Published:2017/11/01 Last Updated:2017/11/01
JVN#79546124
OpenAM (Open Source Edition) vulnerable to authentication bypass
Overview
OpenAM (Open Source Edition) contains an authentication bypass vulnerability.
Products Affected
- OpenAM (Open Source Edition)
Description
OpenAM (Open Source Edition) contains an authentication bypass vulnerability.
Impact
A user may bypass login authentication and access contents for which permissions are not granted.
Solution
Apply the Patch
Patch for this vulnerabiity has been released by Open Source Solution Technology Corporation.
Apply the patch according to the information provided by Open Source Solution Technology Corporation.
Vendor Status
| Vendor | Status | Last Update | Vendor Notes |
|---|---|---|---|
| FUJITSU LIMITED | Not Vulnerable | 2017/11/01 | |
| OGIS-RI Co.,Ltd. | Vulnerable | 2017/11/01 | |
| Open Source Solution Technology Corporation | Vulnerable | 2017/11/01 | Open Source Solution Technology Corporation website |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
CVSS v3
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Base Score:
6.3
| Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
|---|---|---|---|---|
| Attack Complexity(AC) | High (H) | Low (L) | ||
| Privileges Required(PR) | High (H) | Low (L) | None (N) | |
| User Interaction(UI) | Required (R) | None (N) | ||
| Scope(S) | Unchanged (U) | Changed (C) | ||
| Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
| Integrity Impact(I) | None (N) | Low (L) | High (H) | |
| Availability Impact(A) | None (N) | Low (L) | High (H) |
CVSS v2
AV:N/AC:M/Au:S/C:P/I:P/A:P
Base Score:
6.0
| Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) |
|---|---|---|---|
| Access Complexity(AC) | High (H) | Medium (M) | Low (L) |
| Authentication(Au) | Multiple (M) | Single (S) | None (N) |
| Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) |
| Integrity Impact(I) | None (N) | Partial (P) | Complete (C) |
| Availability Impact(A) | None (N) | Partial (P) | Complete (C) |
Credit
Yasushi Iwakata of Open Source Solution Technology Corporation reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2017-10873 |
| JVN iPedia |
JVNDB-2017-000231 |
Update History
- 2017/11/01
- OGIS-RI Co.,Ltd. update status
- 2017/11/01
- Information under the section [Products Affected] was modified