Persistent Accelerite Radia Client Automation Modify An Account's Role Vulnerabilities
11 Dec. 2015
Summary
Persistent Accelerite Radia Client Automation (formerly HP Client Automation) 7.9 through 9.1 before 2015-02-19 improperly implements the Role Based Access Control feature, which might allow remote attackers to modify an account's role assignments via unspecified vectors.
Vulnerable Systems:
* Persistent Accelerite Radia Client Automation (formerly HP Client Automation) 7.9 through 9.1 before 2015-02-19
Immune Systems:
* Persistent Accelerite Radia Client Automation (formerly HP Client Automation) 7.9 through 9.1 after 2015-02-19
Accelerite now performs additional validation to ensure that no unauthorized user can perform access control operations (assigning an existing role to, or unassigning it from, an existing user account). Accelerite has already released hotfixes for all supported versions. Customers can contact the support team to request the hotfix applicable to their version. Customers are advised to use the Extended Notify security features to secure remote Notify; these features are already available in all supported versions of RCA/HPCA.