CVE-2021-35464
published 2021-07-22


Priority: P1 (100) · critical · CVSS 3.1 base score 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability (remediation due 2021-11-17)
Exploited in the wild
EPSS: 100.00% (100.0th percentile)
ForgeRock AM server before 7.0 has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. The exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted /ccversion/* request to the server. The vulnerability exists due to the usage of Sun ONE Application Framework (JATO) found in versions of Java 8 or earlier.

Affected (3 ranges)

Vendor | Product | Version range | Fixed in
forgerock | access_management | < 6.5.4 | 6.5.4
forgerock | openam | >= 9.0.0, < 14.6.3 | 14.6.3
openidentityplatform | openam | < 16.0.6 | 16.0.6

Detection & IOCs (extracted from sources)

path: /ccversion/*
path: ccversion/Version
path: oauth2/..;/ccversion/Version
other: jato.pageSession
bytes (URL-safe base64 of the serialized jato.pageSession payload, truncated):
AKztAAVzcgAXamF2YS51dGlsLlByaW9yaXR5UXVldWWU2jC0-z-CsQMAAkkABHNpemVMAApjb21wYXJhdG9ydAAWTGphdmEvdXRpbC9Db21wYXJhdG9yO3hwAAAAAnNyADBvcmcuYXBhY2hlLmNsaWNrLmNvbnRyb2wuQ29sdW1uJENvbHVtbkNvbXBhcmF0b3IAAAAAAAAAAQIAAkkADWFzY2VuZGluZ1NvcnRMAAZjb2x1bW50ACFMb3JnL2FwYWNoZS9jbGljay9jb250cm9sL0NvbHVtbjt4cA...
  • Detect WAF-bypass exploitation attempts that use the path traversal variant 'oauth2/..;/ccversion/Version'; match on the normalized path in HTTP request logs, not only on the raw URI.
  • Flag any unauthenticated GET or POST request that carries a serialized Java object (stream magic AC ED 00 05 after base64 decoding) in the jato.pageSession parameter and targets ForgeRock AM endpoints.
  • Exploitation does not require authentication; a single crafted request to /ccversion/* from an unauthenticated source is enough, so treat any such request as a high-priority alert.
  • Use Qualys QID 150623 and QID 730675 to detect vulnerable ForgeRock Access Management instances in your environment.
  • CVE-2026-33439 is a bypass of the CVE-2021-35464 mitigation (WhitelistObjectInputStream on jato.pageSession) via the jato.clientSession parameter; monitor both parameters for serialized Java objects.
  • The WAF-bypass variant 'oauth2/..;/ccversion/Version' circumvents perimeter controls that block only the canonical '/ccversion/Version' path, because the servlet container strips the ';' path parameter and resolves '..' before mapping the request; blocking only the canonical path is insufficient.
  • The vulnerability only affects ForgeRock AM versions 6.0.0.x and all 6.5 versions up to 6.5.3 running on Java 8 or earlier; AM 7.0+ is not affected.
  • The WhitelistObjectInputStream fix applied to jato.pageSession after CVE-2021-35464 does not protect the jato.clientSession parameter (CVE-2026-33439); patching CVE-2021-35464 alone may leave residual deserialization exposure.
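Detection logic for the indicators above, added here as an example; it is not taken from the page's sources or from ForgeRock's code. It normalizes request paths the way Tomcat does (so oauth2/..;/ccversion/Version resolves to the ccversion endpoint), base64-decodes jato.pageSession and jato.clientSession values, lists the class names a Java serialization stream declares, and runs the check over constructed access-log lines. The /openam deployment prefix, the client addresses and the log lines are assumptions; the serialized payload is the truncated IOC prefix quoted above, which decodes to a java.util.PriorityQueue whose comparator is org.apache.click.control.Column$ColumnComparator.

```python
import base64
import binascii
import re
from typing import Optional
from urllib.parse import parse_qsl, unquote, urlsplit

JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"        # java.io.ObjectOutputStream header
SUSPECT_PARAMS = ("jato.pageSession", "jato.clientSession")
CLASS_NAME_RE = re.compile(rb"[A-Za-z_$][A-Za-z0-9_$.]*")
# Apache common/combined log format; only the client and the request line are used.
CLF_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]*\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# jato.pageSession payload prefix quoted in the IOC list above (URL-safe base64, first 220 bytes).
IOC_PAGESESSION_PREFIX = (
    "AKztAAVzcgAXamF2YS51dGlsLlByaW9yaXR5UXVldWWU2jC0-z-CsQMAAkkABHNpemVMAApj"
    "b21wYXJhdG9ydAAWTGphdmEvdXRpbC9Db21wYXJhdG9yO3hwAAAAAnNyADBvcmcuYXBhY2hl"
    "LmNsaWNrLmNvbnRyb2wuQ29sdW1uJENvbHVtbkNvbXBhcmF0b3IAAAAAAAAAAQIAAkkADWFz"
    "Y2VuZGluZ1NvcnRMAAZjb2x1bW50ACFMb3JnL2FwYWNoZS9jbGljay9jb250cm9sL0NvbHVtbjt4cA"
)


def normalize_path(path: str) -> str:
    """Resolve a URI the way Tomcat does before servlet mapping: drop ';...' path
    parameters from each segment, then collapse '.' and '..' (so /openam/oauth2/..;/ccversion/Version
    reaches /openam/ccversion/Version while a prefix rule on the raw URI never fires)."""
    out = []
    for seg in unquote(path).split("/"):
        seg = seg.split(";", 1)[0]
        if seg == "..":
            if out:
                out.pop()
        elif seg and seg != ".":
            out.append(seg)
    return "/" + "/".join(out)


def decode_jato_value(value: str) -> Optional[bytes]:
    """Base64-decode a jato.* value in either the URL-safe or the standard alphabet."""
    raw = value.strip().replace(" ", "+").replace("-", "+").replace("_", "/")
    raw += "=" * (-len(raw) % 4)
    try:
        return base64.b64decode(raw, validate=True)
    except (binascii.Error, ValueError):
        return None


def serialized_class_names(blob: bytes) -> list:
    """Return class names declared by TC_CLASSDESC (0x72) records: the tag, a
    big-endian u2 length, then that many ASCII bytes of the class name."""
    names, i = [], 0
    while (i := blob.find(b"\x72", i)) != -1 and i + 3 <= len(blob):
        length = int.from_bytes(blob[i + 1:i + 3], "big")
        name = blob[i + 3:i + 3 + length]
        if 0 < length < 256 and len(name) == length and CLASS_NAME_RE.fullmatch(name):
            names.append(name.decode("ascii"))
            i += 3 + length
        else:
            i += 1
    return names


def analyze_request(method: str, target: str, body: str = "") -> dict:
    """Classify one request; a form body is passed separately since access logs omit it."""
    parts = urlsplit(target)
    norm = normalize_path(parts.path)
    params = parse_qsl(parts.query, keep_blank_values=True) + parse_qsl(body, keep_blank_values=True)
    serialized = {}
    for name, value in params:
        if name not in SUSPECT_PARAMS:
            continue
        blob = decode_jato_value(value)
        # The page's sample has one byte ahead of the stream magic, so allow a small offset.
        if blob is not None and 0 <= blob.find(JAVA_STREAM_MAGIC) <= 4:
            serialized[name] = serialized_class_names(blob)
    ccversion = "/ccversion/" in norm + "/"
    return {
        "method": method,
        "normalized_path": norm,
        "ccversion": ccversion,
        # True when the raw URI had to be rewritten to reach the endpoint (the WAF-bypass variant).
        "obfuscated_path": ccversion and norm != unquote(parts.path).rstrip("/"),
        "serialized_params": serialized,
        "alert": ccversion or bool(serialized),
    }


def scan_log(lines) -> list:
    """Run analyze_request over access-log lines and return the alerting findings."""
    alerts = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue
        finding = analyze_request(m["method"], m["target"])
        if finding["alert"]:
            finding["client"] = m["client"]
            alerts.append(finding)
    return alerts


# Constructed sample log lines (not real traffic); the attacker lines carry the IOC prefix.
SAMPLE_LOG = [
    '198.51.100.7 - - [22/Jul/2021:10:01:12 +0000] "GET /openam/json/authenticate HTTP/1.1" 401 88',
    '203.0.113.9 - - [22/Jul/2021:10:02:41 +0000] "GET /openam/oauth2/..;/ccversion/Version'
    '?jato.pageSession=' + IOC_PAGESESSION_PREFIX + ' HTTP/1.1" 500 1187',
    '203.0.113.9 - - [22/Jul/2021:10:02:43 +0000] "POST /openam/ccversion/Version HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["client"], f["method"], f["normalized_path"], f["serialized_params"])
```

The class-name listing is what lets a responder separate a page-state blob from a gadget chain such as the PriorityQueue/ColumnComparator pair in the IOC, and the same decoder applies to jato.clientSession without change. Because access logs do not record POST bodies, feed the body argument from WAF or reverse-proxy request captures when hunting for POST-based delivery.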

CVSS provenance

nvd v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
nvd v2.0: 10.0 CRITICAL (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ghsa: 9.8 CRITICAL
osv: 9.8 CRITICAL
vulncheck: 9.8 CRITICAL
cisa: 9.8 CRITICAL