All the vulnerabilities related to OpenAM Consortium - OpenAM
jvndb-2019-000007
Vulnerability from jvndb
Published
2019-02-06 15:45
Modified
2019-08-28 11:00
Summary
OpenAM (Open Source Edition) vulnerable to open redirect
Details
OpenAM (Open Source Edition) contains an open redirect vulnerability.
Norihito Aimoto of Open Source Solution Technology Corporation reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developers.
References
▼ | Type | URL |
---|---|---|
JVN | https://jvn.jp/en/jp/JVN43193964/index.html | |
CVE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5915 | |
NVD | https://nvd.nist.gov/vuln/detail/CVE-2019-5915 | |
Improper Input Validation(CWE-20) | https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html |
Impacted products
▼ | Vendor | Product |
---|---|---|
OpenAM Consortium | OpenAM |
{ "@rdf:about": "https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000007.html", "dc:date": "2019-08-28T11:00+09:00", "dcterms:issued": "2019-02-06T15:45+09:00", "dcterms:modified": "2019-08-28T11:00+09:00", "description": "OpenAM (Open Source Edition) contains an open redirect vulnerability.\r\n\r\nNorihito Aimoto of Open Source Solution Technology Corporation reported this vulnerability to JPCERT/CC.\r\nJPCERT/CC coordinated with the developers.", "link": "https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000007.html", "sec:cpe": { "#text": "cpe:/a:osstech:openam", "@product": "OpenAM", "@vendor": "OpenAM Consortium", "@version": "2.2" }, "sec:cvss": [ { "@score": "2.6", "@severity": "Low", "@type": "Base", "@vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N", "@version": "2.0" }, { "@score": "3.4", "@severity": "Low", "@type": "Base", "@vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N", "@version": "3.0" } ], "sec:identifier": "JVNDB-2019-000007", "sec:references": [ { "#text": "https://jvn.jp/en/jp/JVN43193964/index.html", "@id": "JVN#43193964", "@source": "JVN" }, { "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5915", "@id": "CVE-2019-5915", "@source": "CVE" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2019-5915", "@id": "CVE-2019-5915", "@source": "NVD" }, { "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html", "@id": "CWE-20", "@title": "Improper Input Validation(CWE-20)" } ], "title": "OpenAM (Open Source Edition) vulnerable to open redirect" }
jvndb-2023-001002
Vulnerability from jvndb
Published
2023-01-11 17:07
Modified
2023-01-11 17:07
Summary
OpenAM Web Policy Agent (OpenAM Consortium Edition) vulnerable to path traversal
Details
OpenAM Web Policy Agent (OpenAM Consortium Edition) provided by OpenAM Consortium parses URLs improperly, leading to a path traversal vulnerability (CWE-22).
Furthermore, a crafted URL may be evaluated incorrectly.
OpenAM Consortium reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
JPCERT/CC and OpenAM Consortium coordinated under the Information Security Early Warning Partnership.
References
Impacted products
▼ | Vendor | Product |
---|---|---|
OpenAM Consortium | OpenAM |
{ "@rdf:about": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-001002.html", "dc:date": "2023-01-11T17:07+09:00", "dcterms:issued": "2023-01-11T17:07+09:00", "dcterms:modified": "2023-01-11T17:07+09:00", "description": "OpenAM Web Policy Agent (OpenAM Consortium Edition) provided by OpenAM Consortium parses URLs improperly, leading to a path traversal vulnerability (CWE-22).\r\nFurthermore, a crafted URL may be evaluated incorrectly.\r\n\r\nOpenAM Consortium reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.\r\nJPCERT/CC and OpenAM Consortium coordinated under the Information Security Early Warning Partnership.", "link": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-001002.html", "sec:cpe": { "#text": "cpe:/a:osstech:openam", "@product": "OpenAM", "@vendor": "OpenAM Consortium", "@version": "2.2" }, "sec:cvss": [ { "@score": "5.0", "@severity": "Medium", "@type": "Base", "@vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "@version": "2.0" }, { "@score": "7.5", "@severity": "High", "@type": "Base", "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "@version": "3.0" } ], "sec:identifier": "JVNDB-2023-001002", "sec:references": [ { "#text": "https://jvn.jp/en/vu/JVNVU91740661/index.html", "@id": "JVNVU#91740661", "@source": "JVN" }, { "#text": "https://www.cve.org/CVERecord?id=CVE-2023-22320", "@id": "CVE-2023-22320", "@source": "CVE" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-22320", "@id": "CVE-2023-22320", "@source": "NVD" }, { "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html", "@id": "CWE-22", "@title": "Path Traversal(CWE-22)" } ], "title": "OpenAM Web Policy Agent (OpenAM Consortium Edition) vulnerable to path traversal" }
jvndb-2018-000107
Vulnerability from jvndb
Published
2018-10-12 14:44
Modified
2019-09-26 18:10
Summary
OpenAM (Open Source Edition) vulnerable to session management
Details
OpenAM (Open Source Edition) contains a vulnerability in session management.
Yasushi Iwakata of Open Source Solution Technology Corporation reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
References
Impacted products
▼ | Vendor | Product |
---|---|---|
OpenAM Consortium | OpenAM |
{ "@rdf:about": "https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000107.html", "dc:date": "2019-09-26T18:10+09:00", "dcterms:issued": "2018-10-12T14:44+09:00", "dcterms:modified": "2019-09-26T18:10+09:00", "description": "OpenAM (Open Source Edition) contains a vulnerability in session management.\r\n\r\nYasushi Iwakata of Open Source Solution Technology Corporation reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.", "link": "https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000107.html", "sec:cpe": { "#text": "cpe:/a:osstech:openam", "@product": "OpenAM", "@vendor": "OpenAM Consortium", "@version": "2.2" }, "sec:cvss": [ { "@score": "4.0", "@severity": "Medium", "@type": "Base", "@vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "@version": "2.0" }, { "@score": "5.0", "@severity": "Medium", "@type": "Base", "@vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "@version": "3.0" } ], "sec:identifier": "JVNDB-2018-000107", "sec:references": [ { "#text": "http://jvn.jp/en/jp/JVN49995005/index.html", "@id": "JVN#49995005", "@source": "JVN" }, { "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0696", "@id": "CVE-2018-0696", "@source": "CVE" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2018-0696", "@id": "CVE-2018-0696", "@source": "NVD" }, { "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html", "@id": "CWE-264", "@title": "Permissions(CWE-264)" } ], "title": "OpenAM (Open Source Edition) vulnerable to session management" }
jvndb-2022-002367
Vulnerability from jvndb
Published
2022-09-16 15:30
Modified
2024-06-13 11:39
Summary
OpenAM (OpenAM Consortium Edition) vulnerable to open redirect
Details
OpenAM (OpenAM Consortium Edition) provided by OpenAM Consortium contains an open redirect vulnerability (CWE-601).
OpenAM Consortium reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
JPCERT/CC and OpenAM Consortium coordinated under the Information Security Early Warning Partnership.
References
▼ | Type | URL |
---|---|---|
JVN | http://jvn.jp/en/vu/JVNVU99326969/index.html | |
CVE | https://www.cve.org/CVERecord?id=CVE-2022-31735 | |
NVD | https://nvd.nist.gov/vuln/detail/CVE-2022-31735 | |
URL Redirection to Untrusted Site ('Open Redirect')(CWE-601) | https://cwe.mitre.org/data/definitions/601.html |
Impacted products
▼ | Vendor | Product |
---|---|---|
OpenAM Consortium | OpenAM |
{ "@rdf:about": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-002367.html", "dc:date": "2024-06-13T11:39+09:00", "dcterms:issued": "2022-09-16T15:30+09:00", "dcterms:modified": "2024-06-13T11:39+09:00", "description": "OpenAM (OpenAM Consortium Edition) provided by OpenAM Consortium contains an open redirect vulnerability (CWE-601).\r\n\r\nOpenAM Consortium reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.\r\nJPCERT/CC and OpenAM Consortium coordinated under the Information Security Early Warning Partnership.", "link": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-002367.html", "sec:cpe": { "#text": "cpe:/a:osstech:openam", "@product": "OpenAM", "@vendor": "OpenAM Consortium", "@version": "2.2" }, "sec:cvss": { "@score": "4.7", "@severity": "Medium", "@type": "Base", "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", "@version": "3.0" }, "sec:identifier": "JVNDB-2022-002367", "sec:references": [ { "#text": "http://jvn.jp/en/vu/JVNVU99326969/index.html", "@id": "JVNVU#99326969", "@source": "JVN" }, { "#text": "https://www.cve.org/CVERecord?id=CVE-2022-31735", "@id": "CVE-2022-31735", "@source": "CVE" }, { "#text": "https://nvd.nist.gov/vuln/detail/CVE-2022-31735", "@id": "CVE-2022-31735", "@source": "NVD" }, { "#text": "https://cwe.mitre.org/data/definitions/601.html", "@id": "CWE-601", "@title": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)(CWE-601)" } ], "title": "OpenAM (OpenAM Consortium Edition) vulnerable to open redirect" }
cve-2018-0696
Vulnerability from cvelistv5
Published
2019-02-13 18:00
Modified
2024-08-05 03:35
Summary
OpenAM (Open Source Edition) 13.0 and later does not properly manage sessions, which allows remote authenticated attackers to change the security questions and reset the login password via unspecified vectors.
References
▼ | URL | Tags |
---|---|---|
http://jvn.jp/en/jp/JVN49995005/index.html | third-party-advisory, x_refsource_JVN | |
https://www.cs.themistruct.com/report/wam20181012 | x_refsource_MISC | |
https://www.osstech.co.jp/support/am2018-4-1-en | x_refsource_MISC |
Impacted products
▼ | Vendor | Product |
---|---|---|
OpenAM Consortium | OpenAM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T03:35:49.004Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "JVN#49995005", "tags": [ "third-party-advisory", "x_refsource_JVN", "x_transferred" ], "url": "http://jvn.jp/en/jp/JVN49995005/index.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.cs.themistruct.com/report/wam20181012" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.osstech.co.jp/support/am2018-4-1-en" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "OpenAM", "vendor": "OpenAM Consortium", "versions": [ { "status": "affected", "version": "13.0 and later" } ] } ], "datePublic": "2019-02-13T00:00:00", "descriptions": [ { "lang": "en", "value": "OpenAM (Open Source Edition) 13.0 and later does not properly manage sessions, which allows remote authenticated attackers to change the security questions and reset the login password via unspecified vectors." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Fails to manage sessions", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-02-13T17:57:01", "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert" }, "references": [ { "name": "JVN#49995005", "tags": [ "third-party-advisory", "x_refsource_JVN" ], "url": "http://jvn.jp/en/jp/JVN49995005/index.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.cs.themistruct.com/report/wam20181012" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.osstech.co.jp/support/am2018-4-1-en" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "vultures@jpcert.or.jp", "ID": "CVE-2018-0696", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "OpenAM", "version": { "version_data": [ { "version_value": "13.0 and later" } ] } } ] }, "vendor_name": "OpenAM Consortium" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "OpenAM (Open Source Edition) 13.0 and later does not properly manage sessions, which allows remote authenticated attackers to change the security questions and reset the login password via unspecified vectors." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Fails to manage sessions" } ] } ] }, "references": { "reference_data": [ { "name": "JVN#49995005", "refsource": "JVN", "url": "http://jvn.jp/en/jp/JVN49995005/index.html" }, { "name": "https://www.cs.themistruct.com/report/wam20181012", "refsource": "MISC", "url": "https://www.cs.themistruct.com/report/wam20181012" }, { "name": "https://www.osstech.co.jp/support/am2018-4-1-en", "refsource": "MISC", "url": "https://www.osstech.co.jp/support/am2018-4-1-en" } ] } } } }, "cveMetadata": { "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "cveId": "CVE-2018-0696", "datePublished": "2019-02-13T18:00:00", "dateReserved": "2017-11-27T00:00:00", "dateUpdated": "2024-08-05T03:35:49.004Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }