Vendor scorecard
ForgeRock
ForgeRock security disclosure record — CVE volume, CVSS severity mix and product-category breakdown, sourced from the NIST NVD.
CPE: forgerock
Product families
1
Open in latest
7
Inferred — see methodology
Last disclosure
Oct 29, 2024
01
Product categories
1 trackedCVE volume, severity mix and the inferred latest shipping version per category.
| Category | CVEs | Volume | Severity mix | Open | Inferred latest |
|---|---|---|---|---|---|
| Access Management / OpenAMIdentity & Access Managementaccess_management, openam, identity_gateway | 10 | 7 | 14.6.3MED |
02
Recent CVEs
9 shownMost recently published, newest first. Each ID links to its NVD record.
| CVE | Severity | CVSS | Summary | Published |
|---|---|---|---|---|
| CVE-2024-25566(opens NVD record) | Medium | 6.1 | An Open-Redirect vulnerability exists in PingAM where well-crafted requests may cause improper validation of redirect URLs. This could allow an attacker to redirect end-users to malicious sites under their control, simplifying phishing attacks | Oct 29, 2024 |
| CVE-2023-0582(opens NVD record) | High | 8.1 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ForgeRock Access Management allows Authorization Bypass. This issue affects access management: before 7.3.0, before 7.2.1, before 7.1.4, through 7.0.2. | Mar 27, 2024 |
| CVE-2022-3748(opens NVD record) | Critical | 9.8 | Improper Authorization vulnerability in ForgeRock Inc. Access Management allows Authentication Bypass. This issue affects Access Management: from 6.5.0 through 7.2.0. | Apr 14, 2023 |
| CVE-2022-24670(opens NVD record) | High | 7.1 | An attacker can use the unrestricted LDAP queries to determine configuration entries | Oct 27, 2022 |
| CVE-2022-24669(opens NVD record) | Medium | 6.5 | It may be possible to gain some details of the deployment through a well-crafted attack. This may allow that data to be used to probe internal network services. | Oct 27, 2022 |
| CVE-2021-4201(opens NVD record) | Critical | 9.6 | Missing access control in ForgeRock Access Management 7.1.0 and earlier versions on all platforms allows remote unauthenticated attackers to hijack sessions, including potentially admin-level sessions. This issue affects: ForgeRock Access Management 7.1 versions prior to 7.1.1; 6.5 versions prior to 6.5.4; all previous versions. | Feb 14, 2022 |
| CVE-2021-37154(opens NVD record) | Critical | 9.8 | In ForgeRock Access Management (AM) before 7.0.2, the SAML2 implementation allows XML injection, potentially enabling a fraudulent SAML 2.0 assertion. | Aug 25, 2021 |
| CVE-2021-37153(opens NVD record) | Critical | 9.8 | ForgeRock Access Management (AM) before 7.0.2, when configured with Active Directory as the Identity Store, has an authentication-bypass issue. | Aug 25, 2021 |
| CVE-2021-35464(opens NVD record) | Critical | 9.8 | ForgeRock AM server before 7.0 has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. The exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted /ccversion/* request to the server. The vulnerability exists due to the usage of Sun ONE Application Framework (JATO) found in versions of Java 8 or earlier | Jul 22, 2021 |
9 CVEs · 1 product families