OneLogin AD Connector Information Disclosure Vulnerability
Vulnerability
A vulnerability allowing information disclosure exists in OneLogin AD Connector versions prior to 6.1.5. The issue arises in the Active Directory Connector's API, specifically through the configuration endpoint. An attacker with access to a valid directory token, which can be obtained from host registry keys or unsecured logs, can retrieve a plaintext response containing sensitive credentials. These credentials may include an API key, AWS IAM access and secret keys, and a base64-encoded JWT signing key used in the tenant's SSO IdP configuration.
Impact
Exploitation of this vulnerability gives an attacker unauthorized access to sensitive credentials, including API keys, SSO signing keys, and AWS IAM keys that can be used to access OneLogin customer data. This access can facilitate user impersonation within OneLogin environments.
Reproduction
The vulnerability can be reproduced by sending a GET request to the OneLogin AD Connector API configuration endpoint, including a valid directory token obtained from the Windows registry or logs. The response will contain sensitive credentials in plaintext.
Remediation
Users are advised to upgrade to OneLogin AD Connector version 6.1.5 or later.
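As an added example (not part of the advisory and not OneLogin's own code), the Python below decides whether a reported connector version falls in the affected range (older than 6.1.5) and triages a constructed host inventory; hostnames and version strings in the sample are made up.

```python
# Added example: flag OneLogin AD Connector installs older than the fixed
# version 6.1.5 named in the advisory. Versions are compared numerically,
# component by component, so that 6.1.10 correctly sorts above 6.1.5.
import re

FIXED_VERSION = (6, 1, 5)  # first version containing the fix, per the advisory


def parse_version(version: str) -> tuple:
    """Turn '6.1.4', 'v6.1' or '6.1.4-xyz' into a comparable integer tuple.

    A leading 'v' and anything after the numeric part are ignored; missing
    trailing components count as zero, so '6.1' becomes (6, 1, 0).
    """
    m = re.match(r"^v?(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))  # pad short versions to three components
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the connector is older than 6.1.5 and must be upgraded."""
    return parse_version(version) < FIXED_VERSION


def triage(inventory: dict) -> list:
    """Return, sorted, the hosts whose connector version is affected."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    # Constructed sample inventory: hostname -> connector version reported by the host.
    sample = {"adc-01": "6.1.4", "adc-02": "6.1.5", "adc-03": "6.1.10", "adc-04": "v6.0"}
    print(triage(sample))  # -> ['adc-01', 'adc-04']
```

Hosts the function flags should be upgraded, and the credentials the connector exposed (API key, AWS IAM keys, SSO signing key) rotated, since an upgrade alone does not invalidate values already retrieved.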