CVE-2023-37471

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-37471
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-37471.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-37471
Aliases
Published
2023-07-20T17:15:10Z
Modified
2024-05-15T01:17:26.817380Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

Open Access Management (OpenAM) is an access management solution that includes Authentication, SSO, Authorization, Federation, Entitlements and Web Services Security. OpenAM up to and including version 14.7.2 does not properly validate the signature of SAML responses received as part of the SAMLv1.x Single Sign-On process. An attacker can exploit this to impersonate any OpenAM user, including the administrator, by sending a specially crafted SAML response to the SAMLPOSTProfileServlet servlet. This problem has been patched in OpenAM 14.7.3-SNAPSHOT and later. Users unable to upgrade should comment out the SAMLPOSTProfileServlet servlet in their pom file. See the linked GHSA for details.
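The class of check the advisory says was missing, as an added illustration written for this page in Java (it is not OpenAM's code and not the 14.7.3 patch): a service-provider-side verifier that refuses a SAML Response unless it carries exactly one enveloped XML Signature over the Response element itself, verified with a pinned IdP public key rather than with whatever KeyInfo the sender supplied. The element names, the `urn:example:saml1-toy` namespace, the `ID` attribute name and the key pairs generated in `main` are assumptions made for the demonstration; real SAML 1.x responses use the OASIS protocol and assertion namespaces and an IdP certificate taken from metadata. The `signedResponse` helper plays the IdP so the example runs offline; `main` then feeds the verifier a genuine response plus three forgeries of the kind the advisory describes (tampered subject, signature stripped, signed with a key the SP does not trust).

```java
import java.io.ByteArrayInputStream;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class SamlResponseSignatureCheck {
    // Assumed toy namespace; real SAML 1.x uses urn:oasis:names:tc:SAML:1.0:protocol / :assertion.
    static final String NS = "urn:example:saml1-toy";
    static final XMLSignatureFactory FAC = XMLSignatureFactory.getInstance("DOM");

    static DocumentBuilderFactory hardenedParser() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);                                                    // required for XML-DSig
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);  // no DTDs, no XXE
        return dbf;
    }

    /** Returns the asserted subject only if the Response carries exactly one valid enveloped
     *  signature over itself, verified with the pinned IdP key; otherwise throws. */
    static String verifiedSubject(String xml, PublicKey idpKey) throws Exception {
        Document doc = hardenedParser().newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        Element resp = doc.getDocumentElement();
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        // Check 1: an unsigned response is rejected, never treated as "nothing to verify".
        if (sigs.getLength() != 1)
            throw new SecurityException("expected exactly one Signature, found " + sigs.getLength());
        Element sigEl = (Element) sigs.item(0);
        // Check 2: the signature must be a direct child of the element we act on (enveloped),
        // not tucked inside some other element the attacker added (signature wrapping).
        if (sigEl.getParentNode() != resp) throw new SecurityException("Signature is not enveloped in Response");
        // Check 3: verify with the key we trust; any KeyInfo the sender included is ignored.
        DOMValidateContext vc = new DOMValidateContext(idpKey, sigEl);
        vc.setIdAttributeNS(resp, null, "ID");   // let "#<id>" references resolve after re-parsing
        vc.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        XMLSignature sig = FAC.unmarshalXMLSignature(vc);
        if (!sig.validate(vc)) throw new SecurityException("signature or digest invalid");
        // Check 4: the single Reference must cover this Response's own ID, not some other node.
        String expectedUri = "#" + resp.getAttribute("ID");
        if (sig.getSignedInfo().getReferences().size() != 1
                || !expectedUri.equals(sig.getSignedInfo().getReferences().get(0).getURI()))
            throw new SecurityException("Reference does not cover the Response element");
        return resp.getElementsByTagNameNS(NS, "NameIdentifier").item(0).getTextContent();
    }

    /** Test fixture standing in for the IdP: build and sign a toy Response (assumed shape). */
    static String signedResponse(String subject, KeyPair idp) throws Exception {
        Document doc = hardenedParser().newDocumentBuilder().newDocument();
        Element resp = doc.createElementNS(NS, "Response");
        resp.setAttribute("ID", "_resp1");
        resp.setIdAttribute("ID", true);
        Element name = doc.createElementNS(NS, "NameIdentifier");
        name.setTextContent(subject);
        resp.appendChild(name);
        doc.appendChild(resp);
        Reference ref = FAC.newReference("#_resp1", FAC.newDigestMethod(DigestMethod.SHA256, null),
                Collections.singletonList(FAC.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)),
                null, null);
        SignedInfo si = FAC.newSignedInfo(
                FAC.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
                FAC.newSignatureMethod(SignatureMethod.RSA_SHA256, null), Collections.singletonList(ref));
        DOMSignContext dsc = new DOMSignContext(idp.getPrivate(), resp);
        dsc.setDefaultNamespacePrefix("ds");
        FAC.newXMLSignature(si, null).sign(dsc);   // no KeyInfo on purpose: the SP must use its pinned key
        StringWriter sw = new StringWriter();
        TransformerFactory.newInstance().newTransformer().transform(new DOMSource(doc), new StreamResult(sw));
        return sw.toString();                      // serialize so the verifier parses "wire" bytes
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair idp = kpg.generateKeyPair();       // assumed: the key the SP has pinned from metadata
        KeyPair attacker = kpg.generateKeyPair();  // assumed: a key the SP has never trusted
        String good = signedResponse("alice", idp);
        System.out.println("genuine response: accepted as " + verifiedSubject(good, idp.getPublic()));
        String[][] forgeries = {
            {"tampered subject",      good.replace("alice", "amadmin")},
            {"signature stripped",    good.replaceAll("<ds:Signature[\\s\\S]*</ds:Signature>", "")},
            {"signed by attacker key", signedResponse("amadmin", attacker)},
        };
        for (String[] f : forgeries) {
            try { System.out.println(f[0] + ": ACCEPTED as " + verifiedSubject(f[1], idp.getPublic())); }
            catch (SecurityException e) { System.out.println(f[0] + ": rejected (" + e.getMessage() + ")"); }
        }
    }
}
```

Compile and run with `javac SamlResponseSignatureCheck.java && java SamlResponseSignatureCheck` on JDK 11 or later (it uses `SignatureMethod.RSA_SHA256` from the standard `javax.xml.crypto.dsig` API). The design point is that each of the four checks closes a different shortcut: accepting unsigned responses, accepting a signature placed anywhere in the document, accepting a signature made with whatever key the attacker embedded in KeyInfo, and accepting a signature whose Reference covers an element other than the one the SP acts on. A verifier that only asks "does the signature validate?" passes at least the third of those.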

References

Affected packages

Git / github.com/openidentityplatform/openam

Affected ranges

Type
GIT
Repo
https://github.com/openidentityplatform/openam
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

11.*

11.0.0

12.*

12.0.0

13.*

13.0.0
13.0.0-RC1
13.0.0-RC10
13.0.0-RC2
13.0.0-RC3
13.0.0-RC4
13.0.0-RC5
13.0.0-RC6
13.0.0-RC7
13.0.0-RC8
13.0.0-RC9

14.*

14.0.0
14.0.0-M1
14.0.0-M2
14.0.1
14.0.2
14.0.3
14.0.4
14.0.5
14.0.6
14.1.1
14.1.10
14.1.11
14.1.12
14.1.13
14.1.16
14.1.17
14.1.2
14.1.3
14.1.4
14.1.5
14.1.6
14.1.7
14.1.8
14.1.9
14.2.1
14.2.2
14.3.1
14.4.1
14.4.2
14.5.1
14.5.2
14.5.3
14.5.4
14.6.1
14.6.2
14.6.3
14.6.4
14.6.5
14.6.6
14.7.0
14.7.1
14.7.2

release/14.*

release/14.0.0-M6
release/14.0.0-M7