Skip to main content

Identity Manager Connector

26 CVEs product

Monthly

CVE-2026-46794 CRITICAL Act Now

Privilege escalation to full takeover in Oracle Identity Manager Connector (Fusion Middleware) allows a low-privileged remote attacker with SSH network access to compromise the Generic Unix Connector and pivot into additional Fusion Middleware components via a CVSS scope change. Versions 12.2.1.4.0 and 14.1.2.1.0 are affected, with Oracle rating the issue 9.9 due to high confidentiality, integrity, and availability impact across product boundaries. No public exploit identified at time of analysis, but the AV:N/AC:L profile and SSH-reachable attack surface make this a high-priority Oracle CPU item.

Oracle Identity Manager Connector Privilege Escalation
NVD
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-46793 CRITICAL Act Now

Takeover of Oracle Identity Manager Connector (Fusion Middleware) is achievable by a low-privileged remote attacker over HTTP, with a scope-changing impact that extends compromise to additional Oracle products. Oracle rates this 9.9 CVSS 3.1 with full confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. Affected releases are 12.2.1.4.0 and 14.1.2.1.0, with the fix delivered in Oracle's June 2026 Critical Patch Update.

Oracle Identity Manager Connector Authentication Bypass
NVD VulDB
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-46792 CRITICAL Act Now

Full takeover of Oracle Identity Manager Connector (versions 12.2.1.4.0 and 14.1.2.1.0) is achievable by a low-privileged remote attacker via HTTP against the Generic Unix Connector component, with scope-changed impact reaching additional Oracle Fusion Middleware products. Oracle rates this CVSS 9.9 due to high confidentiality, integrity, and availability impact combined with low attack complexity and minimal privileges. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Oracle Identity Manager Connector Authentication Bypass
NVD
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-35294 CRITICAL Act Now

Account takeover in Oracle Identity Manager Connector (Fusion Middleware, Mainframe Connectors component) versions 12.2.1.4.0 and 14.1.2.1.0 allows an authenticated low-privileged attacker to fully compromise the connector over HTTP and pivot to other products via a CVSS scope change. The flaw carries a 9.9 CVSS 3.1 score with high confidentiality, integrity, and availability impact; no public exploit identified at time of analysis, and CISA KEV does not list it.

Information Disclosure Oracle Identity Manager Connector
NVD
CVSS 3.1
9.9
EPSS
0.5%
CVE-2023-20884 MEDIUM PATCH This Month

VMware Workspace ONE Access and VMware Identity Manager contain an insecure redirect vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.

Information Disclosure VMware Open Redirect Identity Manager Workspace One Access +2
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVE-2022-31701 MEDIUM This Month

VMware Workspace ONE Access and Identity Manager contain a broken authentication vulnerability. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass VMware Access Cloud Foundation Identity Manager Connector
NVD
CVSS 3.1
5.3
EPSS
0.5%
CVE-2022-31665 HIGH PATCH This Week

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a remote code execution vulnerability. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

RCE VMware Identity Manager One Access Identity Manager Connector
NVD
CVSS 3.1
7.2
EPSS
2.0%
CVE-2022-31664 HIGH PATCH This Week

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

VMware Privilege Escalation Identity Manager One Access Access Connector +1
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2022-31663 MEDIUM PATCH This Month

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a reflected cross-site scripting (XSS) vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS VMware Identity Manager One Access Access Connector +1
NVD
CVSS 3.1
6.1
EPSS
0.6%
CVE-2022-31662 HIGH PATCH This Week

VMware Workspace ONE Access, Identity Manager, Connectors and vRealize Automation contain a path traversal vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Path Traversal VMware Identity Manager One Access Access Connector +1
NVD
CVSS 3.1
7.5
EPSS
1.1%
CVE-2022-31661 HIGH PATCH This Week

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain two privilege escalation vulnerabilities. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

VMware Privilege Escalation Identity Manager One Access Access Connector +1
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2022-31660 HIGH POC PATCH Act Now

VMware Workspace ONE Access, Identity Manager and vRealize Automation contains a privilege escalation vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.

VMware Privilege Escalation Identity Manager One Access Access Connector +1
NVD GitHub
CVSS 3.1
7.8
EPSS
1.1%
CVE-2022-31659 HIGH PATCH This Week

VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.

RCE VMware SQLi Identity Manager One Access +2
NVD
CVSS 3.1
7.2
EPSS
2.4%
CVE-2022-31658 HIGH PATCH This Week

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a remote code execution vulnerability. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

RCE VMware Identity Manager One Access Access Connector +1
NVD
CVSS 3.1
7.2
EPSS
1.9%
CVE-2022-31657 CRITICAL PATCH Act Now

VMware Workspace ONE Access and Identity Manager contain a URL injection vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.

VMware Open Redirect Identity Manager One Access Access Connector +1
NVD
CVSS 3.1
9.8
EPSS
1.2%
CVE-2022-31656 CRITICAL POC PATCH THREAT Act Now

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass VMware Identity Manager One Access Access Connector +1
NVD
CVSS 3.1
9.8
EPSS
19.0%
CVE-2022-23307 Maven HIGH PATCH This Week

CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Apache Chainsaw Log4J Reload4J +23
NVD VulDB
CVSS 3.1
8.8
EPSS
2.7%
CVE-2022-23305 Maven CRITICAL PATCH GHSA Act Now

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.

Apache SQLi Log4J Snapmanager Brocade Sannav +25
NVD VulDB
CVSS 3.1
9.8
EPSS
9.5%
CVE-2022-23302 Maven HIGH PATCH This Week

JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

RCE Deserialization Apache Log4J Snapmanager +24
NVD VulDB
CVSS 3.1
8.8
EPSS
0.8%
CVE-2020-4006 CRITICAL KEV THREAT Act Now

VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector address have a command injection vulnerability. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection VMware Identity Manager Identity Manager Connector One Access +2
NVD
CVSS 3.1
9.1
EPSS
23.8%
CVE-2020-24750 Maven HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Jackson Databind Agile Plm Application Testing Suite Autovue For Agile Product Lifecycle Management +22
NVD GitHub
CVSS 3.1
8.1
EPSS
7.3%
CVE-2020-24616 Maven HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP). Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Jackson Databind Active Iq Unified Manager Agile Plm Application Testing Suite +21
NVD GitHub
CVSS 3.1
8.1
EPSS
9.3%
CVE-2019-0222 Maven HIGH PATCH This Week

In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling corrupt MQTT frame can lead to broker Out of Memory exception making it unresponsive. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Apache Activemq E Series Santricity Web Services Communications Diameter Signaling Router +5
NVD
CVSS 3.1
7.5
EPSS
12.4%
CVE-2018-15756 Maven HIGH PATCH This Week

Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Java Denial Of Service Spring Framework Agile Plm Communications Brm Elastic Charging Engine +37
NVD
CVSS 3.1
7.5
EPSS
9.5%
CVE-2017-10270 HIGH PATCH This Week

Vulnerability in the Oracle Identity Manager Connector component of Oracle Fusion Middleware (subcomponent: Microsoft Active Directory). Rated high severity (CVSS 8.2), this vulnerability is no authentication required, low attack complexity.

Denial Of Service Microsoft Oracle Identity Manager Connector
NVD
CVSS 3.0
8.2
EPSS
0.2%
CVE-2017-5645 Maven CRITICAL POC PATCH THREAT Act Now

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 94.0%.

Deserialization Apache RCE Log4J Oncommand Api Services +77
NVD
CVSS 3.1
9.8
EPSS
94.0%
Threat
6.3
EPSS 0% CVSS 9.9
CRITICAL Act Now

Privilege escalation to full takeover in Oracle Identity Manager Connector (Fusion Middleware) allows a low-privileged remote attacker with SSH network access to compromise the Generic Unix Connector and pivot into additional Fusion Middleware components via a CVSS scope change. Versions 12.2.1.4.0 and 14.1.2.1.0 are affected, with Oracle rating the issue 9.9 due to high confidentiality, integrity, and availability impact across product boundaries. No public exploit identified at time of analysis, but the AV:N/AC:L profile and SSH-reachable attack surface make this a high-priority Oracle CPU item.

Oracle Identity Manager Connector Privilege Escalation
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Takeover of Oracle Identity Manager Connector (Fusion Middleware) is achievable by a low-privileged remote attacker over HTTP, with a scope-changing impact that extends compromise to additional Oracle products. Oracle rates this 9.9 CVSS 3.1 with full confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. Affected releases are 12.2.1.4.0 and 14.1.2.1.0, with the fix delivered in Oracle's June 2026 Critical Patch Update.

Oracle Identity Manager Connector Authentication Bypass
NVD VulDB
EPSS 0% CVSS 9.9
CRITICAL Act Now

Full takeover of Oracle Identity Manager Connector (versions 12.2.1.4.0 and 14.1.2.1.0) is achievable by a low-privileged remote attacker via HTTP against the Generic Unix Connector component, with scope-changed impact reaching additional Oracle Fusion Middleware products. Oracle rates this CVSS 9.9 due to high confidentiality, integrity, and availability impact combined with low attack complexity and minimal privileges. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Oracle Identity Manager Connector Authentication Bypass
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Account takeover in Oracle Identity Manager Connector (Fusion Middleware, Mainframe Connectors component) versions 12.2.1.4.0 and 14.1.2.1.0 allows an authenticated low-privileged attacker to fully compromise the connector over HTTP and pivot to other products via a CVSS scope change. The flaw carries a 9.9 CVSS 3.1 score with high confidentiality, integrity, and availability impact; no public exploit identified at time of analysis, and CISA KEV does not list it.

Information Disclosure Oracle Identity Manager Connector
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

VMware Workspace ONE Access and VMware Identity Manager contain an insecure redirect vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.

Information Disclosure VMware Open Redirect +4
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

VMware Workspace ONE Access and Identity Manager contain a broken authentication vulnerability. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass VMware Access +2
NVD
EPSS 2% CVSS 7.2
HIGH PATCH This Week

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a remote code execution vulnerability. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

RCE VMware Identity Manager +2
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

VMware Privilege Escalation Identity Manager +3
NVD
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a reflected cross-site scripting (XSS) vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

XSS VMware Identity Manager +3
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

VMware Workspace ONE Access, Identity Manager, Connectors and vRealize Automation contain a path traversal vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Path Traversal VMware Identity Manager +3
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain two privilege escalation vulnerabilities. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

VMware Privilege Escalation Identity Manager +3
NVD
EPSS 1% CVSS 7.8
HIGH POC PATCH Act Now

VMware Workspace ONE Access, Identity Manager and vRealize Automation contains a privilege escalation vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.

VMware Privilege Escalation Identity Manager +3
NVD GitHub
EPSS 2% CVSS 7.2
HIGH PATCH This Week

VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.

RCE VMware SQLi +4
NVD
EPSS 2% CVSS 7.2
HIGH PATCH This Week

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a remote code execution vulnerability. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

RCE VMware Identity Manager +3
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

VMware Workspace ONE Access and Identity Manager contain a URL injection vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Open Redirect vulnerability could allow attackers to redirect users to malicious websites via URL manipulation.

VMware Open Redirect Identity Manager +3
NVD
EPSS 19% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass VMware Identity Manager +3
NVD
EPSS 3% CVSS 8.8
HIGH PATCH This Week

CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Apache Chainsaw +25
NVD VulDB
EPSS 9% CVSS 9.8
CRITICAL PATCH Act Now

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.

Apache SQLi Log4J +27
NVD VulDB
EPSS 1% CVSS 8.8
HIGH PATCH This Week

JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

RCE Deserialization Apache +26
NVD VulDB
EPSS 24% CVSS 9.1
CRITICAL KEV THREAT Act Now

VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector address have a command injection vulnerability. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection VMware Identity Manager +4
NVD
EPSS 7% CVSS 8.1
HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Jackson Databind Agile Plm +24
NVD GitHub
EPSS 9% CVSS 8.1
HIGH PATCH This Week

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP). Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Jackson Databind Active Iq Unified Manager +23
NVD GitHub
EPSS 12% CVSS 7.5
HIGH PATCH This Week

In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling corrupt MQTT frame can lead to broker Out of Memory exception making it unresponsive. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Apache Activemq +7
NVD
EPSS 10% CVSS 7.5
HIGH PATCH This Week

Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Java Denial Of Service Spring Framework +39
NVD
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Vulnerability in the Oracle Identity Manager Connector component of Oracle Fusion Middleware (subcomponent: Microsoft Active Directory). Rated high severity (CVSS 8.2), this vulnerability is no authentication required, low attack complexity.

Denial Of Service Microsoft Oracle +1
NVD
EPSS 94% 6.3 CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 94.0%.

Deserialization Apache RCE +79
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy