Show filters
1 Total Results
Displaying 1-1 of 1
Sort by:
Attacker Value
Very High

Pre-auth RCE in ForgeRock Access Manager (CVE-2021-35464)

Disclosure Date: July 22, 2021 (last updated October 07, 2023)
ForgeRock AM server before 7.0 has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. The exploitation does not require authentication, and remote code execution can be triggered by sending a single crafted /ccversion/* request to the server. The vulnerability exists due to the usage of Sun ONE Application Framework (JATO) found in versions of Java 8 or earlier