Openidentityplatform Openam
By the Year
In 2026 there have been 0 vulnerabilities in Openidentityplatform Openam. Last year, in 2025, Openam had 1 security vulnerability published. Right now, Openam is on track to have fewer security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 1 | 0.00 |
| 2024 | 0 | 0.00 |
| 2023 | 1 | 9.80 |
| 2022 | 1 | 5.30 |
It may take a day or so for new Openam vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Openidentityplatform Openam Security Vulnerabilities
OpenAM <16.0.0 OIDC Claims Injection via groovy script
CVE-2025-64099
- November 12, 2025
Open Access Management (OpenAM) is an access management solution. In versions prior to 16.0.0, if the "claims_parameter_supported" parameter is activated, the "oidc-claims-extension.groovy" script makes it possible to inject a value of the attacker's choice into a claim contained in the id_token or in the userinfo response. The claims parameter of an authorize request carries a JSON object, and that object lets an attacker customize the claims returned in the "id_token" and in "user_info". The impact depends on how clients use the claims: for example, if a client relies on the email claim to identify a user, an attacker can choose any email address and therefore assume any identity they choose. Version 16.0.0 fixes the issue.
Injection
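The distinction that matters in the advisory above is whether the `claims` request parameter is allowed to *supply* claim values or only to *select* which claims the OP returns. The following is an added illustration, not code from OpenAM or from the groovy script named above: a parser for the OIDC Core 5.5 `claims` parameter, a resolver that copies a requested `value` into the issued claims (the failure mode the advisory describes), and a hardened resolver that always sources values from the identity store and drops any claim whose requested value does not match. The `DIRECTORY` record and the user id `user-1234` are constructed sample data.

```python
"""OIDC `claims` request parameter: selecting claims vs. supplying their values.

Added example (not OpenAM code). DIRECTORY stands in for the authoritative
identity store (an LDAP/DS backend in a real OP) and holds constructed data.
"""
from __future__ import annotations

import json
from typing import Any

# Constructed sample record; a real OP reads this from its user store.
DIRECTORY: dict[str, dict[str, Any]] = {
    "user-1234": {"sub": "user-1234", "email": "alice@example.com", "name": "Alice"},
}

ALLOWED_KEYS = {"essential", "value", "values"}


def parse_claims_parameter(raw: str) -> dict[str, dict[str, dict[str, Any]]]:
    """Parse the `claims` parameter (OIDC Core section 5.5).

    Expected shape:
      {"id_token": {"email": {"essential": true}}, "userinfo": {"name": null}}
    Each claim maps to null or an object limited to essential/value/values.
    Anything else is rejected so unexpected keys never reach the resolver.
    """
    data = json.loads(raw)
    if not isinstance(data, dict):
        raise ValueError("claims parameter must be a JSON object")
    out: dict[str, dict[str, dict[str, Any]]] = {}
    for target in ("id_token", "userinfo"):
        section = data.get(target) or {}
        if not isinstance(section, dict):
            raise ValueError(f"{target} member must be a JSON object")
        parsed: dict[str, dict[str, Any]] = {}
        for name, spec in section.items():
            spec = spec if spec is not None else {}
            if not isinstance(spec, dict) or not set(spec) <= ALLOWED_KEYS:
                raise ValueError(f"malformed request for claim {name!r}")
            parsed[name] = spec
        out[target] = parsed
    return out


def resolve_claims_vulnerable(claims_param: str, sub: str, target: str) -> dict[str, Any]:
    """Failure mode: a requested `value` is copied straight into the token.

    The client controls the `claims` parameter, so the client picks its own
    email (or any other claim) and the OP signs it.
    """
    requested = parse_claims_parameter(claims_param)[target]
    record = DIRECTORY[sub]
    issued: dict[str, Any] = {"sub": sub}
    for name, spec in requested.items():
        if "value" in spec:
            issued[name] = spec["value"]  # attacker-controlled value
        elif name in record:
            issued[name] = record[name]
    return issued


def resolve_claims_hardened(claims_param: str, sub: str, target: str) -> dict[str, Any]:
    """The request only selects WHICH claims to return; every value comes from
    the directory. A requested `value`/`values` is a preference: when the real
    value does not match, the claim is omitted rather than fabricated, and
    `sub` is never overridable.
    """
    requested = parse_claims_parameter(claims_param)[target]
    record = DIRECTORY[sub]
    issued: dict[str, Any] = {"sub": sub}
    for name, spec in requested.items():
        if name == "sub" or name not in record:
            continue
        actual = record[name]
        if "value" in spec and spec["value"] != actual:
            continue
        if "values" in spec and actual not in spec["values"]:
            continue
        issued[name] = actual
    return issued


if __name__ == "__main__":
    # Constructed attacker request: asks the OP to assert a different email.
    attack = '{"id_token": {"email": {"value": "admin@example.com"}}, "userinfo": {"name": null}}'
    print("vulnerable:", resolve_claims_vulnerable(attack, "user-1234", "id_token"))
    print("hardened:  ", resolve_claims_hardened(attack, "user-1234", "id_token"))
```

On the relying-party side the same lesson applies in reverse: key local accounts on `sub` (scoped to the issuer), not on `email` or another mutable claim, so that even a misbehaving OP cannot hand one user another user's account.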
OpenAM SAMLPOSTProfileServlet Signature Validation Flaw (v < 14.7.3)
CVE-2023-37471
9.8 - Critical
- July 20, 2023
Open Access Management (OpenAM) is an access management solution that includes Authentication, SSO, Authorization, Federation, Entitlements and Web Services Security. OpenAM up to version 14.7.2 does not properly validate the signature of SAML responses received as part of the SAMLv1.x Single Sign-On process. Attackers can use this fact to impersonate any OpenAM user, including the administrator, by sending a specially crafted SAML response to the SAMLPOSTProfileServlet servlet. This problem has been patched in OpenAM 14.7.3-SNAPSHOT and later. Users unable to upgrade should comment out the `SAMLPOSTProfileServlet` servlet in their pom file. See the linked GHSA for details.
Authentication
The NT auth module in OpenAM before 14.6.6 allows a "replace Samba username attack"
CVE-2022-34298
5.3 - Medium
- June 23, 2022
The NT auth module in OpenAM before 14.6.6 allows a "replace Samba username attack."