Detections
Analytics
ForgeRock Access Management 6.0.0.x / 6.5.0.x / 6.5.2.x / 6.5.3 / 6.5.4 / 7.0.x / 7.1 / 7.1.1 Multiple Vulnerabilities
medium Nessus Plugin ID 173708
Synopsis
ForgeRock Access Management is affected by multiple vulnerabilities.Description
The version of ForgeRock Access Management detected on the remote host is affected by multiple vulnerabilities, including the following:- It may be possible to gain some details of the deployment through a well-crafted attack. This may allow that data to be used to probe internal network services. (CVE-2022-24669)
- An attacker can use the unrestricted LDAP queries to determine configuration entries (CVE-2022-24670)
- A cross site scripting (XSS) vulnerability which could lead to session hijacking or phishing.
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Solution
Upgrade to ForgeRock Access Management version 6.5.5, 7.1.2, 7.2 or later, or apply a patch or workaround.See Also
https://backstage.forgerock.com/knowledge/kb/article/a90639318#3M7t8j
Plugin Details
Severity: Medium
ID: 173708
File Name: forgerock_openam_7_2.nasl
Version: 1.2
Type: remote
Family: CGI abuses
Published: 3/30/2023
Updated: 3/31/2023
Supported Sensors: Nessus
Risk Information
VPR
Risk Factor: Low
Score: 3.6
CVSS v2
Risk Factor: Medium
Base Score: 6.8
Temporal Score: 5
Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:N/A:N
CVSS Score Source: CVE-2022-24670
CVSS v3
Risk Factor: Medium
Base Score: 6.5
Temporal Score: 5.7
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:forgerock:access_management, cpe:/a:forgerock:openam
Required KB Items: installed_sw/ForgeRock Access Management
Exploit Ease: No known exploits are available
Patch Publication Date: 10/27/2022
Vulnerability Publication Date: 10/27/2022
Reference Information
CVE: CVE-2022-24669, CVE-2022-24670
IAVA: 2023-A-0159