
CVE-2022-0143: CWE-284 Improper Access Control in ForgeRock LDAP Connector

Severity: Critical
Tags: Vulnerability, CVE-2022-0143, CWE-284
Published: Mon Sep 19 2022 (09/19/2022, 21:15:51 UTC)
Source: CVE Database V5
Vendor/Project: ForgeRock
Product: LDAP Connector

Description

When the LDAP connector is started with StartTLS configured, unauthenticated access is granted. This issue affects all versions of the LDAP connector prior to 1.5.20.9. The LDAP connector is bundled with Identity Management (IDM) and Remote Connector Server (RCS).

AI-Powered Analysis

Last updated: 07/07/2025, 23:24:44 UTC

Technical Analysis

CVE-2022-0143 is a critical vulnerability classified under CWE-284 (Improper Access Control) in the ForgeRock LDAP Connector, a component bundled with ForgeRock Identity Management (IDM) and Remote Connector Server (RCS). The flaw is triggered when the LDAP connector is started with StartTLS configured (StartTLS is the LDAP extension that upgrades a plaintext connection to a TLS-encrypted one). Under that configuration the connector erroneously grants unauthenticated access, so the authentication controls that should gate the directory are bypassed. All versions of the LDAP connector prior to 1.5.20.9 are affected. The CVSS v3.1 base score is 9.3 (critical): the attack vector is network-based (AV:N), no privileges are required (PR:N), user interaction is required (UI:R), and the scope is changed (S:C), meaning the vulnerability affects resources beyond the vulnerable component itself. Confidentiality and integrity impact are high, since unauthorized users can read sensitive directory information or potentially manipulate identity data; availability impact is none. No exploits in the wild are currently reported, but the critical rating and the widespread use of ForgeRock IDM in enterprise identity and access management make this a significant threat. The provided data contains no patch link, so organizations must verify the connector version themselves and apply the latest ForgeRock updates promptly.

Potential Impact

For European organizations, the impact of CVE-2022-0143 is substantial due to the critical role ForgeRock IDM and its LDAP connector play in identity and access management (IAM) infrastructures. Unauthorized access to the LDAP connector can lead to exposure of sensitive identity data, unauthorized privilege escalation, and potential lateral movement within corporate networks. This can compromise user credentials, personal data protected under GDPR, and critical business applications relying on ForgeRock for authentication and authorization. The improper access control could also facilitate insider threat activities or external attackers masquerading as legitimate users. Given the high confidentiality and integrity impact, organizations could face regulatory penalties, reputational damage, and operational disruptions. The vulnerability’s exploitation over the network without requiring privileges makes it particularly dangerous in environments with exposed or poorly segmented LDAP services.

Mitigation Recommendations

European organizations using ForgeRock IDM or RCS should immediately verify their LDAP connector versions and upgrade to version 1.5.20.9 or later where this vulnerability is fixed. If upgrading is not immediately feasible, organizations should consider disabling StartTLS on the LDAP connector until a patch is applied, or restrict network access to the LDAP connector to trusted internal networks only. Implement strict network segmentation and firewall rules to limit exposure of LDAP services. Additionally, monitoring and logging LDAP connector access attempts should be enhanced to detect any anomalous unauthenticated access patterns. Organizations should also review and tighten IAM policies and conduct thorough audits of identity data access. Finally, coordinate with ForgeRock support for any additional recommended mitigations or patches and stay alert for any emerging exploit reports.
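The first two steps above (confirm the connector version, confirm whether StartTLS is configured) can be scripted against IDM provisioner configuration files. The following is an added example and not ForgeRock code; it assumes the `connectorRef.bundleVersion` and `configurationProperties.startTLS` key names of an IDM `provisioner.openicf-*.json` file (assumed layout, adjust to your deployment) and treats the IDM-style version range form (e.g. `[1.5.0.0,1.6.0.0)`) as unresolvable without inspecting the deployed bundle.

```python
"""Audit IDM/RCS LDAP connector configs for the CVE-2022-0143 condition.

Added example, not ForgeRock code. Key names connectorRef.bundleVersion and
configurationProperties.startTLS are assumed; verify against your config.
"""
import re

FIXED = (1, 5, 20, 9)  # first fixed LDAP connector release per the advisory


def parse_version(text):
    """'1.5.20.8' -> (1, 5, 20, 8); missing components are padded with 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    return tuple((parts + [0] * 4)[:4])


def version_is_vulnerable(bundle_version):
    """True/False for an exact version; None for a range such as
    '[1.5.0.0,1.6.0.0)', which needs a manual check of the deployed bundle."""
    if bundle_version.strip().startswith(("[", "(")):
        return None
    return parse_version(bundle_version) < FIXED


def audit_connector(config):
    """Classify one provisioner config dict for this CVE."""
    props = config.get("configurationProperties", {})
    bundle = config.get("connectorRef", {}).get("bundleVersion", "0")
    vuln = version_is_vulnerable(bundle)
    if vuln is None:
        return "check-manually"          # version range; resolve on the host
    if not vuln:
        return "fixed"                   # 1.5.20.9 or later
    # Pre-fix version: the flaw only triggers when StartTLS is configured,
    # but an old connector should still be upgraded.
    return "vulnerable" if props.get("startTLS", False) else "upgrade-recommended"


# Constructed sample configs (not real deployments).
SAMPLES = {
    "old-starttls": {"connectorRef": {"bundleVersion": "1.5.20.8"},
                     "configurationProperties": {"startTLS": True, "ssl": False}},
    "fixed-starttls": {"connectorRef": {"bundleVersion": "1.5.20.9"},
                       "configurationProperties": {"startTLS": True}},
    "old-ldaps": {"connectorRef": {"bundleVersion": "1.5.20.8"},
                  "configurationProperties": {"startTLS": False, "ssl": True}},
    "range": {"connectorRef": {"bundleVersion": "[1.5.0.0,1.6.0.0)"},
              "configurationProperties": {"startTLS": True}},
}


def audit_all(samples=SAMPLES):
    """Return {config name: verdict} for every sample."""
    return {name: audit_connector(cfg) for name, cfg in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit_all().items():
        print(f"{name}: {verdict}")
```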


Technical Details

Data Version: 5.1
Assigner Short Name: ForgeRock
Date Reserved: 2022-01-07T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 683880c6182aa0cae2839699

Added to database: 5/29/2025, 3:44:06 PM

Last enriched: 7/7/2025, 11:24:44 PM

Last updated: 8/12/2025, 3:45:07 AM
