CRITICAL🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2021-35464

CVSS 9.8v3.1pub. 2021-07-22upd. 2025-11-05

ForgeRock AM server before 7.0 has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. The exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted /ccversion/* request to the server. The vulnerability exists due to the usage of Sun ONE Application Framework (JATO) found in versions of Java 8 or earlier

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Forgerock Access Management

    APP
    Forgerock
    < 6.5.4
  • Forgerock Openam

    APP
    Forgerock
    9.0.0 – 14.6.3 (bez)

CISA KEV — detailsi

Vendori
ForgeRock
Producti
Access Management (AM)
Added to KEVi
November 3, 2021
Remediation deadline (US Federal)i
November 17, 2021(overdue)
Ransomwarei
Active ransomware campaigns exploit this vulnerability
Required action (CISA)i

Apply updates per vendor instructions.

CISA descriptioni

ForgeRock Access Management (AM) Core Server allows an attacker who sends a specially crafted HTTP request to one of three endpoints (/ccversion/Version, /ccversion/Masthead, or /ccversion/ButtonFrame) to execute code in the context of the current user (unless ForgeRock AM is running as root user, which the vendor does not recommend).

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
☠️WYKORZYSTYWANE W RANSOMWARECISA DEADLINE: 17 listopada 2021
Tags
RCEDeserialization
CWE
References

Related vulnerabilities

CVE-2022-3748CRITICAL9.8ten sam produkt

Improper Authorization vulnerability in ForgeRock Inc. Access Management allows Authentication Bypass. This is...

CVE-2021-4201CRITICAL9.6ten sam produkt

Missing access control in ForgeRock Access Management 7.1.0 and earlier versions on all platforms allows remot...

CVE-2021-37154CRITICAL9.8ten sam produkt

In ForgeRock Access Management (AM) before 7.0.2, the SAML2 implementation allows XML injection, potentially e...

CVE-2021-37153CRITICAL9.8ten sam produkt

ForgeRock Access Management (AM) before 7.0.2, when configured with Active Directory as the Identity Store, ha...

CVE-2023-0582HIGH8.1ten sam produkt

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ForgeRock Acce...