CVSSv3: 9.8

CVE-2021-35464

Published: 22/07/2021 Updated: 02/08/2021
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 890
CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

ForgeRock AM server prior to 7.0 has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. Exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted /ccversion/* request to the server. The vulnerability exists due to the usage of the Sun ONE Application Framework (JATO) found in versions of Java 8 or earlier.

Vulnerable Products

forgerock am

forgerock openam

Exploits

ForgeRock Access Manager/OpenAM version 14.6.3 unauthenticated remote code execution exploit ...
This Metasploit module leverages a pre-authentication remote code execution vulnerability in the OpenAM identity and access management solution. The vulnerability arises from a Java deserialization flaw in OpenAM's implementation of the Jato framework and can be triggered by a simple one-line GET or POST request to a vulnerable endpoint. Successful ...

Github Repositories

openam-CVE-2021-35464: tomcat command execution with output echo

openam CVE-2021-35464 tomcat command execution with output echo. The project is built on ysoserial and Java-Rce-Echo; it requires adding ysoserial.jar and jato-14.6.3.jar to its dependencies. POST /OpenAM/ccversion/Version HTTP/1.1 Host: phplocal:8081 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Acc