CVE-2021-35464 – ForgeRock Access Management (AM) Core Server Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2021-35464
ForgeRock AM server before 7.0 has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. The exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted /ccversion/* request to the server. The vulnerability exists due to the usage of Sun ONE Application Framework (JATO) found in versions of Java 8 or earlier El servidor ForgeRock AM anterior a la versión 7.0 tiene una vulnerabilidad de deserialización de Java en el parámetro jato.pageSession en varias páginas. La explotación no requiere autenticación, y la ejecución remota de código se puede desencadenar mediante el envío de una única solicitud /ccversion/* manipulada al servidor. La vulnerabilidad existe debido al uso de Sun ONE Application Framework (JATO) que se encuentra en las versiones de Java 8 o anteriores ForgeRock Access Management (AM) Core Server allows an attacker who sends a specially crafted HTTP request to one of three endpoints (/ccversion/Version, /ccversion/Masthead, or /ccversion/ButtonFrame) to execute code in the context of the current user (unless ForgeRock AM is running as root user, which the vendor does not recommend). • https://www.exploit-db.com/exploits/50131 https://github.com/Y4er/openam-CVE-2021-35464 https://github.com/rood8008/CVE-2021-35464 http://packetstormsecurity.com/files/163486/ForgeRock-OpenAM-Jato-Java-Deserialization.html http://packetstormsecurity.com/files/163525/ForgeRock-Access-Manager-OpenAM-14.6.3-Remote-Code-Execution.html https://backstage.forgerock.com/knowledge/kb/article/a47894244 https://bugster.forgerock.org https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464 • CWE-502: Deserialization of Untrusted Data •
CVE-2021-29156 – OpenAM 13.0 - LDAP Injection
https://notcve.org/view.php?id=CVE-2021-29156
ForgeRock OpenAM before 13.5.1 allows LDAP injection via the Webfinger protocol. For example, an unauthenticated attacker can perform character-by-character retrieval of password hashes, or retrieve a session token or a private key. ForgeRock OpenAM versiones anteriores a 13.5.1, permite la inyección LDAP por medio del protocolo Webfinger. Por ejemplo, un atacante no autenticado puede llevar a cabo la recuperación de caracteres del hash de contraseña, o recuperar un token de sesión o una clave privada • https://www.exploit-db.com/exploits/50480 https://github.com/guidepointsecurity/CVE-2021-29156 https://github.com/5amu/CVE-2021-29156 https://bugster.forgerock.org/jira/browse/OPENAM-10135 https://portswigger.net/research/hidden-oauth-attack-vectors • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVE-2017-14395
https://notcve.org/view.php?id=CVE-2017-14395
Auth 2.0 Authorization Server of ForgeRock Access Management (OpenAM) 13.5.0-13.5.1 and Access Management (AM) 5.0.0-5.1.1 does not correctly validate redirect_uri for some invalid requests, which allows attackers to execute a script in the user's browser via reflected XSS. El servidor de autorización Auth versión 2.0 de ForgeRock Access Management (OpenAM) versión 13.5.0-13.5.1 y Access Management (AM) versión 5.0.0-5.1.1, no comprueba correctamente redirect_uri para algunas peticiones no válidas, lo que permite a los atacantes ejecutar un script en el navegador del usuario por medio de un XSS reflejado. • https://backstage.forgerock.com/knowledge/kb/article/a45958025 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2017-14394
https://notcve.org/view.php?id=CVE-2017-14394
OAuth 2.0 Authorization Server of ForgeRock Access Management (OpenAM) 13.5.0-13.5.1 and Access Management (AM) 5.0.0-5.1.1 does not correctly validate redirect_uri for some invalid requests, which allows attackers to perform phishing via an unvalidated redirect. El servidor de autorización OAuth versión 2.0 de ForgeRock Access Management (OpenAM) versión 13.5.0-13.5.1 y Access Management (AM) versión 5.0.0-5.1.1, no comprueba correctamente redirect_uri para algunas peticiones no válidas, lo que permite a los atacantes realizar phishing por medio de un redireccionamiento no validado. • https://backstage.forgerock.com/knowledge/kb/article/a45958025 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVE-2018-0696
https://notcve.org/view.php?id=CVE-2018-0696
OpenAM (Open Source Edition) 13.0 and later does not properly manage sessions, which allows remote authenticated attackers to change the security questions and reset the login password via unspecified vectors. OpenAM (Open Source Edition), en versiones 13.0 y siguientes, no gestiona las sesiones correctamente, lo que permite que los atacantes autenticados remotos cambien las preguntas de seguridad y restablezcan la contraseña de inicio de sesión mediante vectores sin especificar. • http://jvn.jp/en/jp/JVN49995005/index.html https://www.cs.themistruct.com/report/wam20181012 https://www.osstech.co.jp/support/am2018-4-1-en • CWE-640: Weak Password Recovery Mechanism for Forgotten Password •