CVE-2021-29156
published 2021-03-25


Priority: P2, 73, high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Exploit: yes
EPSS: 76.39% (99.5th percentile)
ForgeRock OpenAM before 13.5.1 allows LDAP injection via the Webfinger protocol. For example, an unauthenticated attacker can perform character-by-character retrieval of password hashes, or retrieve a session token or a private key.

Affected

1 range
Vendor: forgerock · Product: openam · Version range: < 13.5.1 · Fixed in: 13.5.1

Detection & IOCs (extracted from sources)

url: .well-known/webfinger?resource=http://x/{user})(sunKeyValue=userPassword={hash}*)(%%2526&rel=http://openid.net/specs/connect/1.0/issuer
path: /openam/.well-known/webfinger
path: /openam/ui/PWResetUserValidation
path: /OpenAM-11.0.0/ui/PWResetUserValidation
path: /ui/PWResetUserValidation
command: (sunKeyValue=userPassword=%s*)(%%2526&rel=http://openid.net/specs/connect/1.0/issuer
command: (sunKeyValue=userPassword=%s)(%%2526&rel=http://openid.net/specs/connect/1.0/issuer
yara: contains(body, "jato.pageSession") && status_code==200
  • Detect exploitation attempts by monitoring GET requests to the Webfinger endpoint containing LDAP injection metacharacters, specifically patterns with 'sunKeyValue=userPassword=' and wildcard '*' characters in the query string.
  • Differentiate successful LDAP injection probes by HTTP response code: a 200 OK response indicates the injected LDAP filter matched; a 404 Not Found indicates no match. Alert on 200 responses to Webfinger requests containing LDAP filter syntax.
  • Use Shodan/FOFA queries to identify exposed OpenAM instances as potential targets: search for http.title:"OpenAM" or title="openam".
  • Detect vulnerable OpenAM password-reset pages by checking for the presence of 'jato.pageSession' in the HTTP response body with a 200 status code at /openam/ui/PWResetUserValidation.
  • The injection is unauthenticated and targets the Webfinger protocol endpoint; no session or authentication token is required, so any source IP making these requests should be treated as suspicious.
  • The brute-force keyspace in the exploit is configured for password hashes by default; attackers targeting other data types (e.g., session tokens, private keys) will use a different character set, requiring broader detection coverage.
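As an added detection example (not from the page or from any source it cites), the Webfinger check described in the notes above run over constructed access-log lines in Python: it flags requests to the Webfinger endpoint whose resource parameter carries LDAP filter syntax, handles double percent-encoding, and classifies each hit by the 200/404 response rule. The log lines, IPs and hash values are constructed for the demonstration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Mar/2021:10:00:01 +0000] "GET /openam/.well-known/webfinger?resource=http://x/demo)(sunKeyValue=userPassword=%7BSSHA%7D*)(%2526&rel=http://openid.net/specs/connect/1.0/issuer HTTP/1.1" 200 512
203.0.113.7 - - [25/Mar/2021:10:00:02 +0000] "GET /openam/.well-known/webfinger?resource=http://x/demo)(sunKeyValue=userPassword=%7BSSHA%7Dz*)(%2526&rel=http://openid.net/specs/connect/1.0/issuer HTTP/1.1" 404 120
198.51.100.9 - - [25/Mar/2021:10:00:03 +0000] "GET /openam/.well-known/webfinger?resource=acct:alice@example.com&rel=http://openid.net/specs/connect/1.0/issuer HTTP/1.1" 200 300
198.51.100.9 - - [25/Mar/2021:10:00:04 +0000] "GET /openam/ui/PWResetUserValidation HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# LDAP filter syntax that never belongs in a legitimate Webfinger "resource" value:
# filter concatenation ")(", the sunKeyValue attribute, or a wildcard on userPassword.
LDAP_INJECTION_RE = re.compile(r"\)\(|sunKeyValue=|userPassword=[^&)]*\*", re.I)
WEBFINGER_PATH = "/.well-known/webfinger"

def inspect_request(target: str, status: int):
    # Return a finding dict if `target` is a Webfinger request carrying LDAP filter syntax, else None.
    url = urlsplit(target)
    if not url.path.endswith(WEBFINGER_PATH):
        return None
    # parse_qs percent-decodes once; decode once more to also catch double-encoded probes.
    for resource in parse_qs(url.query, keep_blank_values=True).get("resource", []):
        decoded = unquote(resource)
        if LDAP_INJECTION_RE.search(decoded):
            # Per the detection note: 200 means the injected filter matched, 404 means it did not.
            verdict = {200: "filter_matched", 404: "filter_no_match"}.get(status, "other")
            return {"resource": decoded, "status": status, "verdict": verdict}
    return None

def scan_log(text: str):
    # Run the check over every parseable line; one finding per suspicious request.
    findings = []
    for m in filter(None, map(LOG_RE.match, text.splitlines())):
        finding = inspect_request(m["target"], int(m["status"]))
        if finding:
            finding.update(ip=m["ip"], ts=m["ts"])
            findings.append(finding)
    return findings

def matched_probes_by_ip(findings):
    # Count 200-response (filter matched) probes per source IP: the events worth alerting on.
    counts = {}
    for f in findings:
        if f["verdict"] == "filter_matched":
            counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts
```

Running `scan_log(SAMPLE_LOG)` yields two findings from 203.0.113.7 (one matched, one not) and nothing for the legitimate acct: lookup; the password-reset page is not covered here because the jato.pageSession check needs the response body, which access logs do not record.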

CVSS provenance

nvd v3.1: 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
nvd v2.0: 5.0 MEDIUM (AV:N/AC:L/Au:N/C:P/I:N/A:N)
ghsa: 7.5 HIGH