CVE-2021-29156
Published 2021-03-25. Priority P273 (high). CVSS 3.1 base score 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). Exploit available. EPSS 76.39% (99.5th percentile).
ForgeRock OpenAM before 13.5.1 allows LDAP injection via the Webfinger protocol. For example, an unauthenticated attacker can perform character-by-character retrieval of password hashes, or retrieve a session token or a private key.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| forgerock | openam | < 13.5.1 | 13.5.1 |
Detection & IOCs (extracted from sources)
URL pattern: .well-known/webfinger?resource=http://x/{user})(sunKeyValue=userPassword={hash}*)(%%2526&rel=http://openid.net/specs/connect/1.0/issuer
Matcher rule (labelled "yara" in the source): contains(body, "jato.pageSession") && status_code==200
- Detect exploitation attempts by monitoring GET requests to the Webfinger endpoint containing LDAP injection metacharacters, specifically patterns with 'sunKeyValue=userPassword=' and wildcard '*' characters in the query string.
- Differentiate successful LDAP injection probes by HTTP response code: a 200 OK response indicates the injected LDAP filter matched; a 404 Not Found indicates no match. Alert on 200 responses to Webfinger requests containing LDAP filter syntax.
- Use Shodan/FOFA queries to identify exposed OpenAM instances as potential targets: search for http.title:"OpenAM" or title="openam".
- Detect vulnerable OpenAM password-reset pages by checking for the presence of 'jato.pageSession' in the HTTP response body with a 200 status code at /openam/ui/PWResetUserValidation.
- The injection is unauthenticated and targets the Webfinger protocol endpoint; no session or authentication token is required, so any source IP making these requests should be treated as suspicious.
- The brute-force keyspace in the exploit is configured for password hashes by default; attackers targeting other data types (e.g., session tokens, private keys) will use a different character set, requiring broader detection coverage.
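An added detection example, not from the page or any of the cited sources, that implements the first two notes above over constructed access-log lines: it flags GET requests to the Webfinger endpoint whose decoded query carries LDAP filter syntax, and reads the response code as the oracle outcome (200 matched, 404 did not). The combined log format, the sample IPs and the sample query values are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format), not taken from the page:
# a benign WebFinger lookup, then two requests carrying the injection pattern from the
# detection notes, one answered 200 (filter matched) and one 404 (no match).
SAMPLE_LOG = """\
10.0.0.5 - - [25/Mar/2021:10:00:01 +0000] "GET /openam/.well-known/webfinger?resource=acct:alice@example.com&rel=http://openid.net/specs/connect/1.0/issuer HTTP/1.1" 200 312
198.51.100.7 - - [25/Mar/2021:10:00:02 +0000] "GET /openam/.well-known/webfinger?resource=http://x/alice)(sunKeyValue=userPassword=a*)(%2526&rel=http://openid.net/specs/connect/1.0/issuer HTTP/1.1" 200 312
198.51.100.7 - - [25/Mar/2021:10:00:03 +0000] "GET /openam/.well-known/webfinger?resource=http://x/alice)(sunKeyValue=userPassword=b*)(%2526&rel=http://openid.net/specs/connect/1.0/issuer HTTP/1.1" 404 0
"""

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
WEBFINGER_PATH = "/.well-known/webfinger"
LDAP_META = re.compile(r"\)\(|\*")  # clause boundary ")(" or wildcard: never legitimate in a resource URI
KNOWN_SIGNATURE = re.compile(r"sunKeyValue=userPassword=", re.IGNORECASE)  # attribute probe named in the notes


def classify_request(line):
    """Return an alert dict for a GET to the WebFinger endpoint carrying LDAP filter syntax, else None."""
    m = LOG_RE.match(line)
    if not m or m.group("method") != "GET":
        return None
    path, _, query = m.group("target").partition("?")
    if not path.endswith(WEBFINGER_PATH):
        return None
    decoded = unquote(unquote(query))  # twice: the IOC double-encodes '&' (%2526) to keep the filter in one parameter
    if not LDAP_META.search(decoded):
        return None
    status = int(m.group("status"))
    return {"src": m.group("src"), "status": status,
            "known_signature": bool(KNOWN_SIGNATURE.search(decoded)),
            "filter_matched": status == 200}  # 200: injected filter matched; 404: no match


def scan(lines):
    """Alerts for every line that classify_request flags."""
    return [a for a in map(classify_request, lines) if a]


def summarize(alerts):
    """Per-source totals: how many probes, and how many the server answered 200 (oracle 'yes')."""
    out = {}
    for a in alerts:
        s = out.setdefault(a["src"], {"probes": 0, "matched": 0})
        s["probes"] += 1
        s["matched"] += int(a["filter_matched"])
    return out
```

A source with many probes and a rising `matched` count is the character-by-character retrieval described above in progress; a single probe with no 200 is still worth a ticket, since no legitimate Webfinger client sends filter syntax.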
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| ghsa | | 7.5 | HIGH | |
GHSA
CVE-2026-41573 [HIGH] CWE-74: OpenAM has LDAP Injection via `_queryId` Parameter (ghsa, 2026-06-22, CVSS 7.5)
OpenAM (Open Identity Platform) is an open-source IAM platform providing SSO, OAuth2, SAML, and OpenID Connect capabilities. The CREST REST API layer exposes user query endpoints under `/json/{realm}/users`. In `IdentityResourceV1.queryCollection()`, the HTTP query parameter `_queryId` is passed to a `CrestQuery` object with `escapeQueryId` **explicitly set to `false`**, bypassing the escape protection introduced as part of the CVE-2021-29156 fix. The unescaped value flows directly to `DJLDAPv3Repo.getFilter()` where it is concatenated into an LDAP filter string without sanitization, enabling authenticated attackers to inject arbitrary LDAP metacharacters for user enumeration and blind LDAP injection.
## Affected Endpoint
| Endpoint |
GHSA
CVE-2021-29156 [HIGH] CWE-74: GHSA-8984-9gww-h52x: ForgeRock OpenAM before 13 (ghsa_unreviewed, 2022-05-24)
No detection rules found.
Exploit-DB
CVE-2021-29156 [HIGH]: OpenAM 13.0 - LDAP Injection (exploitdb, 2021-11-03, CVSS 7.5)
```text
# Exploit Title: OpenAM 13.0 - LDAP Injection
# Date: 03/11/2021
# Exploit Author: Charlton Trezevant, GuidePoint Security
# Vendor Homepage: https://www.forgerock.com/
# Software Link: https://github.com/OpenIdentityPlatform/OpenAM/releases/tag/13.0.0,
# https://backstage.forgerock.com/docs/openam/13/install-guide/index.html#deploy-openam
# Version: OpenAM v13.0.0
# Tested on: go1.17.2 darwin/amd64
# CVE: CVE-2021-29156
#
# This vulnerability allows an attacker to extract a variety of information
# (such as a user's password hash) from vulnerable OpenAM servers via LDAP
# injection, using a character-by-character brute force attack.
#
# https://github.com/guidepointsecurity/CVE-2021-29156
# https://nvd.nist.gov/vuln/detail/CVE-2021-29156
# https://portsw
```
Nuclei
CVE-2021-29156 [HIGH]: LDAP Injection In OpenAM (nuclei, CVSS 7.5)
OpenAM contains an LDAP injection vulnerability. When a user tries to reset their password, they are asked to enter a username, and the backend then validates through an LDAP query whether that user exists. If the user exists, the password reset token is sent to the user's email. Enumeration can allow for full password retrieval.
Template:
```yaml
id: CVE-2021-29156
info:
  name: LDAP Injection In OpenAM
  author: melbadry9,xelkomy
  severity: high
  description: OpenAM contains an LDAP injection vulnerability. When a user tries to reset his password, they are asked to enter username, and then the backend validates whether the user exists or not through an LDAP query. If the user exists, the password reset token is sent to the user's email. Enumeration can allow for full password retrieval.
```
HackerOne
CVE-2021-29156 [HIGH]: [CVE-2021-29156] LDAP Injection at https://██████ (hackerone, 2021-08-26, CVSS 7.5)
**Description:**
https://█████ is vulnerable to CVE-2021-29156
## References
* https://hackerone.com/reports/1278050
* https://nvd.nist.gov/vuln/detail/CVE-2021-29156
* https://portswigger.net/research/hidden-oauth-attack-vectors
* https://github.com/projectdiscovery/nuclei-templates/blob/74db4223c11d27a934ca1c417aa4abca9e70ad35/cves/2021/CVE-2021-29156.yaml
## Impact
ForgeRock OpenAM before 13.5.1 allows LDAP injection via the Webfinger protocol. For example, an unauthenticated attacker can perform character-by-character retrieval of password hashes, or retrieve a session token or a private key.
## System Host(s)
███████
## Affected Product(s) and Version(s)
## CVE Numbers
CVE-2021-29156
## Steps to Reproduce
The references mentio
HackerOne
CVE-2021-29156 [HIGH]: [CVE-2021-29156 on ForgeRock OpenAm] LDAP Injection in Webfinger Protocol! (hackerone, 2021-08-19, CVSS 7.5)
**Description:**
https://████████ is vulnerable to CVE-2021-29156.
## References
* https://nvd.nist.gov/vuln/detail/CVE-2021-29156
* https://portswigger.net/research/hidden-oauth-attack-vectors
* https://github.com/projectdiscovery/nuclei-templates/blob/74db4223c11d27a934ca1c417aa4abca9e70ad35/cves/2021/CVE-2021-29156.yaml
## Impact
ForgeRock OpenAM before 13.5.1 allows LDAP injection via the Webfinger protocol. For example, an unauthenticated attacker can perform character-by-character retrieval of password hashes, or retrieve a session token or a private key.
## System Host(s)
████████
## Affected Product(s) and Version(s)
## CVE Numbers
CVE-2021-29156
## Steps to Reproduce
The references mentioned shall