Forgerock Forgerock

  1. Vendors
  2. Forgerock
Do you want an email whenever new security vulnerabilities are reported in any Forgerock product?

Products by Forgerock Sorted by Most Security Vulnerabilities since 2018

Forgerock Access Management7 vulnerabilities

Forgerock Ldap Connector2 vulnerabilities

Forgerock Openam2 vulnerabilities

Forgerock Am1 vulnerability

Forgerock Java Policy Agents1 vulnerability

Forgerock Service Broker1 vulnerability

Forgerock Web Policy Agents1 vulnerability

Known Exploited Forgerock Vulnerabilities

The following Forgerock vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

Title Description Added
ForgeRock Access Management Remote Code Execution Vulnerability ForgeRock AM server before 7.0 has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. The exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted /ccversion/* request to the server. CVE-2021-35464 November 3, 2021

By the Year

In 2024 there have been 0 vulnerabilities in Forgerock . Last year Forgerock had 4 security vulnerabilities published. Right now, Forgerock is on track to have less security vulnerabilities in 2024 than it did last year.

Year Vulnerabilities Average Score
2024 0 0.00
2023 4 9.23
2022 4 8.15
2021 4 9.23
2020 0 0.00
2019 1 7.80
2018 1 6.50

It may take a day or so for new Forgerock vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Forgerock Security Vulnerabilities

Improper Authorization vulnerability in ForgeRock Inc

CVE-2022-3748 9.8 - Critical - April 14, 2023

Improper Authorization vulnerability in ForgeRock Inc. Access Management allows Authentication Bypass.This issue affects Access Management: from 6.5.0 through 7.2.0.

Cleartext Transmission of Sensitive Information vulnerability in ForgeRock Inc

CVE-2023-1656 7.5 - High - March 29, 2023

Cleartext Transmission of Sensitive Information vulnerability in ForgeRock Inc. OpenIDM and Java Remote Connector Server (RCS) LDAP Connector on Windows, MacOS, Linux allows Remote Services with Stolen Credentials.This issue affects OpenIDM and Java Remote Connector Server (RCS): from 1.5.20.9 through 1.5.20.13.

Cleartext Transmission of Sensitive Information

Relative Path Traversal vulnerability in ForgeRock Access Management Java Policy Agent allows Authentication Bypass

CVE-2023-0511 9.8 - Critical - February 28, 2023

Relative Path Traversal vulnerability in ForgeRock Access Management Java Policy Agent allows Authentication Bypass. This issue affects Access Management Java Policy Agent: all versions up to 5.10.1

Directory traversal

Relative Path Traversal vulnerability in ForgeRock Access Management Web Policy Agent allows Authentication Bypass

CVE-2023-0339 9.8 - Critical - February 28, 2023

Relative Path Traversal vulnerability in ForgeRock Access Management Web Policy Agent allows Authentication Bypass. This issue affects Access Management Web Policy Agent: all versions up to 5.10.1

Directory traversal

An attacker can use the unrestricted LDAP queries to determine configuration entries

CVE-2022-24670 6.5 - Medium - October 27, 2022

An attacker can use the unrestricted LDAP queries to determine configuration entries

It may be possible to gain some details of the deployment through a well-crafted attack

CVE-2022-24669 6.5 - Medium - October 27, 2022

It may be possible to gain some details of the deployment through a well-crafted attack. This may allow that data to be used to probe internal network services.

AuthZ

When the LDAP connector is started with StartTLS configured, unauthenticated access is granted

CVE-2022-0143 9.8 - Critical - September 19, 2022

When the LDAP connector is started with StartTLS configured, unauthenticated access is granted. This issue affects: all versions of the LDAP connector prior to 1.5.20.9. The LDAP connector is bundled with Identity Management (IDM) and Remote Connector Server (RCS)

AuthZ

Missing access control in ForgeRock Access Management 7.1.0 and earlier versions on all platforms

CVE-2021-4201 9.8 - Critical - February 14, 2022

Missing access control in ForgeRock Access Management 7.1.0 and earlier versions on all platforms allows remote unauthenticated attackers to hijack sessions, including potentially admin-level sessions. This issue affects: ForgeRock Access Management 7.1 versions prior to 7.1.1; 6.5 versions prior to 6.5.4; all previous versions.

authentification

ForgeRock Access Management (AM) before 7.0.2

CVE-2021-37153 9.8 - Critical - August 25, 2021

ForgeRock Access Management (AM) before 7.0.2, when configured with Active Directory as the Identity Store, has an authentication-bypass issue.

In ForgeRock Access Management (AM) before 7.0.2, the SAML2 implementation

CVE-2021-37154 9.8 - Critical - August 25, 2021

In ForgeRock Access Management (AM) before 7.0.2, the SAML2 implementation allows XML injection, potentially enabling a fraudulent SAML 2.0 assertion.

aka Blind XPath Injection

ForgeRock AM server before 7.0 has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages

CVE-2021-35464 9.8 - Critical - July 22, 2021

ForgeRock AM server before 7.0 has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. The exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted /ccversion/* request to the server. The vulnerability exists due to the usage of Sun ONE Application Framework (JATO) found in versions of Java 8 or earlier

Marshaling, Unmarshaling

ForgeRock OpenAM before 13.5.1 allows LDAP injection via the Webfinger protocol

CVE-2021-29156 7.5 - High - March 25, 2021

ForgeRock OpenAM before 13.5.1 allows LDAP injection via the Webfinger protocol. For example, an unauthenticated attacker can perform character-by-character retrieval of password hashes, or retrieve a session token or a private key.

Injection

CF CLI version prior to v6.45.0 (bosh release version 1.16.0) writes the client id and secret to its config file when the user authenticates with --client-credentials flag

CVE-2019-3800 7.8 - High - August 05, 2019

CF CLI version prior to v6.45.0 (bosh release version 1.16.0) writes the client id and secret to its config file when the user authenticates with --client-credentials flag. A local authenticated malicious user with access to the CF CLI config file can act as that client, who is the owner of the leaked credentials.

Information Disclosure

The REST APIs in ForgeRock AM before 5.5.0 include SSOToken IDs as part of the URL, which

CVE-2018-7272 6.5 - Medium - February 21, 2018

The REST APIs in ForgeRock AM before 5.5.0 include SSOToken IDs as part of the URL, which allows attackers to obtain sensitive information by finding an ID value in a log file.

Information Disclosure

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD), Icons by Icons8. Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.