CVE-2021-35464 – ForgeRock AM server 6.x before 7, and OpenAM 14.6.3, has a Java deserialization vulnerabil …

Vuln ID: CVE-2021-35464

Published: 2021-07-22 18:15:23Z

Description: ForgeRock AM server 6.x before 7, and OpenAM 14.6.3, has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages. Exploitation does not require authentication: remote code execution can be triggered by sending a single crafted /ccversion/Version request to the server. The vulnerability exists because of incorrect usage of the Sun ONE Application Framework (JATO).

Source: NVD.NIST.GOV
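The description above gives the request shape exactly: an unauthenticated request to /ccversion/Version carrying a jato.pageSession value that the server deserializes. The following Python is an added example, not code from NVD or ForgeRock, of detection logic run over web-server access-log lines: it flags requests to that endpoint that carry the parameter, and separately checks whether the parameter value decodes to a Java serialization stream (leading bytes 0xACED0005, which is "rO0AB" in base64). Assumptions not stated on the page: the combined Apache/Tomcat log format, a plain base64 parameter value (JATO's exact encoding is not given here), and the sample log lines, IPs and page paths, which are constructed for the example.

```python
"""Access-log detection for the CVE-2021-35464 request pattern (added example)."""
import base64
import binascii
import re
from urllib.parse import quote, unquote, urlsplit

JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"   # first four bytes of every Java serialization stream
TARGET_PATH = "/ccversion/Version"        # endpoint named in the CVE description
PARAM = "jato.pageSession"                # parameter named in the CVE description

# Apache/Tomcat "combined" access-log format (assumed; adapt the regex for other formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)


def split_query(query: str) -> dict:
    """Parse a query string without mapping '+' to space (base64 legitimately contains '+')."""
    out = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, val = pair.partition("=")
        out[unquote(key)] = unquote(val)
    return out


def looks_like_java_serialization(value: str) -> bool:
    """True if the value is base64 whose decoded bytes start with 0xACED0005."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return raw.startswith(JAVA_SERIAL_MAGIC)


def classify_target(target: str) -> dict:
    """Inspect one request target (path + query string) for CVE-2021-35464 indicators."""
    parts = urlsplit(target)
    params = split_query(parts.query)
    on_version_endpoint = parts.path.endswith(TARGET_PATH)
    has_param = PARAM in params
    serialized = has_param and looks_like_java_serialization(params[PARAM])
    if on_version_endpoint and has_param:
        severity = "high"    # exactly the request shape the CVE description gives
    elif serialized:
        # jato.pageSession on other pages may be legitimate JATO state (assumption);
        # surface it for review rather than alerting on it outright.
        severity = "review"
    else:
        severity = "none"
    return {"path": parts.path, "endpoint": on_version_endpoint,
            "param": has_param, "serialized": serialized, "severity": severity}


def scan_access_log(lines) -> list:
    """Return (line_number, client_ip, path, severity) for every line that is not 'none'."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue                      # unparseable line; a real pipeline would count these
        verdict = classify_target(m.group("target"))
        if verdict["severity"] != "none":
            hits.append((n, m.group("ip"), verdict["path"], verdict["severity"]))
    return hits


# Constructed sample: a Java stream header followed by filler bytes, NOT a gadget chain.
SAMPLE_BLOB = base64.b64encode(JAVA_SERIAL_MAGIC + b"sr\x00\x0bexample.Foo").decode()

# Constructed access-log lines; IPs, timestamps and the /task/Home path are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Jul/2021:18:15:23 +0000] "GET /openam/ccversion/Version?jato.pageSession='
    + quote(SAMPLE_BLOB, safe="") + ' HTTP/1.1" 200 512',
    '10.0.0.9 - - [22/Jul/2021:18:16:01 +0000] "GET /openam/ccversion/Version HTTP/1.1" 200 512',
    '10.0.0.7 - - [22/Jul/2021:18:17:44 +0000] "GET /openam/UI/Login?realm=/ HTTP/1.1" 200 2048',
    '10.0.0.8 - - [22/Jul/2021:18:18:10 +0000] "GET /openam/task/Home?jato.pageSession='
    + quote(SAMPLE_BLOB, safe="") + ' HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("line %d  %s  %s  %s" % hit)
```

Access logs only record the query string, so a POST body carrying jato.pageSession is invisible to this scan; the same classify_target logic applied at a reverse proxy or WAF covers that case. Only the combination of the /ccversion/Version path with the parameter matches the CVE description, which is why that alone is rated "high" and the parameter on other pages is rated "review".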