Users Can Login To Kiosk Manager And Access The Credentials From Another User's Locked Session
(Doc ID 2407282.1)
Last updated on DECEMBER 01, 2019
Applies to: Oracle Enterprise Single Sign-On Suite Plus - Version 22.214.171.124.1 and later
Information in this document applies to any platform.
***Checked for relevance on 19-NOV-2019***
Oracle Enterprise Single Sign-On: Logon Manager 126.96.36.199.1
Users are able to log in to Kiosk Manager and access the credentials from another user's locked session.
Users should not be able to access the credentials or applications from the locked session of another user.
STEPS TO REPRODUCE
- User “A” logs into Kiosk Manager GUI with their user ID and password.
- SSO works as designed.
- User “A” locks the session.
- User “B” clicks logon without changing the user ID.
- SSO prompts for a password and the user ID field is greyed out.
- User “B” enters their password.
- SSO displays an error stating the password is incorrect.
- User “B” clicks OK.
- SSO prompts for a password and the user ID field is no longer greyed out.
- User “B” changes the user ID to their own and enters their password.
- SSO accepts this logon.
- The desktop comes up and the Lock Session button in the top right displays the name of user “A”.
- User “B” opens TAM which displays saved credentials for user “A”.
- User “B” opens applications and SSO injects credentials for user “A”.
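
The expected behavior stated above amounts to a check that the identity authenticated at unlock matches the owner of the session being resumed. The Python model below is an added example, not Oracle's code: `KioskSession`, `unlock_flawed`, `unlock_bound`, the sample accounts and the choice to end the old session when a different user logs on are all assumptions made for illustration.

```python
import hmac

# Constructed sample accounts and credential vaults (illustrative only).
PASSWORDS = {"userA": "a-pass", "userB": "b-pass"}
VAULTS = {"userA": {"mail": "A-secret"}, "userB": {"mail": "B-secret"}}


class KioskSession:
    """Hypothetical model of a kiosk session; not the product's implementation."""

    def __init__(self, owner):
        self.owner = owner                # identity the desktop belongs to
        self.vault = dict(VAULTS[owner])  # credentials SSO would inject
        self.locked = False


def authenticate(user, password):
    return user in PASSWORDS and hmac.compare_digest(PASSWORDS[user], password)


def unlock_flawed(session, user, password):
    """Models the reported behaviour: any valid logon resumes the locked session."""
    if not authenticate(user, password):
        return None
    session.locked = False
    return session


def unlock_bound(session, user, password):
    """Expected behaviour: only the owner resumes the locked session."""
    if not authenticate(user, password):
        return None
    if user == session.owner:
        session.locked = False
        return session
    session.vault.clear()       # assumption: the old session is ended
    return KioskSession(user)   # the new user gets their own vault


def replay(unlock):
    """Replay the steps above; return (session owner, vault) that user B ends up with."""
    session = KioskSession("userA")
    session.locked = True
    assert unlock(session, "userA", "b-pass") is None   # B's password, A's user ID
    result = unlock(session, "userB", "b-pass")         # B changes the user ID
    return result.owner, result.vault


if __name__ == "__main__":
    print("flawed:", replay(unlock_flawed))
    print("bound: ", replay(unlock_bound))
```

The same replay can serve as a regression check after patching: the session owner and the vault returned to user “B” must both belong to user “B”.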