
ForgeRock OpenAM <7.0 - Remote Code Execution CVE-2021-35464

Severity
CVSSv3 Score
9.8
Vulnerability description

ForgeRock AM server before 7.0 has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. Exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted /ccversion/* request to the server. The vulnerability exists because of the use of the Sun ONE Application Framework (JATO), found in versions of Java 8 or earlier.
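
As an added example (not part of the original advisory or Pentest-Tools.com's scanner), the following Python log check flags access-log requests to /ccversion/* whose jato.pageSession query value starts with the Java serialization stream magic (0xAC 0xED 0x00 0x05, base64 "rO0AB"). It assumes combined-format access logs and a base64-encoded parameter value; a payload carried in a POST body is not visible in an access log and would need request-body logging or a WAF to catch.

```python
import re
import base64
import binascii
from urllib.parse import urlsplit, unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Jul/2021:10:01:02 +0000] "GET /openam/ccversion/Version HTTP/1.1" 200 1534
203.0.113.5 - - [22/Jul/2021:10:01:05 +0000] "POST /openam/ccversion/Version?jato.pageSession=rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcA HTTP/1.1" 500 0
198.51.100.7 - - [22/Jul/2021:10:02:00 +0000] "GET /openam/XUI/ HTTP/1.1" 200 8890
198.51.100.9 - - [22/Jul/2021:10:03:00 +0000] "GET /openam/ccversion/Version?jato.pageSession=abc123 HTTP/1.1" 200 1534
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Every serialized Java stream begins with these four bytes (STREAM_MAGIC + version).
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"


def looks_like_java_serialized(value: str) -> bool:
    """True if a (URL-decoded) parameter value is a base64 Java serialization stream.

    Assumption: the parameter is base64-encoded; the fast path checks the
    well-known "rO0AB" prefix, the slow path decodes and checks the raw magic.
    """
    if value.startswith("rO0AB"):
        return True
    try:
        raw = base64.b64decode(value + "=" * (-len(value) % 4), validate=False)
    except (ValueError, binascii.Error):
        return False
    return raw.startswith(JAVA_SERIAL_MAGIC)


def find_deserialization_attempts(log_text: str) -> list:
    """Return one record per request to /ccversion/* whose jato.pageSession
    query value looks like a serialized Java object (the CVE-2021-35464 vector)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if "/ccversion/" not in parts.path:
            continue
        for pair in parts.query.split("&"):
            key, _, value = pair.partition("=")
            # unquote (not unquote_plus) so a literal '+' in base64 survives
            if key == "jato.pageSession" and looks_like_java_serialized(unquote(value)):
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "status": m.group("status"), "path": parts.path})
    return hits


if __name__ == "__main__":
    for hit in find_deserialization_attempts(SAMPLE_LOG):
        print(f"suspect jato.pageSession payload from {hit['ip']} at {hit['ts']} -> {hit['path']} ({hit['status']})")
```

Only the second sample line is flagged; the unauthenticated GET without the parameter and the request with an opaque non-serialized value are left alone.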

Risk description

The risk exists that a remote unauthenticated attacker can fully compromise the server to steal confidential information, install ransomware, or pivot to the internal network.

Recommendation

Upgrade ForgeRock OpenAM to version 7.0 or later to mitigate this vulnerability.

Codename
Not available
Detectable with
Network Scanner
Scan engine
Nuclei
Exploitable with Sniper
No
CVE Published
Jul 22, 2021
Detection added at
Software Type
Not available
Vendor
Not available
Product
Not available