CVE-2021-35464

high-risk
Published 2021-07-22

ForgeRock AM server before 7.0 has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. The exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted /ccversion/* request to the server. The vulnerability exists due to the usage of Sun ONE Application Framework (JATO) found in versions of Java 8 or earlier

Do I need to act?

!
94.4% chance of exploitation in next 30 days
EPSS score — higher than 6% of all CVEs
!
CISA KEV: actively exploited in the wild
On the Known Exploited Vulnerabilities catalog — federal agencies must patch
!
1 public exploit available
50131
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (2)

Access Management

Affected Vendors

Forgerock

References (9)

Exploit http://packetstormsecurity.com/files/163486/ForgeRock-OpenAM-Jato-Java-Deseriali...
Exploit http://packetstormsecurity.com/files/163525/ForgeRock-Access-Manager-OpenAM-14.6...
Exploit https://backstage.forgerock.com/knowledge/kb/article/a47894244
Broken Link https://bugster.forgerock.org
Exploit http://packetstormsecurity.com/files/163486/ForgeRock-OpenAM-Jato-Java-Deseriali...
Exploit http://packetstormsecurity.com/files/163525/ForgeRock-Access-Manager-OpenAM-14.6...
Exploit https://backstage.forgerock.com/knowledge/kb/article/a47894244
Broken Link https://bugster.forgerock.org
US Government Resource https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-...
66
/ 100
high-risk
Severity 32/34 · Critical
Exploitability 27/34 · High
Exposure 7/34 · Low