Vulnerability CVE-2021-35464


Published: 2021-07-22

Description:
ForgeRock AM server 6.x before 7, and OpenAM 14.6.3, has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. The exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted /ccversion/Version request to the server. The vulnerability exists due to incorrect usage of Sun ONE Application Framework (JATO).

See advisories in our WLB2 database:

Topic: ForgeRock Access Manager/OpenAM 14.6.3 Remote Code Execution
Risk: High
Author: Photubias
Date: 16.07.2021

References:
http://packetstormsecurity.com/files/163486/ForgeRock-OpenAM-Jato-Java-Deserialization.html
http://packetstormsecurity.com/files/163525/ForgeRock-Access-Manager-OpenAM-14.6.3-Remote-Code-Execution.html
https://bugster.forgerock.org

Copyright 2021, cxsecurity.com
