QID 731203

Date Published: 2024-02-26

QID 731203: ForgeRock OpenAM LDAP Injection Vulnerability

ForgeRock OpenAM is an open-source access management, entitlements and federation server platform.

ForgeRock OpenAM contains a vulnerability in the Webfinger protocol implementation allowing unauthenticated, remote attackers to retrieve password hashes, session tokens or a private key via the password reset feature.

Affected Versions:
ForgeRock OpenAM prior to 13.5.1

QID Detection Logic:
This unauthenticated QID detects vulnerable versions of ForgeRock OpenAM based on the self reported version string via the HTTP source code.

NOTE: OpenAM is now being developed by OpenIdentityPlatform and not ForgeRock.

Successful exploitation allows an unauthenticated, remote attacker to retrieve password hashes, session tokens or a private key via the password reset feature by conducting LDAP injection.

CVSS V3 rated as High - 7.5 severity.

CVSS V2 rated as Medium - 5 severity.

Solution

Customers are advised to upgrade to versions that superceed OpenAM 13.5.1.

Vendor References

OPENAM-10135 - bugster.forgerock.org/jira/browse/OPENAM-10135

CVEs related to QID 731203

CVE-2021-29156 |

Software Advisories

Advisory ID	Software	Component	Link
OpenAM 13.5.1 and later			github.com/OpenIdentityPlatform/OpenAM/releases

By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].