OAM 188.8.131.52 / 184.108.40.206 Change Password page does not validate Old Password
Last updated on MARCH 08, 2017
Applies to: Oracle Access Manager - Version 220.127.116.11.0 and later
Information in this document applies to any platform.
Oracle Access Manager (OAM) 18.104.22.168 or 22.214.171.124 has been configured to use the OAM Password Plugin for password management.
When a user is redirected to the OAM Change Password page to change their password, e.g. for first-time logins or for users whose passwords have been reset, any value can be entered for Old Password. The Old Password value submitted is not validated.
Steps to reproduce
1. In a new browser session, access a resource protected by the OAM Release 2 (R2) Password Plugin.
2. The OAM SSO login page is displayed.
3. User submits valid credentials.
4. OAM validates the credentials, but the user entry has obpasswordchangeflag=true or obpasswordcreationdate > password lifetime, so OAM redirects the user to the OAM Change Password page.
5. User submits any value for Old Password, and a New Password value that conforms to password policy requirements.
6. The user's password is successfully changed.
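As an added illustration that is not part of the Oracle article, the Python model below runs the scenario above against two change-password handlers: one that skips the Old Password comparison (the reported behaviour) and one that performs it before touching the entry. The password lifetime, policy rule, hashing scheme and user record are assumed stand-ins, not OAM internals.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

# Assumed values: the article states neither the lifetime nor the policy rules.
PASSWORD_LIFETIME = timedelta(days=90)
MIN_NEW_PASSWORD_LENGTH = 8
NOW = datetime(2017, 3, 8)  # fixed clock so the demo is deterministic

def hash_password(password: str, salt: bytes = b"") -> tuple:
    """PBKDF2 stand-in for the identity store's own hashing; a salt is generated when absent."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def password_matches(stored: tuple, candidate: str) -> bool:
    salt, digest = stored
    return hmac.compare_digest(digest, hash_password(candidate, salt)[1])

def make_user(password: str, change_flag: bool, age_days: int) -> dict:
    """Constructed user entry carrying the two attributes the article names."""
    return {"password": hash_password(password), "obpasswordchangeflag": change_flag,
            "obpasswordcreationdate": NOW - timedelta(days=age_days)}

def must_change_password(user: dict) -> bool:
    """The two conditions the article gives for the redirect to the Change Password page."""
    expired = NOW - user["obpasswordcreationdate"] > PASSWORD_LIFETIME
    return user["obpasswordchangeflag"] or expired

def change_password(user: dict, old_pw: str, new_pw: str, verify_old: bool) -> str:
    """verify_old=False reproduces the reported defect; True is the expected behaviour."""
    if verify_old and not password_matches(user["password"], old_pw):
        return "rejected: old password incorrect"
    if len(new_pw) < MIN_NEW_PASSWORD_LENGTH or password_matches(user["password"], new_pw):
        return "rejected: new password violates policy"
    user["password"] = hash_password(new_pw)
    user["obpasswordchangeflag"] = False  # forced-change state is cleared only on success
    user["obpasswordcreationdate"] = NOW
    return "changed"

def demo(submitted_old_pw: str = "not-the-real-password") -> dict:
    """Run the article's scenario (reset account, forced change) against both variants."""
    results = {}
    for label, verify_old in (("vulnerable", False), ("hardened", True)):
        user = make_user("Initial#Pass1", change_flag=True, age_days=0)
        assert must_change_password(user)  # the redirect condition holds for this entry
        results[label] = change_password(user, submitted_old_pw, "Fresh#Pass2", verify_old)
    return results
```

With the default (wrong) Old Password, `demo()` reports the vulnerable variant as `changed` and the hardened one as `rejected: old password incorrect`; the expiry branch of `must_change_password` behaves the same way.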