OpenAM (Open Source Edition) vulnerable to open redirect


OpenAM (Open Source Edition) contains an open redirect vulnerability.

Norihito Aimoto of Open Source Solution Technology Corporation reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developers.
CVSS Severity

CVSS V3 Severity:
Base Metrics 3.4 (Low) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 2.6 (Low) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products

OpenAM Consortium
  • OpenAM (Open Source Edition) 13.0

According to Open Source Solution Technology Corporation, OpenAM (Open Source Edition) 9 and 11 are not affected by this vulnerability.

When accessing a specially crafted page, a user may be redirected to an arbitrary website. Because the URL the user initially follows points at the trusted OpenAM host, the change of site is easy to miss, and the user may become a victim of a phishing attack.
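The following is an added example, not code from OpenAM or from this advisory, showing the shape of an open redirect on a login page and one way to validate the return URL so that only destinations on the application's own hosts are accepted. It assumes a hypothetical `goto` query parameter that names the post-login destination and the constructed host names `sso.trusted.example` and `app.trusted.example`; the insufficient `naive_is_safe` check is a generic illustration of the class of bug, not a description of the OpenAM defect.

```python
"""Return-URL validation for a login page (added example, not OpenAM code).

Assumptions, none of which come from the advisory: the login endpoint takes a
hypothetical ``goto`` parameter naming where to send the user after
authentication, and the only legitimate destinations are relative paths on
this host or absolute https URLs on hosts listed in ALLOWED_HOSTS.
"""
from typing import Optional
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"sso.trusted.example", "app.trusted.example"}  # constructed
DEFAULT_TARGET = "/"


def naive_is_safe(target: str) -> bool:
    """An insufficient check of the kind that produces open redirects: it only
    asks whether a trusted host name appears somewhere in the string, so
    'https://evil.example/?x=sso.trusted.example' passes."""
    return any(host in target for host in ALLOWED_HOSTS)


def is_safe_redirect(target: str) -> bool:
    """Accept only '/path' on this host or https://<allowed host>[:443]/..."""
    # Reject control characters and whitespace before parsing. Browsers strip
    # some of them (tab, CR, LF), so a parser that keeps them may disagree with
    # the browser about where the scheme or host ends.
    if not target or any(ord(c) < 0x21 or ord(c) > 0x7E for c in target):
        return False
    try:
        parts = urlsplit(target)
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return False
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: must be a single-slash path. "//host/..." and
        # "/\host/..." are network-path references, i.e. another origin.
        return target.startswith("/") and target[1:2] not in ("/", "\\")
    if parts.scheme != "https":
        # Covers http:, javascript:, data:, and "https:evil.example", which
        # parses with an https scheme but no netloc (hostname is None).
        return False
    if port not in (None, 443):
        return False
    # Compare the parsed, lowercased hostname with userinfo and port removed,
    # so "https://sso.trusted.example@evil.example/" (userinfo trick) and
    # "https://sso.trusted.example.evil.example/" (suffix trick) both fail.
    return parts.hostname in ALLOWED_HOSTS


def resolve_goto(goto: Optional[str]) -> str:
    """Choose the post-login destination, falling back to DEFAULT_TARGET
    whenever the supplied value does not pass validation."""
    if goto is not None and is_safe_redirect(goto):
        return goto
    return DEFAULT_TARGET


if __name__ == "__main__":
    for candidate in ("/profile", "//evil.example/", "https:evil.example",
                      "https://sso.trusted.example@evil.example/"):
        print(f"{candidate!r:50} naive={naive_is_safe(candidate)!s:5} "
              f"strict={is_safe_redirect(candidate)}")
```

The strict check deliberately compares the parsed hostname for exact membership rather than doing substring or prefix matching on the raw string, treats any relative reference beginning with `//` or `/\` as cross-origin, and refuses input containing control characters so that its parse cannot diverge from the browser's. Whatever the shape of the actual defect, the fix for OpenAM 13.0 itself is the vendor patch referenced below.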

[Apply the Patch]
A patch for this vulnerability has been released by OpenAM Consortium.
Apply the patch according to the information provided by OpenAM Consortium.
Vendor Information

  • OpenAM Consortium
  • Open Source Solution Technology Corporation
CWE

  1. Improper Input Validation (CWE-20) [IPA Evaluation]
CVE

  1. CVE-2019-5915

References

  1. JVN : JVN#43193964
  2. National Vulnerability Database (NVD) : CVE-2019-5915
Revision History

  • [2019/02/06]
      Web page was published
  • [2019/08/28]
      References : Content was added