CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-41667 – OpenAM FreeMarker template injection
https://notcve.org/view.php?id=CVE-2024-41667
OpenAM is an open access management solution. In versions 15.0.3 and prior, the `getCustomLoginUrlTemplate` method in RealmOAuth2ProviderSettings.java is vulnerable to template injection due to its usage of user input. Although the developer intended to implement a custom URL for handling login to override the default PingOne Advanced Identity Cloud login page,they did not restrict the `CustomLoginUrlTemplate`, allowing it to be set freely. Commit fcb8432aa77d5b2e147624fe954cb150c568e0b8 introduces `TemplateClassResolver.SAFER_RESOLVER` to disable the resolution of commonly exploited classes in FreeMarker template injection. As of time of publication, this fix is expected to be part of version 15.0.4. • https://github.com/OpenIdentityPlatform/OpenAM/commit/fcb8432aa77d5b2e147624fe954cb150c568e0b8 https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-7726-43hg-m23v • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-37471 – User impersonation using SAMLv1.x SSO in Open Access Management
https://notcve.org/view.php?id=CVE-2023-37471
Open Access Management (OpenAM) is an access management solution that includes Authentication, SSO, Authorization, Federation, Entitlements and Web Services Security. OpenAM up to version 14.7.2 does not properly validate the signature of SAML responses received as part of the SAMLv1.x Single Sign-On process. Attackers can use this fact to impersonate any OpenAM user, including the administrator, by sending a specially crafted SAML response to the SAMLPOSTProfileServlet servlet. This problem has been patched in OpenAM 14.7.3-SNAPSHOT and later. User unable to upgrade should comment servlet `SAMLPOSTProfileServlet` from their pom file. • https://github.com/OpenIdentityPlatform/OpenAM/commit/7c18543d126e8a567b83bb4535631825aaa9d742 https://github.com/OpenIdentityPlatform/OpenAM/pull/624 https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-4mh8-9wq6-rjxg • CWE-287: Improper Authentication •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2022-34298
https://notcve.org/view.php?id=CVE-2022-34298
The NT auth module in OpenAM before 14.6.6 allows a "replace Samba username attack." El módulo NT auth en OpenAM versiones anteriores a 14.6.6, permite un "ataque de reemplazo de nombre de usuario Samba" • https://github.com/watchtowrlabs/CVE-2022-34298 https://github.com/OpenIdentityPlatform/OpenAM/compare/14.6.5...14.6.6 https://github.com/OpenIdentityPlatform/OpenAM/pull/514 https://github.com/OpenIdentityPlatform/OpenAM/releases/tag/14.6.6 •
CVSS: 10.0EPSS: 97%CPEs: 2EXPL: 6CVE-2021-35464 – ForgeRock Access Management (AM) Core Server Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2021-35464
ForgeRock AM server before 7.0 has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. The exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted /ccversion/* request to the server. The vulnerability exists due to the usage of Sun ONE Application Framework (JATO) found in versions of Java 8 or earlier El servidor ForgeRock AM anterior a la versión 7.0 tiene una vulnerabilidad de deserialización de Java en el parámetro jato.pageSession en varias páginas. La explotación no requiere autenticación, y la ejecución remota de código se puede desencadenar mediante el envío de una única solicitud /ccversion/* manipulada al servidor. La vulnerabilidad existe debido al uso de Sun ONE Application Framework (JATO) que se encuentra en las versiones de Java 8 o anteriores ForgeRock Access Management (AM) Core Server allows an attacker who sends a specially crafted HTTP request to one of three endpoints (/ccversion/Version, /ccversion/Masthead, or /ccversion/ButtonFrame) to execute code in the context of the current user (unless ForgeRock AM is running as root user, which the vendor does not recommend). • https://www.exploit-db.com/exploits/50131 https://github.com/Y4er/openam-CVE-2021-35464 https://github.com/rood8008/CVE-2021-35464 http://packetstormsecurity.com/files/163486/ForgeRock-OpenAM-Jato-Java-Deserialization.html http://packetstormsecurity.com/files/163525/ForgeRock-Access-Manager-OpenAM-14.6.3-Remote-Code-Execution.html https://backstage.forgerock.com/knowledge/kb/article/a47894244 https://bugster.forgerock.org https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464 • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.5EPSS: 44%CPEs: 1EXPL: 5CVE-2021-29156 – OpenAM 13.0 - LDAP Injection
https://notcve.org/view.php?id=CVE-2021-29156
ForgeRock OpenAM before 13.5.1 allows LDAP injection via the Webfinger protocol. For example, an unauthenticated attacker can perform character-by-character retrieval of password hashes, or retrieve a session token or a private key. ForgeRock OpenAM versiones anteriores a 13.5.1, permite la inyección LDAP por medio del protocolo Webfinger. Por ejemplo, un atacante no autenticado puede llevar a cabo la recuperación de caracteres del hash de contraseña, o recuperar un token de sesión o una clave privada • https://www.exploit-db.com/exploits/50480 https://github.com/guidepointsecurity/CVE-2021-29156 https://github.com/5amu/CVE-2021-29156 https://bugster.forgerock.org/jira/browse/OPENAM-10135 https://portswigger.net/research/hidden-oauth-attack-vectors • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •