Forgerock
Known Exploited Forgerock Vulnerabilities
The following Forgerock vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| ForgeRock Access Management Remote Code Execution Vulnerability | ForgeRock AM server before 7.0 has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. The exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted /ccversion/* request to the server. CVE-2021-35464. Exploit Probability: 94.4% | November 3, 2021 |
The vulnerability CVE-2021-35464 (ForgeRock Access Management Remote Code Execution Vulnerability) is in the top 1% of currently known exploitable vulnerabilities.
By the Year
In 2026 there have been 0 vulnerabilities in Forgerock. Forgerock did not have any published security vulnerabilities last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 0 | 0.00 |
| 2024 | 2 | 7.95 |
| 2023 | 4 | 9.23 |
| 2022 | 4 | 8.15 |
| 2021 | 4 | 9.23 |
| 2020 | 0 | 0.00 |
| 2019 | 1 | 7.80 |
| 2018 | 1 | 0.00 |
It may take a day or so for new Forgerock vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Forgerock Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2024-25566 | Oct 29, 2024 | Ping Access Open-Redirect via Improper URL Validation (CVE-2024-25566). An Open-Redirect vulnerability exists in PingAM where well-crafted requests may cause improper validation of redirect URLs. This could allow an attacker to redirect end-users to malicious sites under their control, simplifying phishing attacks. | |
| CVE-2023-0582 | Mar 27, 2024 | ForgeRock AM Path Traversal: Auth Bypass (7.2.1). Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ForgeRock Access Management allows Authorization Bypass. This issue affects access management: before 7.3.0, before 7.2.1, before 7.1.4, through 7.0.2. | |
| CVE-2022-3748 | Apr 14, 2023 | Auth Bypass in ForgeRock Access Management 6.5.0-7.2.0. Improper Authorization vulnerability in ForgeRock Inc. Access Management allows Authentication Bypass. This issue affects Access Management: from 6.5.0 through 7.2.0. | |
| CVE-2023-1656 | Mar 29, 2023 | Cleartext Credentials in ForgeRock OpenIDM & RCS 1.5.20.9-1.5.20.13. Cleartext Transmission of Sensitive Information vulnerability in ForgeRock Inc. OpenIDM and Java Remote Connector Server (RCS) LDAP Connector on Windows, MacOS, Linux allows Remote Services with Stolen Credentials. This issue affects OpenIDM and Java Remote Connector Server (RCS): from 1.5.20.9 through 1.5.20.13. | |
| CVE-2023-0511 | Feb 28, 2023 | ForgeRock AM Policy Agent 5.10.1: Path Traversal Auth Bypass. Relative Path Traversal vulnerability in ForgeRock Access Management Java Policy Agent allows Authentication Bypass. This issue affects Access Management Java Policy Agent: all versions up to 5.10.1. | |
| CVE-2023-0339 | Feb 28, 2023 | ForgeRock AM WPKG Agent Path Traversal (5.10.1) Auth Bypass. Relative Path Traversal vulnerability in ForgeRock Access Management Web Policy Agent allows Authentication Bypass. This issue affects Access Management Web Policy Agent: all versions up to 5.10.1. | |
| CVE-2022-24670 | Oct 27, 2022 | OpenLDAP Unrestricted LDAP Queries for Config Entries (CVE-2022-24670). An attacker can use the unrestricted LDAP queries to determine configuration entries. | |
| CVE-2022-24669 | Oct 27, 2022 | Jenkins Depl. Info Disclosure Enables Probe of Internal Network. It may be possible to gain some details of the deployment through a well-crafted attack. This may allow that data to be used to probe internal network services. | |
| CVE-2022-0143 | Sep 19, 2022 | WSO2 IDM LDAP Connector Unauthenticated Access via StartTLS <1.5.20.9. When the LDAP connector is started with StartTLS configured, unauthenticated access is granted. This issue affects: all versions of the LDAP connector prior to 1.5.20.9. The LDAP connector is bundled with Identity Management (IDM) and Remote Connector Server (RCS). | |
| CVE-2021-4201 | Feb 14, 2022 | Missing access control in ForgeRock Access Management 7.1.0 and earlier versions on all platforms allows remote unauthenticated attackers to hijack sessions, including potentially admin-level sessions. This issue affects: ForgeRock Access Management 7.1 versions prior to 7.1.1; 6.5 versions prior to 6.5.4; all previous versions. | |
| CVE-2021-37153 | Aug 25, 2021 | ForgeRock Access Management (AM) before 7.0.2, when configured with Active Directory as the Identity Store, has an authentication-bypass issue. | |
| CVE-2021-37154 | Aug 25, 2021 | In ForgeRock Access Management (AM) before 7.0.2, the SAML2 implementation allows XML injection, potentially enabling a fraudulent SAML 2.0 assertion. | |
| CVE-2021-35464 | Jul 22, 2021 | ForgeRock AM server before 7.0 has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. The exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted /ccversion/* request to the server. The vulnerability exists due to the usage of Sun ONE Application Framework (JATO) found in versions of Java 8 or earlier. | And others... |
| CVE-2021-29156 | Mar 25, 2021 | ForgeRock OpenAM before 13.5.1 allows LDAP injection via the Webfinger protocol. For example, an unauthenticated attacker can perform character-by-character retrieval of password hashes, or retrieve a session token or a private key. | |
| CVE-2019-3800 | Aug 05, 2019 | CF CLI version prior to v6.45.0 (bosh release version 1.16.0) writes the client id and secret to its config file when the user authenticates with --client-credentials flag. A local authenticated malicious user with access to the CF CLI config file can act as that client, who is the owner of the leaked credentials. | |
| CVE-2018-7272 | Feb 21, 2018 | The REST APIs in ForgeRock AM before 5.5.0 include SSOToken IDs as part of the URL, which allows attackers to obtain sensitive information by finding an ID value in a log file. | |