OpenAM 安全漏洞

OpenAM is an all-in-one access management solution organized by the OpenAM Consortium. It provides authentication, authorization, delegation and federation capabilities. A security vulnerability exists in OpenAM versions 14.0.0 through 14.0.1, which stems from a tampering request that could resul...

PT-2025-35534

Name of the Vulnerable Software and Affected Versions: OpenAM versions 14.0.0 through 14.0.1 Description: OpenAM OpenAM Consortium Edition may malfunction as a SAML Identity Provider IdP due to a tampered request. Recommendations: At the moment, there is no information about a newer version that...

📄 OpenAM Authentication Bypass

OpenAM versions prior to 14.6.6 proof of concept exploit. / | | |\ \ \ / / \ \ / | | | | / \ / / \ \ \ / / | | \ | Y | | \ / | | / // || \ || || / // || / / / Name: watchtowr-vs-openamauth-impersonation2022-06-16.py Author: Aliz Hammond import json import re import textwrap import...

CVE-2023-22320

OpenAM Web Policy Agent OpenAM Consortium Edition provided by OpenAM Consortium parses URLs improperly, leading to a path traversal vulnerabilityCWE-22. Furthermore, a crafted URL may be evaluated incorrectly...

CVE-2022-34298

The NT auth module in OpenAM before 14.6.6 allows a "replace Samba username attack."...

CVE-2021-29156

ForgeRock OpenAM before 13.5.1 allows LDAP injection via the Webfinger protocol. For example, an unauthenticated attacker can perform character-by-character retrieval of password hashes, or retrieve a session token or a private key...

CVE-2024-41667

OpenAM is an open access management solution. In versions 15.0.3 and prior, the getCustomLoginUrlTemplate method in RealmOAuth2ProviderSettings.java is vulnerable to template injection due to its usage of user input. Although the developer intended to implement a custom URL for handling login to...

The vulnerability of the getCustomLoginUrlTemplate method of the OpenAM access and rights management software allows a perpetrator to execute arbitrary code.

The vulnerability of the getCustomLoginUrlTemplate method in the OpenAM access and rights management software is related to improper code generation. Exploiting this vulnerability could allow a remote attacker to execute arbitrary code...

OpenAM FreeMarker template injection

OpenAM is an open access management solution. In versions 15.0.3 and prior, the getCustomLoginUrlTemplate method in RealmOAuth2ProviderSettings.java is vulnerable to template injection due to its usage of user input. Although the developer intended to implement a custom URL for handling login to...

GHSA-7726-43HG-M23V OpenAM FreeMarker template injection

OpenAM is an open access management solution. In versions 15.0.3 and prior, the getCustomLoginUrlTemplate method in RealmOAuth2ProviderSettings.java is vulnerable to template injection due to its usage of user input. Although the developer intended to implement a custom URL for handling login to...

Template Injection

org.openidentityplatform.openam, openam-oauth2 is vulnerable to Template Injection. The vulnerability is due to improper template restrictions in the getCustomLoginUrlTemplate function within RealmOAuth2ProviderSettings.java, allowing attackers to inject and execute arbitrary code via the...

CVE-2024-41667

OpenAM is an open access management solution. In versions 15.0.3 and prior, the getCustomLoginUrlTemplate method in RealmOAuth2ProviderSettings.java is vulnerable to template injection due to its usage of user input. Although the developer intended to implement a custom URL for handling login to...

CVE-2024-41667 OpenAM FreeMarker template injection

OpenAM is an open access management solution. In versions 15.0.3 and prior, the getCustomLoginUrlTemplate method in RealmOAuth2ProviderSettings.java is vulnerable to template injection due to its usage of user input. Although the developer intended to implement a custom URL for handling login to...

CVE-2024-41667 OpenAM FreeMarker template injection

OpenAM is an open access management solution. In versions 15.0.3 and prior, the getCustomLoginUrlTemplate method in RealmOAuth2ProviderSettings.java is vulnerable to template injection due to its usage of user input. Although the developer intended to implement a custom URL for handling login to...

CVE-2024-41667 OpenAM FreeMarker template injection

OpenAM is an open access management solution. In versions 15.0.3 and prior, the getCustomLoginUrlTemplate method in RealmOAuth2ProviderSettings.java is vulnerable to template injection due to its usage of user input. Although the developer intended to implement a custom URL for handling login to...

CVE-2024-41667

OpenAM

PT-2024-5297 · Openiam · Openam

Name of the Vulnerable Software and Affected Versions: OpenAM versions 15.0.3 and prior Description: The issue is related to the getCustomLoginUrlTemplate method in RealmOAuth2ProviderSettings.java, which is vulnerable to template injection due to its usage of user input. This vulnerability allow...

OpenAM 安全漏洞

OpenAM is an all-in-one access management solution organized by the OpenAM Consortium. It provides authentication, authorization, delegation and federation capabilities. A security vulnerability exists in OpenAM version 15.0.3 and earlier versions, which stems from vulnerability to template...

com.srcclr:srcclr-maven-plugin (>=3.1.23 <=3.1.25), org.keycloak:keycloak-crypto-fips1402 (>=19.0.0 <=25.0.6) +17 more potentially affected by CVE-2024-30171 via org.bouncycastle:bctls-fips (>=1.0.12.2 <=1.0.18)

org.bouncycastle:bctls-fips MAVEN version =1.0.12.2, =3.1.23, =19.0.0, =14.7.0.0, =4.5.1, =4.5.1, =4.5.1, =4.5.1, =4.5.1, =4.5.1, =4.5.1, =4.5.1, =4.5.1, =4.5.1, =4.5.1, =4.5.1, =4.6.3 and more Source cves: CVE-2024-30171 Source advisory:...

User Impersonation

openam-federation-library is vulnerable to User Impersonation. The vulnerability exists because the processResponse function of SAMLUtils.java does not properly validate the signature of a SAML responses received as part of the SAMLv1.x Single Sign-On process, which allows an attacker to exploit...