CVSS: 8.1EPSS: 0%CPEs: 4EXPL: 0CVE-2023-0582 – Path Traversal in ForgeRock Access Managment
https://notcve.org/view.php?id=CVE-2023-0582
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ForgeRock Access Management allows Authorization Bypass. This issue affects access management: before 7.3.0, before 7.2.1, before 7.1.4, through 7.0.2. La limitación inadecuada de una vulnerabilidad de nombre de ruta a un directorio restringido ("Path Traversal") en ForgeRock Access Management permite eludir la autorización. Este problema afecta la gestión de acceso: antes de 7.3.0, antes de 7.2.1, antes de 7.1.4, hasta 7.0.2. • https://backstage.forgerock.com/downloads/browse/am/featured https://backstage.forgerock.com/knowledge/kb/article/a64088600 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-3748 – Improper authorization that can lead to account impersonation
https://notcve.org/view.php?id=CVE-2022-3748
Improper Authorization vulnerability in ForgeRock Inc. Access Management allows Authentication Bypass. This issue affects Access Management: from 6.5.0 through 7.2.0. • https://backstage.forgerock.com/downloads/browse/am/all/productId:am https://backstage.forgerock.com/knowledge/kb/article/a34332318 https://backstage.forgerock.com/knowledge/kb/article/a92134872 • CWE-285: Improper Authorization •
CVSS: 6.5EPSS: 0%CPEs: 8EXPL: 0CVE-2022-24669 – Anonymous users can register / de-register for configuration change notifications
https://notcve.org/view.php?id=CVE-2022-24669
It may be possible to gain some details of the deployment through a well-crafted attack. This may allow that data to be used to probe internal network services. Quizás sea posible obtener algunos detalles del despliegue mediante un ataque bien elaborado. Esto puede permitir que esos datos se utilicen para sondear los servicios de la red interna. • https://backstage.forgerock.com/downloads/browse/am/featured https://backstage.forgerock.com/knowledge/kb/article/a90639318 • CWE-862: Missing Authorization •
CVSS: 7.1EPSS: 0%CPEs: 9EXPL: 0CVE-2022-24670 – Any user can run unrestricted LDAP queries against a configuration endpoint
https://notcve.org/view.php?id=CVE-2022-24670
An attacker can use the unrestricted LDAP queries to determine configuration entries Un atacante puede utilizar las consultas LDAP sin restricciones para determinar las entradas de configuración. • https://backstage.forgerock.com/downloads/browse/am/featured https://backstage.forgerock.com/knowledge/kb/article/a90639318 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.8EPSS: 0%CPEs: 20EXPL: 0CVE-2021-4201 – Pre-authentication session hijacking
https://notcve.org/view.php?id=CVE-2021-4201
Missing access control in ForgeRock Access Management 7.1.0 and earlier versions on all platforms allows remote unauthenticated attackers to hijack sessions, including potentially admin-level sessions. This issue affects: ForgeRock Access Management 7.1 versions prior to 7.1.1; 6.5 versions prior to 6.5.4; all previous versions. Una falta de control de acceso en ForgeRock Access Management versión 7.1.0 y versiones anteriores, en todas las plataformas permite a atacantes remotos no autenticados secuestrar sesiones, incluyendo potencialmente sesiones a nivel de administrador. Este problema afecta a: ForgeRock Access Management versiones 7.1 anteriores a 7.1.1; versiones 6.5 anteriores a 6.5.4; todas las versiones anteriores • https://backstage.forgerock.com/knowledge/kb/article/a50037155#x7ZPA0 • CWE-284: Improper Access Control CWE-287: Improper Authentication •