connect Alternate Change Password Actions currently used in RapidIdentity Cloud systems perform the proper password validation prior to updating user passwords.
Regardless, RapidIdentity Cloud release 2023.05.0 includes an update to perform the same validation and compliance checks during all password reset actions regardless of an Alternate Change Password Action being present.
While the 2023.0.0-hotfix2 update for on-premise systems negates the need for password validations to be performed in custom Connect Alternate Change Password Actions, it does not impact them and, it assures the continued validation of passwords for new and/or modified Alternate Change Password Actions in the future.
RapidIdentity Administrators can configure and/or update Alternate Actions at Configuration > Systems > Integration > Connect