返回 CVE 瀏覽器

CVE-2021-35464

Known Exploited (CISA KEV)CRITICAL

9.8

CVSS Severity Score

EPSS Score40.3050%

EPSS Percentile93.71th

Published2021年7月22日

Last Modified2025年11月5日

Vulnerability Description

ForgeRock AM server before 7.0 has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. The exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted /ccversion/* request to the server. The vulnerability exists due to the usage of Sun ONE Application Framework (JATO) found in versions of Java 8 or earlier

Affected Platforms (CPE)

📦

Forgerock

Access Management

< 6.5.4

📦

Forgerock

Openam

>= 9.0.0 and < 14.6.3

References & Advisories

🔗 http://packetstormsecurity.com/files/163486/ForgeRock-OpenAM-Jato-Java-Deserialization.html

🔗 http://packetstormsecurity.com/files/163525/ForgeRock-Access-Manager-OpenAM-14.6.3-Remote-Code-Execution.html

🔗 https://backstage.forgerock.com/knowledge/kb/article/a47894244

🔗 https://bugster.forgerock.org

🔗 http://packetstormsecurity.com/files/163486/ForgeRock-OpenAM-Jato-Java-Deserialization.html

🔗 http://packetstormsecurity.com/files/163525/ForgeRock-Access-Manager-OpenAM-14.6.3-Remote-Code-Execution.html

🔗 https://backstage.forgerock.com/knowledge/kb/article/a47894244

🔗 https://bugster.forgerock.org

相關漏洞威脅

CVE-2019-1665010.0

On Supermicro X10 and X11 products, a client's access privileges may be transferred to a different client that later has the same ...

CVE-2019-1744010.0

Improper restriction of communications to Log Forwarding Card (LFC) on PA-7000 Series devices with second-generation Switch Manage...

CVE-2019-954810.0

Citrix Application Delivery Management (ADM) 12.1.x before 12.1.50.33 has Incorrect Access Control.

CVE-2020-1184410.0

Incorrect Authorization vulnerability in Micro Focus Container Deployment Foundation component affects products: - Hybrid Cloud Ma...