CVE-2018-7272: AM 5.0.0, 5.1.0


CVE

CVE-2018-7272

Vulnerable Software

AM 5.0.0, 5.1.0

Vulnerability

Unauthorized Access

Time Line

  • 15.12.2017 Vendor informed
  • X.01.2018  Vendor patched flaw
  • 24.01.2018 Vendor released Security Advisory

Description

ForgeRock AM is vulnerable to unauthorized access. Token IDs are sent in HTTP GET requests, so they end up stored in several places, such as proxy logs and the local browser history. This could be abused by malicious administrators.
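The practical consequence of the flaw described above is that a session token in a query string is retained wherever request lines are written down. The following is an added example, not part of the advisory and not ForgeRock code: a small scanner that reads access-log lines, reports requests whose query string carries a token-like parameter, and produces a sanitized copy of the log with those values masked. It assumes Combined Log Format and a hypothetical list of parameter names (SENSITIVE_PARAMS); the log lines, paths and token value are constructed for the example.

```python
"""Detect and redact session tokens leaked through URL query strings in access logs.

Added example; assumptions not taken from the advisory:
  - log lines are in Combined Log Format,
  - a session token appears as a query-string parameter whose name is in
    SENSITIVE_PARAMS (hypothetical names, adjust to the product in use).
"""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Hypothetical parameter names that would carry a session token (case-insensitive).
SENSITIVE_PARAMS = {"tokenid", "token", "ssotoken", "session"}

# Combined Log Format: host ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log; paths and the token value are made up for the example.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Dec/2017:10:00:01 +0100] "GET /app/session/info?_action=idFromSession&tokenId=EXAMPLE-TOKEN-1234 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [15/Dec/2017:10:00:02 +0100] "GET /app/ui/index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [15/Dec/2017:10:00:03 +0100] "POST /app/session/validate?_action=validate HTTP/1.1" 200 128 "-" "curl/7.58"',
]


def find_leaks(line):
    """Return [(param_name, value), ...] for sensitive query parameters in one log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if k.lower() in SENSITIVE_PARAMS]


def redact_target(target):
    """Replace the value of every sensitive query parameter with REDACTED, keeping the rest of the URL."""
    parts = urlsplit(target)
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def scan(lines):
    """Scan log lines.

    Returns (findings, sanitized): findings is a list of
    (line_number, client_host, method, param_name) for every leaked token,
    sanitized is the log with token values masked, suitable for retention.
    """
    findings, sanitized = [], []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        leaks = find_leaks(line)
        if m and leaks:
            for k, _ in leaks:
                findings.append((n, m.group("host"), m.group("method"), k))
            # Only the request target changes; the rest of the line is kept as logged.
            line = line.replace(m.group("target"), redact_target(m.group("target")), 1)
        sanitized.append(line)
    return findings, sanitized


if __name__ == "__main__":
    found, clean = scan(SAMPLE_LOG)
    for n, host, method, param in found:
        print(f"line {n}: {method} from {host} carries token parameter '{param}'")
    print("\n".join(clean))
```

The same redaction can be applied at the log-writing side (proxy or web server) rather than after the fact, which is the stronger control; scanning retained logs as above tells you how much exposure already exists.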

Acknowledgement