Alternate Change Password Action Vulnerability

Alternate Change Password Action Vulnerability Identified

A security vulnerability has been identified in some custom Alternate Change Password Actions that potentially allows self-service password updates to be performed without requiring the user to provide a valid password.

When performing a self-service password reset in RapidIdentity, users are required to input their current password and choose a new password that complies with an associated password policy. Within the core self-service password reset process, RapidIdentity then validates the password provided by the user against the user’s actual password and, if valid, updates the password accordingly.

However, if RapidIdentity is configured to use a Connect Alternate Change Password Action instead of its core processing, RapidIdentity passes the user provided password and associated password policy information to that Connect Alternate Action to process in conjunction with its custom logic.

The 2023.0.0-hotfix2 updates RapidIdentity on-premise systems to validate the password provided by the user during a self-password reset action regardless of an Alternate Change Password Action being present.

While the 2023.0.0-hotfix2 update for on-premise systems negates the need for password validations to be performed in custom Connect Alternate Change Password Actions, it does not impact them and, it assures the continued validation of passwords for new and/or modified Alternate Change Password Actions in the future.

RapidIdentity Administrators can configure and/or update Alternate Actions at Configuration > Systems > Integration > Connect