OpenAM (Open Source Edition) vulnerable to authentication bypass


OpenAM (Open Source Edition) contains an authentication bypass vulnerability.

Yasushi Iwakata of Open Source Solution Technology Corporation reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity

CVSS V3 Severity:
Base Metrics 6.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low
CVSS V2 Severity:
Base Metrics 6.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: Single Instance
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products

Open Source Solution Technology Corporation
  • OpenAM (Open Source Edition)

This vulnerability may affect systems where OpenAM (all versions of the open source edition) is configured as a SAML 2.0 IdP and is set to switch authentication methods according to the type of AuthnContext requested by the service provider.

A user may bypass login authentication and access contents for which permissions are not granted.
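The affected configuration is an IdP that chooses its authentication method from the AuthnContext the service provider asks for. The advisory does not describe the flaw itself, so the example below is not OpenAM's code and does not reproduce the bug; it is an added illustration of the fail-closed pattern a defender wants at that decision point: the IdP extracts RequestedAuthnContext from the AuthnRequest, maps each AuthnContextClassRef through an explicit allow-list, refuses unknown class refs and unsupported Comparison modes instead of falling through to another chain, and records which context it actually satisfied so the issued assertion can state it. The policy table, chain names, issuer URL and the sample requests are constructed for the demonstration; in production parse untrusted XML with a hardened parser such as defusedxml rather than xml.etree directly.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Hypothetical IdP policy (an assumption, not OpenAM configuration): the
# AuthnContext class refs an SP may request and the local authentication
# chain each one selects. A ref that is not listed is refused rather than
# mapped to some other chain.
CONTEXT_TO_CHAIN = {
    AC + "PasswordProtectedTransport": "ldapService",
    AC + "TimeSyncToken": "totpService",
}
# Context used when the SP expresses no preference at all.
DEFAULT_CONTEXT = AC + "PasswordProtectedTransport"


class AuthnContextError(ValueError):
    """Raised when the request must be rejected instead of authenticated."""


def requested_class_refs(authn_request_xml):
    """Return (Comparison, [AuthnContextClassRef, ...]) from an AuthnRequest.

    Comparison is None when the request carries no RequestedAuthnContext.
    """
    root = ET.fromstring(authn_request_xml)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise AuthnContextError("not a SAML 2.0 AuthnRequest")
    rac = root.find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return None, []
    refs = [e.text.strip() for e in rac.findall("saml:AuthnContextClassRef", NS) if e.text]
    # Comparison defaults to "exact" when the attribute is absent.
    return rac.get("Comparison", "exact"), refs


def select_auth_chain(authn_request_xml, policy=CONTEXT_TO_CHAIN, default_context=DEFAULT_CONTEXT):
    """Pick (chain to run, class ref to assert), failing closed on anything unexpected."""
    comparison, refs = requested_class_refs(authn_request_xml)
    if comparison is None:
        return policy[default_context], default_context
    if comparison != "exact":
        # "minimum", "maximum" and "better" need ordering logic; refuse
        # rather than approximate them with a guess.
        raise AuthnContextError("unsupported Comparison %r" % comparison)
    if not refs:
        # e.g. only AuthnContextDeclRef elements, which this policy does not map
        raise AuthnContextError("RequestedAuthnContext without AuthnContextClassRef")
    for ref in refs:  # the SP lists class refs in order of preference
        if ref in policy:
            return policy[ref], ref
    raise AuthnContextError("no acceptable AuthnContextClassRef in %r" % refs)


def build_authn_request(class_refs=None, comparison="exact"):
    """Constructed sample AuthnRequest for the demonstration (not a real SP's)."""
    rac = ""
    if class_refs is not None:
        inner = "".join(
            "<saml:AuthnContextClassRef>%s</saml:AuthnContextClassRef>" % r for r in class_refs
        )
        rac = '<samlp:RequestedAuthnContext Comparison="%s">%s</samlp:RequestedAuthnContext>' % (
            comparison, inner)
    return (
        '<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_constructed-1" '
        'Version="2.0" IssueInstant="2017-11-01T00:00:00Z">'
        "<saml:Issuer>https://sp.example.invalid/metadata</saml:Issuer>%s</samlp:AuthnRequest>"
    ) % (NS["samlp"], NS["saml"], rac)


if __name__ == "__main__":
    samples = {
        "no preference": build_authn_request(),
        "TOTP requested": build_authn_request([AC + "TimeSyncToken"]),
        "unknown ref": build_authn_request([AC + "unspecified"]),
        "minimum comparison": build_authn_request([AC + "TimeSyncToken"], comparison="minimum"),
    }
    for label, req in samples.items():
        try:
            chain, ctx = select_auth_chain(req)
            print("%-20s -> run %s, assert %s" % (label, chain, ctx))
        except AuthnContextError as exc:
            print("%-20s -> REJECT (%s)" % (label, exc))
```

The two values `select_auth_chain` returns are deliberately separate: the chain is what the IdP runs, and the class ref is what it should later write into the assertion's AuthnStatement, so the SP is told which context was actually satisfied rather than simply echoed back what it asked for.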

[Apply the Patch]
A patch for this vulnerability has been released by Open Source Solution Technology Corporation.
Apply the patch according to the information provided by Open Source Solution Technology Corporation.
Vendor Information

  • Open Source Solution Technology Corporation
  • OGIS-RI Co.,Ltd.
CWE

  1. Improper Authentication (CWE-287) [IPA Evaluation]
CVE

  1. CVE-2017-10873

References

  1. JVN : JVN#79546124
  2. National Vulnerability Database (NVD) : CVE-2017-10873
Revision History

  • [2017/11/01]
      Web page was published
  • [2018/03/14]
      References : Content was added