
ForgeRock OpenAM vulnerabilities

6 known vulnerabilities affecting forgerock/openam.

Total CVEs: 6
CISA KEV: 1 (actively exploited)
Public exploits: 2
Exploited in wild: 1
Severity breakdown: CRITICAL 1, HIGH 2, MEDIUM 2, LOW 1

Vulnerabilities

CVE-2021-35464 | P1 | CRITICAL | CVSS 9.8 | KEV, PoC, Ransomware | Affected: ≥ 9.0.0, < 14.6.3 | Published: 2021-07-22
CWE-502. ForgeRock AM server before 7.0 has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. The exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted /ccversion/* request to the server. The vulnerability exists due to the usage of Sun ONE Application Fr
Source: nvd

CVE-2021-29156 | P2 | HIGH | CVSS 7.5 | PoC | Affected: fixed in 13.5.1 | Published: 2021-03-25
CWE-74. ForgeRock OpenAM before 13.5.1 allows LDAP injection via the Webfinger protocol. For example, an unauthenticated attacker can perform character-by-character retrieval of password hashes, or retrieve a session token or a private key.
Source: nvd

CVE-2016-10097 | P3 | HIGH | CVSS 7.5 | Affected: v10.1.0 | Published: 2017-01-02
CWE-611. XML External Entity (XXE) Vulnerability in /SSOPOST/metaAlias/%realm%/idpv2 in OpenAM - Access Management 10.1.0 allows remote attackers to read arbitrary files via the SAMLRequest parameter.
Source: nvd

CVE-2017-14394 | P4 | MEDIUM | CVSS 6.1 | Affected: ≥ 13.5.0, ≤ 13.5.1 | Published: 2019-06-19
CWE-601. OAuth 2.0 Authorization Server of ForgeRock Access Management (OpenAM) 13.5.0-13.5.1 and Access Management (AM) 5.0.0-5.1.1 does not correctly validate redirect_uri for some invalid requests, which allows attackers to perform phishing via an unvalidated redirect.
Source: nvd

CVE-2017-14395 | P4 | MEDIUM | CVSS 6.1 | Affected: ≥ 13.5.0, ≤ 13.5.1 | Published: 2019-06-19
CWE-79. Auth 2.0 Authorization Server of ForgeRock Access Management (OpenAM) 13.5.0-13.5.1 and Access Management (AM) 5.0.0-5.1.1 does not correctly validate redirect_uri for some invalid requests, which allows attackers to execute a script in the user's browser via reflected XSS.
Source: nvd

CVE-2014-7246 | P4 | LOW | CVSS 3.5 | Affected: v9.5.3, v9.5.4, +8 more | Published: 2014-11-14
CWE-20. The Core Server in OpenAM 9.5.3 through 9.5.5, 10.0.0 through 10.0.2, 10.1.0-Xpress, and 11.0.0 through 11.0.2, when deployed on a multi-server network, allows remote authenticated users to cause a denial of service (infinite loop) via a crafted cookie in a request.
Source: nvd