CVE-2021-35464
In short
ForgeRock AM servers before version 7.0 contain a critical flaw that allows attackers to execute malicious code remotely without needing a password. An attacker can exploit this by sending a specially crafted request to the server, taking advantage of how the application processes Java data.
Technical detail
A Java deserialization vulnerability in the jato.pageSession parameter, present on multiple pages and reachable through unauthenticated /ccversion/* requests. It stems from unsafe deserialization in the Sun ONE Application Framework (JATO), as shipped with Java 8 and earlier, and allows remote code execution without authentication.
Summary generated and translated by AI from the official description.
ForgeRock AM server before 7.0 has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. The exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted /ccversion/* request to the server. The vulnerability exists due to the usage of Sun ONE Application Framework (JATO) found in versions of Java 8 or earlier.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/a
Public PoCs found — 5
github · github.com/Y4er/openam-CVE-2021-35464 · ★ 87
github · github.com/rood8008/CVE-2021-35464 · ★ 0
cve_reference · packetstormsecurity.com/files/163486/ForgeRock-OpenAM-Jato-Java-Deserialization.html · unverified
cve_reference · packetstormsecurity.com/files/163525/ForgeRock-Access-Manager-OpenAM-14.6.3-Remote-Code-Execution.html · unverified
exploitdb · www.exploit-db.com/exploits/50131 · unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
http://packetstormsecurity.com/files/163486/ForgeRock-OpenAM-Jato-Java-Deserialization.html
http://packetstormsecurity.com/files/163525/ForgeRock-Access-Manager-OpenAM-14.6.3-Remote-Code-Execution.html
https://backstage.forgerock.com/knowledge/kb/article/a47894244
https://bugster.forgerock.org
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-35464