CVE-2022-24669 – Anonymous users can register / de-register for configuration change notifications
https://notcve.org/view.php?id=CVE-2022-24669
It may be possible to gain some details of the deployment through a well-crafted attack. This may allow that data to be used to probe internal network services. • https://backstage.forgerock.com/downloads/browse/am/featured https://backstage.forgerock.com/knowledge/kb/article/a90639318 • CWE-862: Missing Authorization
CVE-2022-24670 – Any user can run unrestricted LDAP queries against a configuration endpoint
https://notcve.org/view.php?id=CVE-2022-24670
An attacker can use the unrestricted LDAP queries to determine configuration entries. • https://backstage.forgerock.com/downloads/browse/am/featured https://backstage.forgerock.com/knowledge/kb/article/a90639318 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2022-0143 – LDAP Connector: When startTLS is used then LDAP connector ignores the wrong password
https://notcve.org/view.php?id=CVE-2022-0143
When the LDAP connector is started with StartTLS configured, unauthenticated access is granted. This issue affects: all versions of the LDAP connector prior to 1.5.20.9. The LDAP connector is bundled with Identity Management (IDM) and Remote Connector Server (RCS). • https://backstage.forgerock.com/downloads/browse/idm/featured/connectors https://backstage.forgerock.com/knowledge/kb/article/a11380515 • CWE-284: Improper Access Control; CWE-863: Incorrect Authorization
CVE-2021-4201 – Pre-authentication session hijacking
https://notcve.org/view.php?id=CVE-2021-4201
Missing access control in ForgeRock Access Management 7.1.0 and earlier versions on all platforms allows remote unauthenticated attackers to hijack sessions, including potentially admin-level sessions. This issue affects: ForgeRock Access Management 7.1 versions prior to 7.1.1; 6.5 versions prior to 6.5.4; all previous versions. • https://backstage.forgerock.com/knowledge/kb/article/a50037155#x7ZPA0 • CWE-284: Improper Access Control; CWE-287: Improper Authentication
CVE-2021-37153
https://notcve.org/view.php?id=CVE-2021-37153
ForgeRock Access Management (AM) before 7.0.2, when configured with Active Directory as the Identity Store, has an authentication-bypass issue. • https://backstage.forgerock.com/knowledge/kb/article/a55763454 https://www.forgerock.com/platform/access-management