Vulnerabilities related to forgerock - access_management
Vulnerability from fkie_nvd
Published
2022-02-14 22:15
Modified
2024-11-21 06:37
Severity
9.6 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Missing access control in ForgeRock Access Management 7.1.0 and earlier versions on all platforms allows remote unauthenticated attackers to hijack sessions, including potentially admin-level sessions. This issue affects: ForgeRock Access Management 7.1 versions prior to 7.1.1; 6.5 versions prior to 6.5.4; all previous versions.
References
Source | URL | Tags
---|---|---
psirt@forgerock.com | https://backstage.forgerock.com/knowledge/kb/article/a50037155#x7ZPA0 | Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://backstage.forgerock.com/knowledge/kb/article/a50037155#x7ZPA0 | Patch, Vendor Advisory
Impacted products
Vendor | Product | Version
---|---|---
forgerock | access_management | 5.5.2
forgerock | access_management | 6.0.0
forgerock | access_management | 6.0.0.1
forgerock | access_management | 6.0.0.2
forgerock | access_management | 6.0.0.3
forgerock | access_management | 6.0.0.4
forgerock | access_management | 6.0.0.6
forgerock | access_management | 6.0.0.7
forgerock | access_management | 6.5.0
forgerock | access_management | 6.5.0.1
forgerock | access_management | 6.5.0.2
forgerock | access_management | 6.5.1
forgerock | access_management | 6.5.2.1
forgerock | access_management | 6.5.2.2
forgerock | access_management | 6.5.2.3
forgerock | access_management | 6.5.3
forgerock | access_management | 7.0.0
forgerock | access_management | 7.0.1
forgerock | access_management | 7.0.2
forgerock | access_management | 7.1.0
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:forgerock:access_management:5.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "81409362-E21B-4956-BE64-7A07188DDB77", "vulnerable": true }, { "criteria": "cpe:2.3:a:forgerock:access_management:6.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "F11F7FD9-9FB7-472F-B4CA-E2EBF3930051", "vulnerable": true }, { "criteria": "cpe:2.3:a:forgerock:access_management:6.0.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "3A2E2315-212A-4652-84D9-3E962FB97238", "vulnerable": true }, { "criteria": "cpe:2.3:a:forgerock:access_management:6.0.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "17E11560-BB97-4A62-B6FE-004E9CD7AABC", "vulnerable": true }, { "criteria": "cpe:2.3:a:forgerock:access_management:6.0.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "53CC11DF-351C-4412-B44B-DDA7A9229812", "vulnerable": true }, { "criteria": "cpe:2.3:a:forgerock:access_management:6.0.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "61C0168C-C23E-4282-8CE4-557624BAC52B", "vulnerable": true }, { "criteria": "cpe:2.3:a:forgerock:access_management:6.0.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "029858A3-5920-41FA-96A9-5973802C4995", "vulnerable": true }, { "criteria": "cpe:2.3:a:forgerock:access_management:6.0.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "43A69DFF-405B-4869-A570-C39521262D94", "vulnerable": true }, { "criteria": "cpe:2.3:a:forgerock:access_management:6.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "8B8556CA-F9C8-4DF8-8951-EB58CE02A639", "vulnerable": true }, { "criteria": "cpe:2.3:a:forgerock:access_management:6.5.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "37945318-07E9-4E2E-B71E-0DD7F5630571", "vulnerable": true }, { "criteria": "cpe:2.3:a:forgerock:access_management:6.5.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "7480E543-6823-4E2E-AEDD-A9BC21609E89", "vulnerable": true }, { "criteria": "cpe:2.3:a:forgerock:access_management:6.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "E31AD7C7-9145-4EBC-A1A1-531B77BEFB0C", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:forgerock:access_management:6.5.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "C1431E8B-A15E-4ED9-97D9-7E9226C23863", "vulnerable": true }, { "criteria": "cpe:2.3:a:forgerock:access_management:6.5.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "E78929D6-90B5-4FB2-BCA0-327D69D85C66", "vulnerable": true }, { "criteria": "cpe:2.3:a:forgerock:access_management:6.5.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "EE525AD5-4B68-4063-A183-FA63B9EC7FF7", "vulnerable": true }, { "criteria": "cpe:2.3:a:forgerock:access_management:6.5.3:*:*:*:*:*:*:*", "matchCriteriaId": "F3D7F2DE-8E77-4268-9F8B-D95954A31140", "vulnerable": true }, { "criteria": "cpe:2.3:a:forgerock:access_management:7.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "133B3A99-A25A-46A7-8663-282B7146E33C", "vulnerable": true }, { "criteria": "cpe:2.3:a:forgerock:access_management:7.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "0054E664-0BB8-49B9-8793-03C26873F139", "vulnerable": true }, { "criteria": "cpe:2.3:a:forgerock:access_management:7.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "93E6DB1C-1085-4F63-9FA5-19D3E8B80A34", "vulnerable": true }, { "criteria": "cpe:2.3:a:forgerock:access_management:7.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "9725E909-8707-402E-939B-EC6FA6FA0984", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Missing access control in ForgeRock Access Management 7.1.0 and earlier versions on all platforms allows remote unauthenticated attackers to hijack sessions, including potentially admin-level sessions. This issue affects: ForgeRock Access Management 7.1 versions prior to 7.1.1; 6.5 versions prior to 6.5.4; all previous versions." }, { "lang": "es", "value": "Una falta de control de acceso en ForgeRock Access Management versi\u00f3n 7.1.0 y versiones anteriores, en todas las plataformas permite a atacantes remotos no autenticados secuestrar sesiones, incluyendo potencialmente sesiones a nivel de administrador. 
Este problema afecta a: ForgeRock Access Management versiones 7.1 anteriores a 7.1.1; versiones 6.5 anteriores a 6.5.4; todas las versiones anteriores" } ], "id": "CVE-2021-4201", "lastModified": "2024-11-21T06:37:08.123", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 6.0, "source": "psirt@forgerock.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-02-14T22:15:07.830", "references": [ { "source": "psirt@forgerock.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://backstage.forgerock.com/knowledge/kb/article/a50037155#x7ZPA0" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://backstage.forgerock.com/knowledge/kb/article/a50037155#x7ZPA0" } ], "sourceIdentifier": "psirt@forgerock.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-284" } ], "source": "psirt@forgerock.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-287" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-08-25 21:15
Modified
2024-11-21 06:14
Severity
Summary
In ForgeRock Access Management (AM) before 7.0.2, the SAML2 implementation allows XML injection, potentially enabling a fraudulent SAML 2.0 assertion.
References
Source | URL | Tags
---|---|---
cve@mitre.org | https://backstage.forgerock.com/knowledge/kb/article/a55763454 | Vendor Advisory
cve@mitre.org | https://www.forgerock.com/platform/access-management | Product, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://backstage.forgerock.com/knowledge/kb/article/a55763454 | Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://www.forgerock.com/platform/access-management | Product, Vendor Advisory
Impacted products
Vendor | Product | Version
---|---|---
forgerock | access_management | *
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:forgerock:access_management:*:*:*:*:*:*:*:*", "matchCriteriaId": "4581CFF0-F5D2-4DF6-8E87-DCF74DAC775C", "versionEndExcluding": "7.0.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "In ForgeRock Access Management (AM) before 7.0.2, the SAML2 implementation allows XML injection, potentially enabling a fraudulent SAML 2.0 assertion." }, { "lang": "es", "value": "En ForgeRock Access Management (AM) versiones anteriores a 7.0.2, la implementaci\u00f3n de SAML2 permite una inyecci\u00f3n de XML, permitiendo potencialmente una aserci\u00f3n fraudulenta de SAML versi\u00f3n 2.0." } ], "id": "CVE-2021-37154", "lastModified": "2024-11-21T06:14:44.580", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-08-25T21:15:08.470", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], 
"url": "https://backstage.forgerock.com/knowledge/kb/article/a55763454" }, { "source": "cve@mitre.org", "tags": [ "Product", "Vendor Advisory" ], "url": "https://www.forgerock.com/platform/access-management" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://backstage.forgerock.com/knowledge/kb/article/a55763454" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product", "Vendor Advisory" ], "url": "https://www.forgerock.com/platform/access-management" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-91" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2022-10-27 17:15
Modified
2024-11-21 06:50
Severity
7.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
An attacker can use the unrestricted LDAP queries to determine configuration entries.
References
Impacted products
Vendor | Product | Version
---|---|---
forgerock | access_management | *
forgerock | access_management | *
forgerock | access_management | *
forgerock | access_management | *
forgerock | access_management | 6.5.1
forgerock | access_management | 6.5.3
forgerock | access_management | 6.5.4
forgerock | access_management | 7.1.0
forgerock | access_management | 7.1.1
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:forgerock:access_management:*:*:*:*:*:*:*:*", "matchCriteriaId": "4162CDDD-B604-4B3C-AAA1-14D33FE1EF45", "versionEndIncluding": "6.0.0.7", "versionStartIncluding": "6.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:forgerock:access_management:*:*:*:*:*:*:*:*", "matchCriteriaId": "6D9D6502-4993-46CE-9FDC-71808D76C416", "versionEndIncluding": "6.5.0.2", "versionStartIncluding": "6.5.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:forgerock:access_management:*:*:*:*:*:*:*:*", "matchCriteriaId": "C9AC242A-391E-463D-8C00-28CE22D6339E", "versionEndIncluding": "6.5.2.3", "versionStartIncluding": "6.5.2.1", "vulnerable": true }, { "criteria": "cpe:2.3:a:forgerock:access_management:*:*:*:*:*:*:*:*", "matchCriteriaId": "D66C82CB-63C8-4A3C-AD19-08CD666F8C9D", "versionEndIncluding": "7.0.2", "versionStartIncluding": "7.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:forgerock:access_management:6.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "E31AD7C7-9145-4EBC-A1A1-531B77BEFB0C", "vulnerable": true }, { "criteria": "cpe:2.3:a:forgerock:access_management:6.5.3:*:*:*:*:*:*:*", "matchCriteriaId": "F3D7F2DE-8E77-4268-9F8B-D95954A31140", "vulnerable": true }, { "criteria": "cpe:2.3:a:forgerock:access_management:6.5.4:*:*:*:*:*:*:*", "matchCriteriaId": "F4CB42E3-B330-4202-87A4-EC503D569C78", "vulnerable": true }, { "criteria": "cpe:2.3:a:forgerock:access_management:7.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "9725E909-8707-402E-939B-EC6FA6FA0984", "vulnerable": true }, { "criteria": "cpe:2.3:a:forgerock:access_management:7.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "C5AEAE88-FA4F-4970-A5AB-A1FDBC2A447A", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "An attacker can use the unrestricted LDAP queries to determine configuration entries" }, { "lang": "es", "value": "Un atacante puede utilizar las consultas LDAP sin restricciones para 
determinar las entradas de configuraci\u00f3n." } ], "id": "CVE-2022-24670", "lastModified": "2024-11-21T06:50:49.940", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "psirt@forgerock.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-10-27T17:15:09.813", "references": [ { "source": "psirt@forgerock.com", "tags": [ "Product" ], "url": "https://backstage.forgerock.com/downloads/browse/am/featured" }, { "source": "psirt@forgerock.com", "tags": [ "Vendor Advisory" ], "url": "https://backstage.forgerock.com/knowledge/kb/article/a90639318" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product" ], "url": "https://backstage.forgerock.com/downloads/browse/am/featured" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://backstage.forgerock.com/knowledge/kb/article/a90639318" } ], "sourceIdentifier": "psirt@forgerock.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": "psirt@forgerock.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": 
"nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-10-29 16:15
Modified
2024-11-08 15:38
Severity
Summary
An Open-Redirect vulnerability exists in PingAM where well-crafted requests may cause improper validation of redirect URLs. This could allow an attacker to redirect end-users to malicious sites under their control, simplifying phishing attacks.
References
Impacted products
Vendor | Product | Version
---|---|---
forgerock | access_management | *
forgerock | access_management | *
forgerock | access_management | *
forgerock | access_management | 7.3.0
forgerock | access_management | 7.3.1
forgerock | access_management | 7.4.0
forgerock | access_management | 7.4.1
forgerock | access_management | 7.5.0
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:forgerock:access_management:*:*:*:*:*:*:*:*", "matchCriteriaId": "9FFF5D8C-AF14-4120-BD21-E90C168FDE83", "versionEndIncluding": "7.0.2", "vulnerable": true }, { "criteria": "cpe:2.3:a:forgerock:access_management:*:*:*:*:*:*:*:*", "matchCriteriaId": "4DC330E6-C70E-4035-A894-CE9F6BC4E30A", "versionEndIncluding": "7.1.4", "versionStartIncluding": "7.1.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:forgerock:access_management:*:*:*:*:*:*:*:*", "matchCriteriaId": "1D9F54DE-CA12-455F-98E3-B0AEC64DF3A3", "versionEndIncluding": "7.2.2", "versionStartIncluding": "7.2.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:forgerock:access_management:7.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "C2B38BE7-6A73-400C-B6CC-FED6C0FE7612", "vulnerable": true }, { "criteria": "cpe:2.3:a:forgerock:access_management:7.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "9A79687F-7972-4032-8694-A4567531292F", "vulnerable": true }, { "criteria": "cpe:2.3:a:forgerock:access_management:7.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "1CC06681-7D1B-4F04-80BD-AE5BC3E283BA", "vulnerable": true }, { "criteria": "cpe:2.3:a:forgerock:access_management:7.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "C94CD667-557E-476A-8950-2123793CFE4B", "vulnerable": true }, { "criteria": "cpe:2.3:a:forgerock:access_management:7.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "C15731F3-5D9E-49B2-85AE-3F220D672031", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "An Open-Redirect vulnerability exists in PingAM where well-crafted requests may cause improper validation of redirect URLs. 
This could allow an attacker to redirect end-users to malicious sites under their control, simplifying phishing attacks" }, { "lang": "es", "value": "Existe una vulnerabilidad de redireccionamiento abierto en PingAM, en la que las solicitudes bien manipuladas pueden provocar una validaci\u00f3n incorrecta de las URL de redireccionamiento. Esto podr\u00eda permitir que un atacante redirija a los usuarios finales a sitios maliciosos bajo su control, lo que simplifica los ataques de phishing." } ], "id": "CVE-2024-25566", "lastModified": "2024-11-08T15:38:56.150", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ], "cvssMetricV40": [ { "cvssData": { "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "NONE", 
"providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "subsequentSystemIntegrity": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "NONE", "vulnerableSystemConfidentiality": "LOW", "vulnerableSystemIntegrity": "LOW" }, "source": "responsible-disclosure@pingidentity.com", "type": "Secondary" } ] }, "published": "2024-10-29T16:15:04.947", "references": [ { "source": "responsible-disclosure@pingidentity.com", "tags": [ "Product" ], "url": "https://backstage.forgerock.com/downloads/browse/am/featured" }, { "source": "responsible-disclosure@pingidentity.com", "tags": [ "Mitigation", "Vendor Advisory" ], "url": "https://backstage.forgerock.com/knowledge/advisories/article/a63463303" } ], "sourceIdentifier": "responsible-disclosure@pingidentity.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-601" } ], "source": "responsible-disclosure@pingidentity.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-601" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-06-19 22:15
Modified
2024-11-21 03:12
Severity
Summary
Auth 2.0 Authorization Server of ForgeRock Access Management (OpenAM) 13.5.0-13.5.1 and Access Management (AM) 5.0.0-5.1.1 does not correctly validate redirect_uri for some invalid requests, which allows attackers to execute a script in the user's browser via reflected XSS.
References
Impacted products
Vendor | Product | Version
---|---|---
forgerock | access_management | *
forgerock | openam | *
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:forgerock:access_management:*:*:*:*:*:*:*:*", "matchCriteriaId": "31F2A6D9-D3BB-4D1D-BA49-D120B32EF6D7", "versionEndIncluding": "5.1.1", "versionStartIncluding": "5.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:forgerock:openam:*:*:*:*:*:*:*:*", "matchCriteriaId": "C991BD33-4EE1-4CD4-80EF-4F539F27E159", "versionEndIncluding": "13.5.1", "versionStartIncluding": "13.5.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Auth 2.0 Authorization Server of ForgeRock Access Management (OpenAM) 13.5.0-13.5.1 and Access Management (AM) 5.0.0-5.1.1 does not correctly validate redirect_uri for some invalid requests, which allows attackers to execute a script in the user\u0027s browser via reflected XSS." }, { "lang": "es", "value": "El servidor de autorizaci\u00f3n Auth versi\u00f3n 2.0 de ForgeRock Access Management (OpenAM) versi\u00f3n 13.5.0-13.5.1 y Access Management (AM) versi\u00f3n 5.0.0-5.1.1, no comprueba correctamente redirect_uri para algunas peticiones no v\u00e1lidas, lo que permite a los atacantes ejecutar un script en el navegador del usuario por medio de un XSS reflejado." 
} ], "id": "CVE-2017-14395", "lastModified": "2024-11-21T03:12:41.650", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-06-19T22:15:13.673", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://backstage.forgerock.com/knowledge/kb/article/a45958025" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://backstage.forgerock.com/knowledge/kb/article/a45958025" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-04-14 15:15
Modified
2024-11-21 07:20
Severity
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Improper Authorization vulnerability in ForgeRock Inc. Access Management allows Authentication Bypass. This issue affects Access Management: from 6.5.0 through 7.2.0.
References
Impacted products
Vendor | Product | Version
---|---|---
forgerock | access_management | *
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:forgerock:access_management:*:*:*:*:*:*:*:*", "matchCriteriaId": "4AC241F8-7562-4EF8-9F10-A4E0FC698CD1", "versionEndIncluding": "7.2.0", "versionStartIncluding": "6.5.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Improper Authorization vulnerability in ForgeRock Inc. Access Management allows Authentication Bypass.\u00a0This issue affects Access Management: from 6.5.0 through 7.2.0." } ], "id": "CVE-2022-3748", "lastModified": "2024-11-21T07:20:10.317", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "psirt@forgerock.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2023-04-14T15:15:07.413", "references": [ { "source": "psirt@forgerock.com", "tags": [ "Permissions Required" ], "url": "https://backstage.forgerock.com/downloads/browse/am/all/productId:am" }, { "source": "psirt@forgerock.com", "tags": [ "Vendor Advisory" ], "url": "https://backstage.forgerock.com/knowledge/kb/article/a34332318" }, { "source": "psirt@forgerock.com", "tags": [ "Vendor 
Advisory" ], "url": "https://backstage.forgerock.com/knowledge/kb/article/a92134872" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Permissions Required" ], "url": "https://backstage.forgerock.com/downloads/browse/am/all/productId:am" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://backstage.forgerock.com/knowledge/kb/article/a34332318" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://backstage.forgerock.com/knowledge/kb/article/a92134872" } ], "sourceIdentifier": "psirt@forgerock.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-285" } ], "source": "psirt@forgerock.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2018-02-21 00:29
Modified
2024-11-21 04:11
Severity
Summary
The REST APIs in ForgeRock AM before 5.5.0 include SSOToken IDs as part of the URL, which allows attackers to obtain sensitive information by finding an ID value in a log file.
References
Source | URL | Tags
---|---|---
cve@mitre.org | https://backstage.forgerock.com/knowledge/kb/book/b21824339 | Vendor Advisory
cve@mitre.org | https://hansesecure.de/vulnerability-in-am/ | Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://backstage.forgerock.com/knowledge/kb/book/b21824339 | Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://hansesecure.de/vulnerability-in-am/ | Third Party Advisory
Impacted products
Vendor | Product | Version
---|---|---
forgerock | access_management | *
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:forgerock:access_management:*:*:*:*:*:*:*:*", "matchCriteriaId": "EBBE1789-2E45-40FC-9EFA-AE87C95ABCCD", "versionEndExcluding": "5.5.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The REST APIs in ForgeRock AM before 5.5.0 include SSOToken IDs as part of the URL, which allows attackers to obtain sensitive information by finding an ID value in a log file." }, { "lang": "es", "value": "Las API REST en ForgeRock AM, en versiones anteriores a la 5.5.0, incluyen ID SSOToken como parte de la URL. Esto permite que atacantes obtengan informaci\u00f3n sensible encontrando un valor de ID en un archivo de registro." } ], "id": "CVE-2018-7272", "lastModified": "2024-11-21T04:11:54.870", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2018-02-21T00:29:00.270", "references": [ { "source": "cve@mitre.org", "tags": [ 
"Vendor Advisory" ], "url": "https://backstage.forgerock.com/knowledge/kb/book/b21824339" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://hansesecure.de/vulnerability-in-am/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://backstage.forgerock.com/knowledge/kb/book/b21824339" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://hansesecure.de/vulnerability-in-am/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-08-25 21:15
Modified
2024-11-21 06:14
Severity ?
Summary
ForgeRock Access Management (AM) before 7.0.2, when configured with Active Directory as the Identity Store, has an authentication-bypass issue.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://backstage.forgerock.com/knowledge/kb/article/a55763454 | Vendor Advisory | |
cve@mitre.org | https://www.forgerock.com/platform/access-management | Product, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://backstage.forgerock.com/knowledge/kb/article/a55763454 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.forgerock.com/platform/access-management | Product, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
forgerock | access_management | * (6.0.0 up to, but not including, 7.0.2) |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:forgerock:access_management:*:*:*:*:*:*:*:*", "matchCriteriaId": "129A5709-ECFD-48AC-9F15-545ABB53224E", "versionEndExcluding": "7.0.2", "versionStartIncluding": "6.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "ForgeRock Access Management (AM) before 7.0.2, when configured with Active Directory as the Identity Store, has an authentication-bypass issue." }, { "lang": "es", "value": "ForgeRock Access Management (AM) versiones anteriores a 7.0.2, cuando est\u00e1 configurado con Active Directory como Almac\u00e9n de Identidades, presenta un problema de omisi\u00f3n de autenticaci\u00f3n." } ], "id": "CVE-2021-37153", "lastModified": "2024-11-21T06:14:44.447", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-08-25T21:15:06.990", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor 
Advisory" ], "url": "https://backstage.forgerock.com/knowledge/kb/article/a55763454" }, { "source": "cve@mitre.org", "tags": [ "Product", "Vendor Advisory" ], "url": "https://www.forgerock.com/platform/access-management" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://backstage.forgerock.com/knowledge/kb/article/a55763454" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product", "Vendor Advisory" ], "url": "https://www.forgerock.com/platform/access-management" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2022-10-27 17:15
Modified
2024-11-21 06:50
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
It may be possible to gain some details of the deployment through a well-crafted attack. This may allow that data to be used to probe internal network services.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
forgerock | access_management | * (6.0.0 through 6.0.0.7) | |
forgerock | access_management | * (6.5.0 through 6.5.0.2) | |
forgerock | access_management | * (6.5.2.1 through 6.5.2.3) | |
forgerock | access_management | * (7.0.0 through 7.0.2) | |
forgerock | access_management | 6.5.1 | |
forgerock | access_management | 6.5.3 | |
forgerock | access_management | 6.5.4 | |
forgerock | access_management | 7.1.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:forgerock:access_management:*:*:*:*:*:*:*:*", "matchCriteriaId": "4162CDDD-B604-4B3C-AAA1-14D33FE1EF45", "versionEndIncluding": "6.0.0.7", "versionStartIncluding": "6.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:forgerock:access_management:*:*:*:*:*:*:*:*", "matchCriteriaId": "6D9D6502-4993-46CE-9FDC-71808D76C416", "versionEndIncluding": "6.5.0.2", "versionStartIncluding": "6.5.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:forgerock:access_management:*:*:*:*:*:*:*:*", "matchCriteriaId": "C9AC242A-391E-463D-8C00-28CE22D6339E", "versionEndIncluding": "6.5.2.3", "versionStartIncluding": "6.5.2.1", "vulnerable": true }, { "criteria": "cpe:2.3:a:forgerock:access_management:*:*:*:*:*:*:*:*", "matchCriteriaId": "D66C82CB-63C8-4A3C-AD19-08CD666F8C9D", "versionEndIncluding": "7.0.2", "versionStartIncluding": "7.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:forgerock:access_management:6.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "E31AD7C7-9145-4EBC-A1A1-531B77BEFB0C", "vulnerable": true }, { "criteria": "cpe:2.3:a:forgerock:access_management:6.5.3:*:*:*:*:*:*:*", "matchCriteriaId": "F3D7F2DE-8E77-4268-9F8B-D95954A31140", "vulnerable": true }, { "criteria": "cpe:2.3:a:forgerock:access_management:6.5.4:*:*:*:*:*:*:*", "matchCriteriaId": "F4CB42E3-B330-4202-87A4-EC503D569C78", "vulnerable": true }, { "criteria": "cpe:2.3:a:forgerock:access_management:7.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "9725E909-8707-402E-939B-EC6FA6FA0984", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "It may be possible to gain some details of the deployment through a well-crafted attack. This may allow that data to be used to probe internal network services." }, { "lang": "es", "value": "Quiz\u00e1s sea posible obtener algunos detalles del despliegue mediante un ataque bien elaborado. 
Esto puede permitir que esos datos se utilicen para sondear los servicios de la red interna." } ], "id": "CVE-2022-24669", "lastModified": "2024-11-21T06:50:49.810", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "psirt@forgerock.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-10-27T17:15:09.683", "references": [ { "source": "psirt@forgerock.com", "tags": [ "Product" ], "url": "https://backstage.forgerock.com/downloads/browse/am/featured" }, { "source": "psirt@forgerock.com", "tags": [ "Vendor Advisory" ], "url": "https://backstage.forgerock.com/knowledge/kb/article/a90639318" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product" ], "url": "https://backstage.forgerock.com/downloads/browse/am/featured" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://backstage.forgerock.com/knowledge/kb/article/a90639318" } ], "sourceIdentifier": "psirt@forgerock.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-862" } ], "source": "psirt@forgerock.com", "type": "Secondary" }, { "description": [ { "lang": 
"en", "value": "CWE-862" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-06-19 22:15
Modified
2024-11-21 03:12
Severity ?
Summary
OAuth 2.0 Authorization Server of ForgeRock Access Management (OpenAM) 13.5.0-13.5.1 and Access Management (AM) 5.0.0-5.1.1 does not correctly validate redirect_uri for some invalid requests, which allows attackers to perform phishing via an unvalidated redirect.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
forgerock | access_management | * (5.0.0 through 5.1.1) | |
forgerock | openam | * (13.5.0 through 13.5.1) |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:forgerock:access_management:*:*:*:*:*:*:*:*", "matchCriteriaId": "31F2A6D9-D3BB-4D1D-BA49-D120B32EF6D7", "versionEndIncluding": "5.1.1", "versionStartIncluding": "5.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:forgerock:openam:*:*:*:*:*:*:*:*", "matchCriteriaId": "C991BD33-4EE1-4CD4-80EF-4F539F27E159", "versionEndIncluding": "13.5.1", "versionStartIncluding": "13.5.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "OAuth 2.0 Authorization Server of ForgeRock Access Management (OpenAM) 13.5.0-13.5.1 and Access Management (AM) 5.0.0-5.1.1 does not correctly validate redirect_uri for some invalid requests, which allows attackers to perform phishing via an unvalidated redirect." }, { "lang": "es", "value": "El servidor de autorizaci\u00f3n OAuth versi\u00f3n 2.0 de ForgeRock Access Management (OpenAM) versi\u00f3n 13.5.0-13.5.1 y Access Management (AM) versi\u00f3n 5.0.0-5.1.1, no comprueba correctamente redirect_uri para algunas peticiones no v\u00e1lidas, lo que permite a los atacantes realizar phishing por medio de un redireccionamiento no validado." 
} ], "id": "CVE-2017-14394", "lastModified": "2024-11-21T03:12:41.500", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-06-19T22:15:13.593", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://backstage.forgerock.com/knowledge/kb/article/a45958025" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://backstage.forgerock.com/knowledge/kb/article/a45958025" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-601" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
cve-2021-37154
Vulnerability from cvelistv5
Published
2021-08-25 20:02
Modified
2024-08-04 01:16
Severity ?
EPSS score ?
Summary
In ForgeRock Access Management (AM) before 7.0.2, the SAML2 implementation allows XML injection, potentially enabling a fraudulent SAML 2.0 assertion.
References
▼ | URL | Tags |
---|---|---|
https://www.forgerock.com/platform/access-management | x_refsource_MISC | |
https://backstage.forgerock.com/knowledge/kb/article/a55763454 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T01:16:03.158Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.forgerock.com/platform/access-management" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://backstage.forgerock.com/knowledge/kb/article/a55763454" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "In ForgeRock Access Management (AM) before 7.0.2, the SAML2 implementation allows XML injection, potentially enabling a fraudulent SAML 2.0 assertion." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-08-25T20:02:53", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.forgerock.com/platform/access-management" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://backstage.forgerock.com/knowledge/kb/article/a55763454" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-37154", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In ForgeRock Access Management (AM) before 7.0.2, the SAML2 implementation allows XML injection, potentially enabling a fraudulent SAML 2.0 assertion." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.forgerock.com/platform/access-management", "refsource": "MISC", "url": "https://www.forgerock.com/platform/access-management" }, { "name": "https://backstage.forgerock.com/knowledge/kb/article/a55763454", "refsource": "CONFIRM", "url": "https://backstage.forgerock.com/knowledge/kb/article/a55763454" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-37154", "datePublished": "2021-08-25T20:02:53", "dateReserved": "2021-07-21T00:00:00", "dateUpdated": "2024-08-04T01:16:03.158Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-14395
Vulnerability from cvelistv5
Published
2019-06-19 21:22
Modified
2024-08-05 19:27
Severity ?
EPSS score ?
Summary
Auth 2.0 Authorization Server of ForgeRock Access Management (OpenAM) 13.5.0-13.5.1 and Access Management (AM) 5.0.0-5.1.1 does not correctly validate redirect_uri for some invalid requests, which allows attackers to execute a script in the user's browser via reflected XSS.
References
▼ | URL | Tags |
---|---|---|
https://backstage.forgerock.com/knowledge/kb/article/a45958025 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T19:27:40.077Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://backstage.forgerock.com/knowledge/kb/article/a45958025" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2019-06-04T00:00:00", "descriptions": [ { "lang": "en", "value": "Auth 2.0 Authorization Server of ForgeRock Access Management (OpenAM) 13.5.0-13.5.1 and Access Management (AM) 5.0.0-5.1.1 does not correctly validate redirect_uri for some invalid requests, which allows attackers to execute a script in the user\u0027s browser via reflected XSS." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-06-19T21:22:29", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://backstage.forgerock.com/knowledge/kb/article/a45958025" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-14395", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Auth 2.0 Authorization Server of ForgeRock Access Management (OpenAM) 13.5.0-13.5.1 and Access Management (AM) 5.0.0-5.1.1 does not correctly validate redirect_uri for some invalid requests, which allows attackers to execute a script in the user\u0027s browser via reflected XSS." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://backstage.forgerock.com/knowledge/kb/article/a45958025", "refsource": "MISC", "url": "https://backstage.forgerock.com/knowledge/kb/article/a45958025" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-14395", "datePublished": "2019-06-19T21:22:29", "dateReserved": "2017-09-12T00:00:00", "dateUpdated": "2024-08-05T19:27:40.077Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-14394
Vulnerability from cvelistv5
Published
2019-06-19 21:22
Modified
2024-08-05 19:27
Severity ?
EPSS score ?
Summary
OAuth 2.0 Authorization Server of ForgeRock Access Management (OpenAM) 13.5.0-13.5.1 and Access Management (AM) 5.0.0-5.1.1 does not correctly validate redirect_uri for some invalid requests, which allows attackers to perform phishing via an unvalidated redirect.
References
▼ | URL | Tags |
---|---|---|
https://backstage.forgerock.com/knowledge/kb/article/a45958025 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T19:27:40.465Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://backstage.forgerock.com/knowledge/kb/article/a45958025" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2019-06-04T00:00:00", "descriptions": [ { "lang": "en", "value": "OAuth 2.0 Authorization Server of ForgeRock Access Management (OpenAM) 13.5.0-13.5.1 and Access Management (AM) 5.0.0-5.1.1 does not correctly validate redirect_uri for some invalid requests, which allows attackers to perform phishing via an unvalidated redirect." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-06-19T21:22:20", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://backstage.forgerock.com/knowledge/kb/article/a45958025" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-14394", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "OAuth 2.0 Authorization Server of ForgeRock Access Management (OpenAM) 13.5.0-13.5.1 and Access Management (AM) 5.0.0-5.1.1 does not correctly validate redirect_uri for some invalid requests, which allows attackers to perform phishing via an unvalidated redirect." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://backstage.forgerock.com/knowledge/kb/article/a45958025", "refsource": "MISC", "url": "https://backstage.forgerock.com/knowledge/kb/article/a45958025" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-14394", "datePublished": "2019-06-19T21:22:20", "dateReserved": "2017-09-12T00:00:00", "dateUpdated": "2024-08-05T19:27:40.465Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-25566
Vulnerability from cvelistv5
Published
2024-10-29 15:34
Modified
2024-10-29 19:58
Severity ?
EPSS score ?
Summary
An Open-Redirect vulnerability exists in PingAM where well-crafted requests may cause improper validation of redirect URLs. This could allow an attacker to redirect end-users to malicious sites under their control, simplifying phishing attacks.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
Ping Identity | PingAM | Version: 7.5.0; Version: 7.4.0 ≤ 7.4.1; Version: 7.3.0 ≤ 7.3.1; Version: 7.2.0 ≤ 7.2.2; Version: 7.1.0 ≤ 7.1.4; Version: 0 ≤ 7.0.2 |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-25566", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-10-29T19:58:14.725482Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-10-29T19:58:25.775Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "affected", "product": "PingAM", "vendor": "Ping Identity", "versions": [ { "status": "affected", "version": "7.5.0", "versionType": "major release" }, { "lessThanOrEqual": "7.4.1", "status": "affected", "version": "7.4.0", "versionType": "maintenance release" }, { "lessThanOrEqual": "7.3.1", "status": "affected", "version": "7.3.0", "versionType": "maintenance release" }, { "lessThanOrEqual": "7.2.2", "status": "affected", "version": "7.2.0", "versionType": "maintenance release" }, { "lessThanOrEqual": "7.1.4", "status": "affected", "version": "7.1.0", "versionType": "maintenance release" }, { "lessThanOrEqual": "7.0.2", "status": "affected", "version": "0", "versionType": "maintenance release" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "An Open-Redirect vulnerability exists in PingAM where well-crafted requests may cause improper validation of redirect URLs. This could allow an attacker to redirect end-users to malicious sites under their control, simplifying phishing attacks\u003cbr\u003e\u003cbr\u003e" } ], "value": "An Open-Redirect vulnerability exists in PingAM where well-crafted requests may cause improper validation of redirect URLs. 
This could allow an attacker to redirect end-users to malicious sites under their control, simplifying phishing attacks" } ], "impacts": [ { "capecId": "CAPEC-98", "descriptions": [ { "lang": "en", "value": "CAPEC-98 Phishing" } ] } ], "metrics": [ { "cvssV4_0": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.1, "baseSeverity": "MEDIUM", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-601", "description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-10-29T15:34:53.358Z", "orgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e", "shortName": "Ping Identity" }, "references": [ { "url": "https://backstage.forgerock.com/downloads/browse/am/featured" }, { "url": "https://backstage.forgerock.com/knowledge/advisories/article/a63463303" } ], "source": { "discovery": "EXTERNAL" }, "title": "Open Redirect in PingAM", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e", "assignerShortName": "Ping Identity", "cveId": "CVE-2024-25566", "datePublished": "2024-10-29T15:34:53.358Z", "dateReserved": "2024-02-29T23:52:30.493Z", "dateUpdated": "2024-10-29T19:58:25.775Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": 
"5.1" }
cve-2022-24669
Vulnerability from cvelistv5
Published
2022-10-27 16:53
Modified
2024-09-16 22:25
Severity ?
EPSS score ?
Summary
It may be possible to gain some details of the deployment through a well-crafted attack. This may allow that data to be used to probe internal network services.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
ForgeRock | Access Management | Version: unspecified < 6.5.5; Version: unspecified < 7.1.2; Version: unspecified < 7.2.0 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T04:20:49.811Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://backstage.forgerock.com/knowledge/kb/article/a90639318" }, { "tags": [ "x_transferred" ], "url": "https://backstage.forgerock.com/downloads/browse/am/featured" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Access Management", "vendor": "ForgeRock", "versions": [ { "lessThan": "6.5.5", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "7.1.2", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "7.2.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2022-10-20T00:00:00", "descriptions": [ { "lang": "en", "value": "It may be possible to gain some details of the deployment through a well-crafted attack. This may allow that data to be used to probe internal network services." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-862", "description": "CWE-862 Missing Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-10-27T00:00:00", "orgId": "6b18ae97-0aab-4af2-9ba4-74b2b139ddfa", "shortName": "ForgeRock" }, "references": [ { "url": "https://backstage.forgerock.com/knowledge/kb/article/a90639318" }, { "url": "https://backstage.forgerock.com/downloads/browse/am/featured" } ], "solutions": [ { "lang": "en", "value": "Upgrade to the latest versions." 
} ], "source": { "advisory": "202204", "defect": [ "https://bugster.forgerock.org/jira/browse/OPENAM-18367", "(not", "public)" ], "discovery": "EXTERNAL" }, "title": "Anonymous users can register / de-register for configuration change notifications", "x_generator": { "engine": "Vulnogram 0.0.9" } } }, "cveMetadata": { "assignerOrgId": "6b18ae97-0aab-4af2-9ba4-74b2b139ddfa", "assignerShortName": "ForgeRock", "cveId": "CVE-2022-24669", "datePublished": "2022-10-27T16:53:56.378684Z", "dateReserved": "2022-02-08T00:00:00", "dateUpdated": "2024-09-16T22:25:59.604Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-37153
Vulnerability from cvelistv5
Published
2021-08-25 20:05
Modified
2024-08-04 01:16
Severity ?
EPSS score ?
Summary
ForgeRock Access Management (AM) before 7.0.2, when configured with Active Directory as the Identity Store, has an authentication-bypass issue.
References
▼ | URL | Tags |
---|---|---|
https://www.forgerock.com/platform/access-management | x_refsource_MISC | |
https://backstage.forgerock.com/knowledge/kb/article/a55763454 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T01:16:03.966Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.forgerock.com/platform/access-management" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://backstage.forgerock.com/knowledge/kb/article/a55763454" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "ForgeRock Access Management (AM) before 7.0.2, when configured with Active Directory as the Identity Store, has an authentication-bypass issue." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-08-25T20:05:54", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.forgerock.com/platform/access-management" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://backstage.forgerock.com/knowledge/kb/article/a55763454" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-37153", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "ForgeRock Access Management (AM) before 7.0.2, when configured with Active Directory as the Identity Store, has an authentication-bypass issue." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.forgerock.com/platform/access-management", "refsource": "MISC", "url": "https://www.forgerock.com/platform/access-management" }, { "name": "https://backstage.forgerock.com/knowledge/kb/article/a55763454", "refsource": "CONFIRM", "url": "https://backstage.forgerock.com/knowledge/kb/article/a55763454" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-37153", "datePublished": "2021-08-25T20:05:54", "dateReserved": "2021-07-21T00:00:00", "dateUpdated": "2024-08-04T01:16:03.966Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-3748
Vulnerability from cvelistv5
Published
2023-04-14 14:06
Modified
2025-02-06 19:32
Severity
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Improper Authorization vulnerability in ForgeRock Inc. Access Management allows Authentication Bypass. This issue affects Access Management: from 6.5.0 through 7.2.0.
References
URL | Tags
---|---
https://backstage.forgerock.com/knowledge/kb/article/a92134872 | vendor-advisory
https://backstage.forgerock.com/knowledge/kb/article/a34332318 | vendor-advisory
https://backstage.forgerock.com/downloads/browse/am/all/productId:am | product
Impacted products
Vendor | Product | Version
---|---|---
ForgeRock Inc. | Access Management | 6.5.0 through 7.2.0
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T01:20:57.676Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://backstage.forgerock.com/knowledge/kb/article/a92134872" }, { "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://backstage.forgerock.com/knowledge/kb/article/a34332318" }, { "tags": [ "product", "x_transferred" ], "url": "https://backstage.forgerock.com/downloads/browse/am/all/productId:am" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2022-3748", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-02-06T19:32:08.402131Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-02-06T19:32:17.712Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Access Management", "vendor": "ForgeRock Inc.", "versions": [ { "lessThanOrEqual": "7.2.0", "status": "affected", "version": "6.5.0", "versionType": "semver" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Improper Authorization vulnerability in ForgeRock Inc. Access Management allows Authentication Bypass.\u0026nbsp;\u003cspan style=\"background-color: var(--wht);\"\u003eThis issue affects Access Management: from 6.5.0 through 7.2.0.\u003c/span\u003e" } ], "value": "Improper Authorization vulnerability in ForgeRock Inc. Access Management allows Authentication Bypass.\u00a0This issue affects Access Management: from 6.5.0 through 7.2.0." 
} ], "impacts": [ { "capecId": "CAPEC-115", "descriptions": [ { "lang": "en", "value": "CAPEC-115 Authentication Bypass" } ] } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-285", "description": "CWE-285 Improper Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-04-14T15:57:03.114Z", "orgId": "6b18ae97-0aab-4af2-9ba4-74b2b139ddfa", "shortName": "ForgeRock" }, "references": [ { "tags": [ "vendor-advisory" ], "url": "https://backstage.forgerock.com/knowledge/kb/article/a92134872" }, { "tags": [ "vendor-advisory" ], "url": "https://backstage.forgerock.com/knowledge/kb/article/a34332318" }, { "tags": [ "product" ], "url": "https://backstage.forgerock.com/downloads/browse/am/all/productId:am" } ], "source": { "discovery": "UNKNOWN" }, "title": "Improper authorization that can lead to account impersonation", "x_generator": { "engine": "Vulnogram 0.1.0-dev" } } }, "cveMetadata": { "assignerOrgId": "6b18ae97-0aab-4af2-9ba4-74b2b139ddfa", "assignerShortName": "ForgeRock", "cveId": "CVE-2022-3748", "datePublished": "2023-04-14T14:06:30.571Z", "dateReserved": "2022-10-28T15:07:25.617Z", "dateUpdated": "2025-02-06T19:32:17.712Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2018-7272
Vulnerability from cvelistv5
Published
2018-02-21 00:00
Modified
2024-09-17 03:03
Summary
The REST APIs in ForgeRock AM before 5.5.0 include SSOToken IDs as part of the URL, which allows attackers to obtain sensitive information by finding an ID value in a log file.
References
URL | Tags
---|---
https://backstage.forgerock.com/knowledge/kb/book/b21824339 | x_refsource_MISC
https://hansesecure.de/vulnerability-in-am/ | x_refsource_MISC
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T06:24:11.701Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://backstage.forgerock.com/knowledge/kb/book/b21824339" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://hansesecure.de/vulnerability-in-am/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "The REST APIs in ForgeRock AM before 5.5.0 include SSOToken IDs as part of the URL, which allows attackers to obtain sensitive information by finding an ID value in a log file." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-02-21T00:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://backstage.forgerock.com/knowledge/kb/book/b21824339" }, { "tags": [ "x_refsource_MISC" ], "url": "https://hansesecure.de/vulnerability-in-am/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-7272", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The REST APIs in ForgeRock AM before 5.5.0 include SSOToken IDs as part of the URL, which allows attackers to obtain sensitive information by finding an ID value in a log file." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://backstage.forgerock.com/knowledge/kb/book/b21824339", "refsource": "MISC", "url": "https://backstage.forgerock.com/knowledge/kb/book/b21824339" }, { "name": "https://hansesecure.de/vulnerability-in-am/", "refsource": "MISC", "url": "https://hansesecure.de/vulnerability-in-am/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-7272", "datePublished": "2018-02-21T00:00:00Z", "dateReserved": "2018-02-20T00:00:00Z", "dateUpdated": "2024-09-17T03:03:02.319Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-4201
Vulnerability from cvelistv5
Published
2022-02-14 21:04
Modified
2024-09-16 16:43
Severity
9.6 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Summary
Missing access control in ForgeRock Access Management 7.1.0 and earlier versions on all platforms allows remote unauthenticated attackers to hijack sessions, including potentially admin-level sessions. This issue affects: ForgeRock Access Management 7.1 versions prior to 7.1.1; 6.5 versions prior to 6.5.4; all previous versions.
References
URL | Tags
---|---
https://backstage.forgerock.com/knowledge/kb/article/a50037155#x7ZPA0 | x_refsource_CONFIRM
Impacted products
Vendor | Product | Version
---|---|---
ForgeRock | Access Management | 7.1 < 7.1.1; 6.5 < 6.5.4
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T17:16:04.281Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://backstage.forgerock.com/knowledge/kb/article/a50037155#x7ZPA0" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Access Management", "vendor": "ForgeRock", "versions": [ { "lessThan": "7.1.1", "status": "affected", "version": "7.1", "versionType": "custom" }, { "lessThan": "6.5.4", "status": "affected", "version": "6.5", "versionType": "custom" } ] } ], "credits": [ { "lang": "en", "value": "Escourbiac Maxime and Schmitt Maxence from Mitchelin CERT" } ], "datePublic": "2021-12-07T00:00:00", "descriptions": [ { "lang": "en", "value": "Missing access control in ForgeRock Access Management 7.1.0 and earlier versions on all platforms allows remote unauthenticated attackers to hijack sessions, including potentially admin-level sessions. This issue affects: ForgeRock Access Management 7.1 versions prior to 7.1.1; 6.5 versions prior to 6.5.4; all previous versions." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284 Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-02-14T21:04:29", "orgId": "6b18ae97-0aab-4af2-9ba4-74b2b139ddfa", "shortName": "ForgeRock" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://backstage.forgerock.com/knowledge/kb/article/a50037155#x7ZPA0" } ], "solutions": [ { "lang": "en", "value": "This issue is fixed in AM 6.5.4, 7.1.1, and all later versions." } ], "source": { "advisory": "202110-01", "discovery": "EXTERNAL" }, "title": "Pre-authentication session hijacking", "workarounds": [ { "lang": "en", "value": "Block access to the following endpoints:\n/authservice\n/sessionservice\n/profileservice\n/policyservice\n/namingservice\n/loggingservice" } ], "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "psirt@forgerock.com", "DATE_PUBLIC": "2021-12-07T12:00:00.000Z", "ID": "CVE-2021-4201", "STATE": "PUBLIC", "TITLE": "Pre-authentication session hijacking" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Access Management", "version": { "version_data": [ { "version_affected": "\u003c", "version_name": "7.1", "version_value": "7.1.1" }, { "version_affected": "\u003c", "version_name": "6.5", "version_value": "6.5.4" } ] } } ] }, "vendor_name": "ForgeRock" } ] } }, "credit": [ { "lang": "eng", "value": "Escourbiac Maxime and Schmitt Maxence from Mitchelin CERT" } ], "data_format": "MITRE", "data_type": "CVE", 
"data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Missing access control in ForgeRock Access Management 7.1.0 and earlier versions on all platforms allows remote unauthenticated attackers to hijack sessions, including potentially admin-level sessions. This issue affects: ForgeRock Access Management 7.1 versions prior to 7.1.1; 6.5 versions prior to 6.5.4; all previous versions." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-284 Improper Access Control" } ] } ] }, "references": { "reference_data": [ { "name": "https://backstage.forgerock.com/knowledge/kb/article/a50037155#x7ZPA0", "refsource": "CONFIRM", "url": "https://backstage.forgerock.com/knowledge/kb/article/a50037155#x7ZPA0" } ] }, "solution": [ { "lang": "en", "value": "This issue is fixed in AM 6.5.4, 7.1.1, and all later versions." } ], "source": { "advisory": "202110-01", "discovery": "EXTERNAL" }, "work_around": [ { "lang": "en", "value": "Block access to the following endpoints:\n/authservice\n/sessionservice\n/profileservice\n/policyservice\n/namingservice\n/loggingservice" } ] } } }, "cveMetadata": { "assignerOrgId": "6b18ae97-0aab-4af2-9ba4-74b2b139ddfa", "assignerShortName": "ForgeRock", "cveId": "CVE-2021-4201", "datePublished": "2022-02-14T21:04:29.132483Z", "dateReserved": "2022-01-06T00:00:00", "dateUpdated": "2024-09-16T16:43:04.393Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-24670
Vulnerability from cvelistv5
Published
2022-10-27 16:53
Modified
2024-09-16 18:08
Severity
7.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
Summary
An attacker can use unrestricted LDAP queries to determine configuration entries.
References
URL | Tags
---|---
https://backstage.forgerock.com/knowledge/kb/article/a90639318 |
https://backstage.forgerock.com/downloads/browse/am/featured |
Impacted products
Vendor | Product | Version
---|---|---
ForgeRock | Access Management | unspecified < 6.5.5; unspecified < 7.1.2; unspecified < 7.2.0
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T04:20:49.154Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://backstage.forgerock.com/knowledge/kb/article/a90639318" }, { "tags": [ "x_transferred" ], "url": "https://backstage.forgerock.com/downloads/browse/am/featured" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Access Management", "vendor": "ForgeRock", "versions": [ { "lessThan": "6.5.5", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "7.1.2", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "7.2.0", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "datePublic": "2022-10-20T00:00:00", "descriptions": [ { "lang": "en", "value": "An attacker can use the unrestricted LDAP queries to determine configuration entries" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200 Information Exposure", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-10-27T00:00:00", "orgId": "6b18ae97-0aab-4af2-9ba4-74b2b139ddfa", "shortName": "ForgeRock" }, "references": [ { "url": "https://backstage.forgerock.com/knowledge/kb/article/a90639318" }, { "url": "https://backstage.forgerock.com/downloads/browse/am/featured" } ], "solutions": [ { "lang": "en", "value": "Upgrade to the latest versions." 
} ], "source": { "advisory": "202204", "defect": [ "https://bugster.forgerock.org/jira/browse/OPENAM-18368", "(not", "public)" ], "discovery": "EXTERNAL" }, "title": "Any user can run unrestricted LDAP queries against a configuration endpoint", "x_generator": { "engine": "Vulnogram 0.0.9" } } }, "cveMetadata": { "assignerOrgId": "6b18ae97-0aab-4af2-9ba4-74b2b139ddfa", "assignerShortName": "ForgeRock", "cveId": "CVE-2022-24670", "datePublished": "2022-10-27T16:53:00.019101Z", "dateReserved": "2022-02-08T00:00:00", "dateUpdated": "2024-09-16T18:08:57.937Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }