
OpenIdentityPlatform OpenAM vulnerabilities

6 known vulnerabilities affecting openidentityplatform/openam.

Total CVEs: 6
CISA KEV: 1 (actively exploited)
Public exploits: 3
Exploited in wild: 1
Severity breakdown: CRITICAL 3, HIGH 2, MEDIUM 1

Vulnerabilities

CVE-2021-35464 | P1 | CRITICAL | CVSS 9.8 | KEV | PoC | Ransomware | fixed in 16.0.6 | 2021-07-22
CVE-2021-35464 [CRITICAL] CWE-502: ForgeRock AM server before 7.0 has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. The exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted /ccversion/* request to the server. The vulnerability exists due to the usage of Sun ONE Application Fr
Source: NVD
CVE-2026-33439 | P1 | CRITICAL | CVSS 9.8 | PoC | fixed in 16.0.6 | 2026-04-07
CVE-2026-33439 [CRITICAL]: Open Access Management (OpenAM) is an access management solution. Prior to 16.0.6, OpenIdentityPlatform OpenAM is vulnerable to pre-authentication Remote Code Execution (RCE) via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypasses the WhitelistObjectInputStream mitigation that was applied to the jato.pageSession parameter a
Source: NVD
CVE-2024-41667 | P2 | HIGH | CVSS 8.8 | PoC | fixed in 15.0.4 | 2024-07-24
CVE-2024-41667 [HIGH] CWE-94: OpenAM is an open access management solution. In versions 15.0.3 and prior, the `getCustomLoginUrlTemplate` method in RealmOAuth2ProviderSettings.java is vulnerable to template injection due to its usage of user input. Although the developer intended to implement a custom URL for handling login to override the default OpenAM login, they did not restric
Source: NVD
CVE-2023-37471 | P2 | CRITICAL | CVSS 9.8 | fixed in 14.7.3 | 2023-07-20
CVE-2023-37471 [CRITICAL] CWE-287: Open Access Management (OpenAM) is an access management solution that includes Authentication, SSO, Authorization, Federation, Entitlements and Web Services Security. OpenAM up to version 14.7.2 does not properly validate the signature of SAML responses received as part of the SAMLv1.x Single Sign-On process. Attackers can use this fact to imperson
Source: NVD
CVE-2025-64099 | P3 | HIGH | CVSS 8.1 | fixed in 16.0.0 | 2025-11-12
CVE-2025-64099 [HIGH] CWE-74: Open Access Management (OpenAM) is an access management solution. In versions prior to 16.0.0, if the "claims_parameter_supported" parameter is activated, it is possible, thanks to the "oidc-claims-extension.groovy" script, to inject the value of one's choice into a claim contained in the id_token or in the user_info. In the request of an authorize fun
Source: NVD
CVE-2022-34298 | P4 | MEDIUM | CVSS 5.3 | fixed in 14.6.6 | 2022-06-23
CVE-2022-34298 [MEDIUM]: The NT auth module in OpenAM before 14.6.6 allows a "replace Samba username attack."
Source: NVD