ForgeRock AM server before 7.0 has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. The exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted /ccversion/* request to the server. The vulnerability exists due to the usage of Sun ONE Application Framework (JATO) found in versions of Java 8 or earlier
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HForgerock Access Management
APPForgerock< 6.5.4Forgerock Openam
APPForgerock9.0.0 – 14.6.3 (bez)
CISA KEV — detailsi
- Vendori
- ForgeRock
- Producti
- Access Management (AM)
- Added to KEVi
- November 3, 2021
- Remediation deadline (US Federal)i
- November 17, 2021(overdue)
- Ransomwarei
- Active ransomware campaigns exploit this vulnerability
Apply updates per vendor instructions.
ForgeRock Access Management (AM) Core Server allows an attacker who sends a specially crafted HTTP request to one of three endpoints (/ccversion/Version, /ccversion/Masthead, or /ccversion/ButtonFrame) to execute code in the context of the current user (unless ForgeRock AM is running as root user, which the vendor does not recommend).
Related vulnerabilities
Improper Authorization vulnerability in ForgeRock Inc. Access Management allows Authentication Bypass. This is...
Missing access control in ForgeRock Access Management 7.1.0 and earlier versions on all platforms allows remot...
In ForgeRock Access Management (AM) before 7.0.2, the SAML2 implementation allows XML injection, potentially e...
ForgeRock Access Management (AM) before 7.0.2, when configured with Active Directory as the Identity Store, ha...
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ForgeRock Acce...