Home > Vulnerability Database > CVE-2023-37471

Mend.io Vulnerability Database

CVE-2023-37471

Good to know:

Date: July 20, 2023

Open Access Management (OpenAM) is an access management solution that includes Authentication, SSO, Authorization, Federation, Entitlements and Web Services Security. OpenAM up to version 14.7.2 does not properly validate the signature of SAML responses received as part of the SAMLv1.x Single Sign-On process. Attackers can use this fact to impersonate any OpenAM user, including the administrator, by sending a specially crafted SAML response to the SAMLPOSTProfileServlet servlet. This problem has been patched in OpenAM 14.7.3-SNAPSHOT and later. User unable to upgrade should comment servlet "SAMLPOSTProfileServlet" from their pom file. See the linked GHSA for details.

Language: Java

Severity Score

9.1

Related Resources (6)

Url: https://github.com/OpenIdentityPlatform/OpenAM/pull/624

Url: https://github.com/OpenIdentityPlatform/OpenAM/commit/7c18543d126e8a567b83bb4535631825aaa9d742

Url: https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-4mh8-9wq6-rjxg

Url: https://github.com/OpenIdentityPlatform/OpenAM

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-37471

Url: https://www.mend.io/vulnerability-database/CVE-2023-37471

Severity Score

9.1

Weakness Type (CWE)

Improper Authentication

CWE-287

Top Fix

Upgrade Version

Upgrade to version org.openidentityplatform.openam:openam-federation-library:14.7.3

Learn More

CVSS v3.1

Base Score:	9.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2023-37471

Good to know:

Date: July 20, 2023

Language: Java

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?