Published:2022/09/15  Last Updated:2022/09/15

JVNVU#99326969
OpenAM (OpenAM Consortium Edition) vulnerable to open redirect

Overview

OpenAM (OpenAM Consortium Edition) contains an open redirect vulnerability.

Products Affected

  • OpenAM (OpenAM Consortium Edition) 14.0.0

Description

OpenAM (OpenAM Consortium Edition) provided by OpenAM Consortium contains an open redirect vulnerability (CWE-601).

Impact

A user who accesses an affected server through a specially crafted URL may be redirected to an arbitrary website chosen by the attacker. As a result, the user may become the victim of a phishing attack (for example, a fake login page shown after an apparently legitimate sign-on to the trusted server).
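The redirect pattern described above, and the check that closes it, as an added example (this is not code from OpenAM or from the advisory, which does not identify the affected parameter or endpoint): a post-login handler that forwards the user to whatever a redirect parameter names, beside one that accepts only a same-site path or an allowlisted host. The parameter name `goto`, the host allowlist and the test URLs are all constructed for illustration.

```python
"""Redirect-target validation against an open redirect (CWE-601).

Assumed names for the example: the redirect parameter is called "goto",
and the deployment serves the two hosts in ALLOWED_HOSTS. None of this
comes from the advisory.
"""
from urllib.parse import urlsplit

# Constructed allowlist: the hosts this deployment legitimately serves.
ALLOWED_HOSTS = {"sso.example.com", "idp.example.com"}
DEFAULT_TARGET = "/"


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if target is a same-site path or an allowlisted host."""
    if not target:
        return False
    # Browsers silently strip ASCII tab/newline and tolerate other control
    # characters; reject them outright instead of trying to normalise.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return False
    # Browsers treat a backslash like a slash, so "/\evil.example" is
    # parsed as "//evil.example" (a scheme-relative URL to another host).
    if "\\" in target:
        return False
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: allow a single-slash absolute path only.
        # "//host" is scheme-relative and would leave the site.
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme not in ("http", "https"):
        # javascript:, data:, and friends are never redirect targets.
        return False
    # .hostname is lowercased and has userinfo and port stripped, so
    # "https://sso.example.com@evil.example/" yields "evil.example" and
    # "https:evil.example" (no authority) yields None.
    host = parts.hostname
    if host is None:
        return False
    # Exact match: "sso.example.com.evil.example" must not pass.
    return host in allowed_hosts


def vulnerable_choose_redirect(params: dict) -> str:
    """'Before': the handler trusts the parameter verbatim (open redirect)."""
    return params.get("goto", DEFAULT_TARGET)


def choose_redirect(params: dict) -> str:
    """'After': fall back to a fixed default unless the target passes the check."""
    target = params.get("goto", "")
    return target if is_safe_redirect(target) else DEFAULT_TARGET


if __name__ == "__main__":
    # Constructed inputs an attacker might put in a crafted login URL.
    for goto in ["/console/",
                 "https://sso.example.com/console",
                 "https://evil.example/login",
                 "//evil.example/login",
                 "/\\evil.example",
                 "https://sso.example.com@evil.example/",
                 "https://sso.example.com.evil.example/",
                 "javascript:alert(1)"]:
        print(f"{goto!r:45} vulnerable -> {vulnerable_choose_redirect({'goto': goto})!r:45} "
              f"fixed -> {choose_redirect({'goto': goto})!r}")
```

The allowlist compares the parsed hostname only, so any port on an allowed host is accepted; if a deployment pins a single scheme and port, compare `parts.scheme` and `parts.port` as well. Matching must be exact on the host rather than a prefix or substring, and the fallback on rejection is a fixed in-site path, never the untrusted value with "fixes" applied.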

Solution

Apply the Patch
Apply the patch according to the information provided by the developer.

Vendor Status

Vendor: OSSTech Corporation
Status: Vulnerable
Last Update: 2022/09/15
Vendor Notes: OSSTech Corporation website
Vendor Link
OpenAM consortium issue#259: Open Redirect Vulnerability

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
Base Score: 4.7
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): Required (R)
Scope (S): Changed (C)
Confidentiality Impact (C): None (N)
Integrity Impact (I): Low (L)
Availability Impact (A): None (N)

Credit

OpenAM Consortium reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
JPCERT/CC and OpenAM Consortium coordinated under the Information Security Early Warning Partnership.

Other Information

CVE: CVE-2022-31735
JVN iPedia

Update History

2022/09/15
OSSTech Corporation update status