CVE-2024-45523 Resource Leak in Bravura Security Fabric API After a Failed Login Attempt (19-09-2024)

Preface: Originally founded in 1992 as M-Tech Information Technology, acquired by Hitachi, Ltd. in 2008, and acquired by the Volaris Group in 2022, Bravura Security, Inc. is a leading provider of identity, privileged access, password, and passwordless solutions. Bravura Security Fabric brings together all the benefits of SaaS plus IAM & PAM into one comprehensive solution.

Background: The API Service (idapi) enables client programs to access Bravura Security Fabric workflow and provisioning features programmatically. Client programs communicate with the service using:

SOAP (Simple Object Access Protocol) – Some organizations use the SOAP API to build their own customized front-end to Bravura Security Fabric.

Vulnerability details: An issue was discovered in Bravura Security Fabric versions 12.3.x before 12.3.5.32784, 12.4.x before 12.4.3.35110, 12.5.x before 12.5.2.35950, 12.6.x before 12.6.2.37183, and 12.7.x before 12.7.1.38241. An unauthenticated attacker can cause a resource leak by issuing multiple failed login attempts through the SOAP API.
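Two defender-side checks that follow from the details above, written as an added example for this post (not code from the vendor advisory or from Bravura Security): one compares an installed build number against the fixed builds listed in the advisory, the other scans API-service log lines for bursts of failed SOAP logins from a single client address, which is the traffic pattern that exhausts resources on unpatched builds. The log layout, the field names and the sample lines are constructed assumptions; the page does not describe the real idapi log format.

```python
"""Added example for CVE-2024-45523 (not the vendor's or Bravura's own code).

  1. is_affected(): compare a Bravura Security Fabric version string
     against the fixed builds named in the advisory.
  2. failed_login_bursts(): find client addresses that produced many
     failed SOAP login attempts within a short window (constructed log
     layout; the real idapi log format is not given on the page).
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# First fixed build per affected branch, taken from the advisory text.
# Any 12.3.x build below 12.3.5.32784 is affected, and so on.
FIXED_BUILDS = {
    (12, 3): (12, 3, 5, 32784),
    (12, 4): (12, 4, 3, 35110),
    (12, 5): (12, 5, 2, 35950),
    (12, 6): (12, 6, 2, 37183),
    (12, 7): (12, 7, 1, 38241),
}


def parse_version(text):
    """Turn '12.5.1.35000' into a tuple of ints that compares correctly."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected four numeric components, got {text!r}")
    return parts


def is_affected(version_text):
    """True if the version falls inside one of the advisory's affected ranges.

    Branches the advisory does not list (for example 12.8.x) return False,
    which means 'not listed', not 'verified safe'.
    """
    version = parse_version(version_text)
    fixed = FIXED_BUILDS.get(version[:2])
    if fixed is None:
        return False
    return version < fixed


# Constructed sample log lines in an assumed layout:
#   <ISO timestamp> idapi <client ip> SOAP login <failed|ok>
SAMPLE_LOG = """\
2024-09-19T10:00:00 idapi 203.0.113.7 SOAP login failed
2024-09-19T10:00:01 idapi 203.0.113.7 SOAP login failed
2024-09-19T10:00:02 idapi 203.0.113.7 SOAP login failed
2024-09-19T10:00:03 idapi 203.0.113.7 SOAP login failed
2024-09-19T10:00:04 idapi 203.0.113.7 SOAP login failed
2024-09-19T10:00:05 idapi 203.0.113.7 SOAP login failed
2024-09-19T10:00:30 idapi 198.51.100.2 SOAP login failed
2024-09-19T10:00:31 idapi 198.51.100.2 SOAP login ok
2024-09-19T10:05:00 idapi 203.0.113.7 SOAP login failed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) idapi (?P<src>\S+) SOAP login (?P<result>failed|ok)$"
)


def failed_login_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {source: peak count} for sources that reached `threshold`
    failed SOAP logins inside any sliding window of length `window`."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("result") != "failed":
            continue
        failures[m.group("src")].append(datetime.fromisoformat(m.group("ts")))

    bursts = {}
    for src, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            # Advance the window start until the span fits inside `window`.
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[src] = best
    return bursts


if __name__ == "__main__":
    for v in ("12.5.1.35000", "12.5.2.35950", "12.7.0.38000", "12.8.0.40000"):
        print(v, "affected" if is_affected(v) else "not in an affected range")
    print(failed_login_bursts(SAMPLE_LOG))
```

The version check treats the fixed build itself as patched and everything below it on the same branch as affected, which is exactly how the "before" wording in the advisory reads; the burst detector uses a sliding window rather than fixed minute buckets so a run of failures straddling a minute boundary is still counted as one burst.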

Official announcement: Please refer to the vendor announcement for details –

https://www.bravurasecurity.com/cve-2024-45523-resource-leak-in-api-after-a-failed-login-attempt
