CVE-2021-4201

Summary

Missing access control in ForgeRock Access Management 7.1.0 and earlier versions on all platforms allows remote unauthenticated attackers to hijack sessions, including potentially admin-level sessions. This issue affects: ForgeRock Access Management 7.1 versions prior to 7.1.1; 6.5 versions prior to 6.5.4; all previous versions.

Affected Software

VendorProductVersion RangeStatus
ForgeRockAccess Management7.1 < 7.1.1affected
ForgeRockAccess Management6.5 < 6.5.4affected

Weaknesses

  • CWE-284: CWE-284 Improper Access Control

Workarounds

Block access to the following endpoints: /authservice /sessionservice /profileservice /policyservice /namingservice /loggingservice

ADP Enrichment

CVE Program Container

Additional References

References