Home > Vulnerability Database > CVE-2023-37471

Mend.io Vulnerability Database

CVE-2023-37471

Good to know:

Date: July 20, 2023

Open Access Management (OpenAM) is an access management solution that includes Authentication, SSO, Authorization, Federation, Entitlements and Web Services Security. OpenAM up to version 14.7.2 does not properly validate the signature of SAML responses received as part of the SAMLv1.x Single Sign-On process. Attackers can use this fact to impersonate any OpenAM user, including the administrator, by sending a specially crafted SAML response to the SAMLPOSTProfileServlet servlet. This problem has been patched in OpenAM 14.7.3-SNAPSHOT and later. User unable to upgrade should comment servlet `SAMLPOSTProfileServlet` from their pom file. See the linked GHSA for details.

Language: Java

Severity Score

8.6

Related Resources (5)

Url: https://github.com/OpenIdentityPlatform/OpenAM/pull/624

Url: https://github.com/OpenIdentityPlatform/OpenAM/security/advisories/GHSA-4mh8-9wq6-rjxg

Url: https://github.com/OpenIdentityPlatform/OpenAM/commit/7c18543d126e8a567b83bb4535631825aaa9d742

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-37471

Url: https://www.mend.io/vulnerability-database/CVE-2023-37471

Severity Score

8.6

Weakness Type (CWE)

Authentication Issues

CWE-287

CVSS v3.1

Base Score:	8.6
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-37471

Good to know:

Date: July 20, 2023

Language: Java

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?