GCVE - cpe:2.3:a:forgerock:openam:*:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:forgerock:openam:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor	Forgerock (`62f6869f-1355-5abb-ba20-0a0692140c41`)
Product	Openam (`bd9cbf1a-8483-51e9-be82-57ae44a315c3`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from purl2cpe mapping

PURL mappings

PURL	Source	Last updated
`pkg:docker/openidentityplatform/openam`	purl2cpe	2026-06-01 10:12:59.195480
`pkg:github/openidentityplatform/openam`	purl2cpe	2026-06-01 10:12:59.195483
`pkg:github/openrock/openam`	purl2cpe	2026-06-01 10:12:59.195486
`pkg:maven/org.openidentityplatform.openam/openam`	purl2cpe	2026-06-01 10:12:59.195489

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2021-35464`	vulnerable	2026-06-03 14:44:56.384550	Details available ForgeRock AM server before 7.0 has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. The exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted /ccversion/* request to the server. The vulnerability exists due to the usage of Sun ONE Application Framework (JATO) found in versions of Java 8 or earlier Published: 2021-07-22T17:10:18.000Z Updated: 2025-10-21T23:25:39.887Z Open on db.gcve.eu Reference links https://bugster.forgerock.org http://packetstormsecurity.com/files/163486/ForgeRock-OpenAM-Jato-Java-Deserialization.html http://packetstormsecurity.com/files/163525/ForgeRock-Access-Manager-OpenAM-14.6.3-Remote-Code-Execution.html https://backstage.forgerock.com/knowledge/kb/article/a47894244	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2021-29156`	vulnerable	2026-06-03 14:44:19.697215	Details available ForgeRock OpenAM before 13.5.1 allows LDAP injection via the Webfinger protocol. For example, an unauthenticated attacker can perform character-by-character retrieval of password hashes, or retrieve a session token or a private key. Published: 2021-03-25T08:20:13.000Z Updated: 2024-08-03T22:02:51.399Z Open on db.gcve.eu Reference links https://portswigger.net/research/hidden-oauth-attack-vectors https://bugster.forgerock.org/jira/browse/OPENAM-10135	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2017-14395`	vulnerable	2026-06-03 14:36:39.143396	Details available Auth 2.0 Authorization Server of ForgeRock Access Management (OpenAM) 13.5.0-13.5.1 and Access Management (AM) 5.0.0-5.1.1 does not correctly validate redirect_uri for some invalid requests, which allows attackers to execute a script in the user's browser via reflected XSS. Published: 2019-06-19T21:22:29.000Z Updated: 2024-08-05T19:27:40.077Z Open on db.gcve.eu Reference links https://backstage.forgerock.com/knowledge/kb/article/a45958025	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2017-14394`	vulnerable	2026-06-03 14:36:39.142962	Details available OAuth 2.0 Authorization Server of ForgeRock Access Management (OpenAM) 13.5.0-13.5.1 and Access Management (AM) 5.0.0-5.1.1 does not correctly validate redirect_uri for some invalid requests, which allows attackers to perform phishing via an unvalidated redirect. Published: 2019-06-19T21:22:20.000Z Updated: 2024-08-05T19:27:40.465Z Open on db.gcve.eu Reference links https://backstage.forgerock.com/knowledge/kb/article/a45958025	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.