[Japanese]

JVNDB-2019-000007

OpenAM (Open Source Edition) vulnerable to open redirect

Overview

OpenAM (Open Source Edition) contains an open redirect vulnerability.

Norihito Aimoto of Open Source Solution Technology Corporation reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developers.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 3.4 (Low) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 2.6 (Low) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products


OpenAM Consortium
  • OpenAM (Open Source Edition) 13.0

According to Open Source Solution Technology Corporation, OpenAM (Open Source Edition) 9 and 11 are not affected by this vulnerability.
Impact

When accessing a specially crafted page, the user may be redirected to an arbitrary website. As a result, the user may become a victim of a phishing attack.
Solution

[Apply the Patch]
Patch for this vulnerability has been released by OpenAM Consortium.
Apply the patch according to the information provided by OpenAM Consortium.
Vendor Information

OpenAM Consortium Open Source Solution Technology Corporation
CWE (What is CWE?)

  1. Improper Input Validation(CWE-20) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2019-5915
References

  1. JVN : JVN#43193964
  2. National Vulnerability Database (NVD) : CVE-2019-5915
Revision History

  • [2019/02/06]
      Web page was published
  • [2019/08/28]
      References : Content was added

Date Public2019/02/06
Date First Published2019/02/06
Date Last Updated2019/08/28