JVNDB-2022-002367

OpenAM (OpenAM Consortium Edition) vulnerable to open redirect

Overview

OpenAM (OpenAM Consortium Edition) provided by OpenAM Consortium contains an open redirect vulnerability (CWE-601).

OpenAM Consortium reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
JPCERT/CC and OpenAM Consortium coordinated under the Information Security Early Warning Partnership.

CVSS Severity

CVSS V3 Severity:
Base Metrics 4.7 (Medium) (vector AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Affected Products

OpenAM Consortium
  • OpenAM (OpenAM Consortium Edition) 14.0.0

Impact

A user who opens a specially crafted URL that points at an affected server may be redirected to an arbitrary website chosen by the attacker. Because the crafted link itself points at the legitimate OpenAM server, the user is more likely to trust it, so the flaw can be used to lead users to a phishing site.
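The fix for this class of bug is to validate the redirect target before issuing the redirect. The following is an added illustration for this entry, not OpenAM code, and it does not reproduce the affected code path; the request parameter name, the allowed-host list and the sample inputs are assumptions constructed for the example. It shows the checks that a naive string-prefix test gets wrong: protocol-relative targets, backslash and control-character tricks, userinfo in the authority, and look-alike hostnames.

```python
"""Validate a post-login redirect target (CWE-601 hardening).

Added example written for this advisory; not OpenAM code. The allowed-host
list and every sample URL below are constructed for the demonstration.
"""
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Assumption: hosts the application may send a user to after login.
ALLOWED_HOSTS = {"sso.example.com", "app.example.com"}
DEFAULT_TARGET = "/"


def safe_redirect_target(raw: Optional[str],
                         allowed_hosts=ALLOWED_HOSTS,
                         default: str = DEFAULT_TARGET) -> str:
    """Return a redirect target that stays on the current site or an allowed host.

    Accepts either a same-site path ("/profile?x=1") or an absolute https URL
    whose host is in the allowlist; everything else falls back to `default`.
    A prefix test such as url.startswith("https://sso.example.com") is
    deliberately avoided because it is bypassed by
    https://sso.example.com.evil.example and https://sso.example.com@evil.example.
    """
    if not raw:
        return default

    # Browsers treat backslashes as slashes and ignore embedded tab/newline
    # characters, so normalise those before parsing; otherwise "/\evil.example"
    # or "/\t/evil.example" would pass a check that only looks for a leading "//".
    candidate = "".join(
        ch for ch in raw.replace("\\", "/")
        if not (ord(ch) < 0x20 or ord(ch) == 0x7F)
    ).strip()
    parts = urlsplit(candidate)

    if not parts.scheme and not parts.netloc:
        # Same-site relative reference: must start with exactly one "/".
        # urlsplit puts "//host" into netloc, so it never reaches this branch.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return urlunsplit(("", "", parts.path, parts.query, parts.fragment))
        return default

    # Absolute URL: require https, a well-formed port, and an allowlisted host.
    if parts.scheme.lower() != "https":
        return default
    try:
        port = parts.port
    except ValueError:  # e.g. "https://host:abc/"
        return default
    host = parts.hostname  # lower-cased; userinfo and port already removed
    if host is None or host not in allowed_hosts or port not in (None, 443):
        return default

    # Rebuild from components so userinfo, explicit port and odd formatting
    # are dropped and the user lands exactly where the allowlist says.
    return urlunsplit(("https", host, parts.path or "/", parts.query, parts.fragment))
```

Rebuilding the URL from its parsed components, rather than echoing the original string, is what drops a smuggled `user@` prefix or a non-standard port even when the hostname itself is acceptable. Restricting absolute targets to https is a design choice for this example; an application that must redirect to plain-http hosts should still key the decision on the parsed hostname, never on a string prefix.
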

Solution

[Apply the Patch]
Apply the patch according to the information provided by the developer.

Vendor Information

OpenAM Consortium

CWE

  1. URL Redirection to Untrusted Site ('Open Redirect') (CWE-601)

CVE

  1. CVE-2022-31735

References

  1. JVN : JVNVU#99326969
  2. National Vulnerability Database (NVD) : CVE-2022-31735
Revision History

  • [2022/09/16]
      Web page was published
  • [2024/06/13]
      References : Content was added