CyberSec.Space Logo
Back to CVE Browser

CVE-2021-35464

Known Exploited (CISA KEV)CRITICAL
9.8
CVSS Severity Score
EPSS Score40.3050%
EPSS Percentile93.71th
PublishedJul 22, 2021
Last ModifiedNov 5, 2025

Vulnerability Description

ForgeRock AM server before 7.0 has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. The exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted /ccversion/* request to the server. The vulnerability exists due to the usage of Sun ONE Application Framework (JATO) found in versions of Java 8 or earlier

Affected Platforms (CPE)

πŸ“¦
Forgerock

Access Management

< 6.5.4
πŸ“¦
Forgerock

Openam

>= 9.0.0 and < 14.6.3

References & Advisories

πŸ”— http://packetstormsecurity.com/files/163486/ForgeRock-OpenAM-Jato-Java-Deserialization.html
πŸ”— http://packetstormsecurity.com/files/163525/ForgeRock-Access-Manager-OpenAM-14.6.3-Remote-Code-Execution.html
πŸ”— https://backstage.forgerock.com/knowledge/kb/article/a47894244
πŸ”— https://bugster.forgerock.org
πŸ”— http://packetstormsecurity.com/files/163486/ForgeRock-OpenAM-Jato-Java-Deserialization.html
πŸ”— http://packetstormsecurity.com/files/163525/ForgeRock-Access-Manager-OpenAM-14.6.3-Remote-Code-Execution.html
πŸ”— https://backstage.forgerock.com/knowledge/kb/article/a47894244
πŸ”— https://bugster.forgerock.org

Related Vulnerabilities

CVE-2019-1665010.0

On Supermicro X10 and X11 products, a client's access privileges may be transferred to a different client that later has the same ...

CVE-2019-1744010.0

Improper restriction of communications to Log Forwarding Card (LFC) on PA-7000 Series devices with second-generation Switch Manage...

CVE-2019-954810.0

Citrix Application Delivery Management (ADM) 12.1.x before 12.1.50.33 has Incorrect Access Control.

CVE-2020-1184410.0

Incorrect Authorization vulnerability in Micro Focus Container Deployment Foundation component affects products: - Hybrid Cloud Ma...