Vulnerabilities related to OpenAM Consortium - OpenAM
jvndb-2018-000107
Vulnerability from jvndb
Published
2018-10-12 14:44
Modified
2019-09-26 18:10
Summary
OpenAM (Open Source Edition) vulnerable to session management
Details
OpenAM (Open Source Edition) contains a vulnerability in session management. Yasushi Iwakata of Open Source Solution Technology Corporation reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Impacted products
OpenAM Consortium: OpenAM


{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000107.html",
  "dc:date": "2019-09-26T18:10+09:00",
  "dcterms:issued": "2018-10-12T14:44+09:00",
  "dcterms:modified": "2019-09-26T18:10+09:00",
  "description": "OpenAM (Open Source Edition) contains a vulnerability in session management.\r\n\r\nYasushi Iwakata of Open Source Solution Technology Corporation reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
  "link": "https://jvndb.jvn.jp/en/contents/2018/JVNDB-2018-000107.html",
  "sec:cpe": {
    "#text": "cpe:/a:osstech:openam",
    "@product": "OpenAM",
    "@vendor": "OpenAM Consortium",
    "@version": "2.2"
  },
  "sec:cvss": [
    {
      "@score": "4.0",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
      "@version": "2.0"
    },
    {
      "@score": "5.0",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
      "@version": "3.0"
    }
  ],
  "sec:identifier": "JVNDB-2018-000107",
  "sec:references": [
    {
      "#text": "http://jvn.jp/en/jp/JVN49995005/index.html",
      "@id": "JVN#49995005",
      "@source": "JVN"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0696",
      "@id": "CVE-2018-0696",
      "@source": "CVE"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2018-0696",
      "@id": "CVE-2018-0696",
      "@source": "NVD"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-264",
      "@title": "Permissions(CWE-264)"
    }
  ],
  "title": "OpenAM (Open Source Edition) vulnerable to session management"
}

jvndb-2022-002367
Vulnerability from jvndb
Published
2022-09-16 15:30
Modified
2024-06-13 11:39
Summary
OpenAM (OpenAM Consortium Edition) vulnerable to open redirect
Details
OpenAM (OpenAM Consortium Edition) provided by OpenAM Consortium contains an open redirect vulnerability (CWE-601). OpenAM Consortium reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and OpenAM Consortium coordinated under the Information Security Early Warning Partnership.
Impacted products
OpenAM Consortium: OpenAM


{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-002367.html",
  "dc:date": "2024-06-13T11:39+09:00",
  "dcterms:issued": "2022-09-16T15:30+09:00",
  "dcterms:modified": "2024-06-13T11:39+09:00",
  "description": "OpenAM (OpenAM Consortium Edition) provided by OpenAM Consortium contains an open redirect vulnerability (CWE-601).\r\n\r\nOpenAM Consortium reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.\r\nJPCERT/CC and OpenAM Consortium coordinated under the Information Security Early Warning Partnership.",
  "link": "https://jvndb.jvn.jp/en/contents/2022/JVNDB-2022-002367.html",
  "sec:cpe": {
    "#text": "cpe:/a:osstech:openam",
    "@product": "OpenAM",
    "@vendor": "OpenAM Consortium",
    "@version": "2.2"
  },
  "sec:cvss": {
    "@score": "4.7",
    "@severity": "Medium",
    "@type": "Base",
    "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
    "@version": "3.0"
  },
  "sec:identifier": "JVNDB-2022-002367",
  "sec:references": [
    {
      "#text": "http://jvn.jp/en/vu/JVNVU99326969/index.html",
      "@id": "JVNVU#99326969",
      "@source": "JVN"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2022-31735",
      "@id": "CVE-2022-31735",
      "@source": "CVE"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2022-31735",
      "@id": "CVE-2022-31735",
      "@source": "NVD"
    },
    {
      "#text": "https://cwe.mitre.org/data/definitions/601.html",
      "@id": "CWE-601",
      "@title": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)(CWE-601)"
    }
  ],
  "title": "OpenAM (OpenAM Consortium Edition) vulnerable to open redirect"
}

jvndb-2023-001002
Vulnerability from jvndb
Published
2023-01-11 17:07
Modified
2023-01-11 17:07
Summary
OpenAM Web Policy Agent (OpenAM Consortium Edition) vulnerable to path traversal
Details
OpenAM Web Policy Agent (OpenAM Consortium Edition) provided by OpenAM Consortium parses URLs improperly, leading to a path traversal vulnerability (CWE-22). Furthermore, a crafted URL may be evaluated incorrectly. OpenAM Consortium reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and OpenAM Consortium coordinated under the Information Security Early Warning Partnership.
Impacted products
OpenAM Consortium: OpenAM


{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-001002.html",
  "dc:date": "2023-01-11T17:07+09:00",
  "dcterms:issued": "2023-01-11T17:07+09:00",
  "dcterms:modified": "2023-01-11T17:07+09:00",
  "description": "OpenAM Web Policy Agent (OpenAM Consortium Edition) provided by OpenAM Consortium parses URLs improperly, leading to a path traversal vulnerability (CWE-22).\r\nFurthermore, a crafted URL may be evaluated incorrectly.\r\n\r\nOpenAM Consortium reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.\r\nJPCERT/CC and OpenAM Consortium coordinated under the Information Security Early Warning Partnership.",
  "link": "https://jvndb.jvn.jp/en/contents/2023/JVNDB-2023-001002.html",
  "sec:cpe": {
    "#text": "cpe:/a:osstech:openam",
    "@product": "OpenAM",
    "@vendor": "OpenAM Consortium",
    "@version": "2.2"
  },
  "sec:cvss": [
    {
      "@score": "5.0",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
      "@version": "2.0"
    },
    {
      "@score": "7.5",
      "@severity": "High",
      "@type": "Base",
      "@vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "@version": "3.0"
    }
  ],
  "sec:identifier": "JVNDB-2023-001002",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/vu/JVNVU91740661/index.html",
      "@id": "JVNVU#91740661",
      "@source": "JVN"
    },
    {
      "#text": "https://www.cve.org/CVERecord?id=CVE-2023-22320",
      "@id": "CVE-2023-22320",
      "@source": "CVE"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2023-22320",
      "@id": "CVE-2023-22320",
      "@source": "NVD"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-22",
      "@title": "Path Traversal(CWE-22)"
    }
  ],
  "title": "OpenAM Web Policy Agent (OpenAM Consortium Edition) vulnerable to path traversal"
}

jvndb-2019-000007
Vulnerability from jvndb
Published
2019-02-06 15:45
Modified
2019-08-28 11:00
Summary
OpenAM (Open Source Edition) vulnerable to open redirect
Details
OpenAM (Open Source Edition) contains an open redirect vulnerability. Norihito Aimoto of Open Source Solution Technology Corporation reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developers.
Impacted products
OpenAM Consortium: OpenAM


{
  "@rdf:about": "https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000007.html",
  "dc:date": "2019-08-28T11:00+09:00",
  "dcterms:issued": "2019-02-06T15:45+09:00",
  "dcterms:modified": "2019-08-28T11:00+09:00",
  "description": "OpenAM (Open Source Edition) contains an open redirect vulnerability.\r\n\r\nNorihito Aimoto of Open Source Solution Technology Corporation reported this vulnerability to JPCERT/CC.\r\nJPCERT/CC coordinated with the developers.",
  "link": "https://jvndb.jvn.jp/en/contents/2019/JVNDB-2019-000007.html",
  "sec:cpe": {
    "#text": "cpe:/a:osstech:openam",
    "@product": "OpenAM",
    "@vendor": "OpenAM Consortium",
    "@version": "2.2"
  },
  "sec:cvss": [
    {
      "@score": "2.6",
      "@severity": "Low",
      "@type": "Base",
      "@vector": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
      "@version": "2.0"
    },
    {
      "@score": "3.4",
      "@severity": "Low",
      "@type": "Base",
      "@vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N",
      "@version": "3.0"
    }
  ],
  "sec:identifier": "JVNDB-2019-000007",
  "sec:references": [
    {
      "#text": "https://jvn.jp/en/jp/JVN43193964/index.html",
      "@id": "JVN#43193964",
      "@source": "JVN"
    },
    {
      "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5915",
      "@id": "CVE-2019-5915",
      "@source": "CVE"
    },
    {
      "#text": "https://nvd.nist.gov/vuln/detail/CVE-2019-5915",
      "@id": "CVE-2019-5915",
      "@source": "NVD"
    },
    {
      "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
      "@id": "CWE-20",
      "@title": "Improper Input Validation(CWE-20)"
    }
  ],
  "title": "OpenAM (Open Source Edition) vulnerable to open redirect"
}

CVE-2025-8662 (GCVE-0-2025-8662)
Vulnerability from cvelistv5
Published
2025-09-02 02:06
Modified
2025-09-03 14:36
Summary
OpenAM (OpenAM Consortium Edition) contains a vulnerability that may cause it to malfunction as a SAML IdP due to a tampered request. This issue affects OpenAM: from 14.0.0 through 14.0.1.
Impacted products
Vendor Product Version
OpenAM consortium | OpenAM | Version: 14.0.0 through 14.0.1


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-8662",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-02T16:04:51.396362Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-20",
                "description": "CWE-20 Improper Input Validation",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-03T14:36:15.486Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "OpenAM",
          "vendor": "OpenAM consortium",
          "versions": [
            {
              "lessThanOrEqual": "14.0.1",
              "status": "affected",
              "version": "14.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Hiromu Miyazaki (OSSTech Corporation)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eOpenAM (OpenAM Consortium Edition) contains a vulnerability that may cause it to malfunction as a SAML IdP due to a tampered request.\u003c/span\u003e\u003cp\u003eThis issue affects OpenAM: from 14.0.0 through 14.0.1.\u003c/p\u003e"
            }
          ],
          "value": "OpenAM (OpenAM Consortium Edition) contains a vulnerability that may cause it to malfunction as a SAML IdP due to a tampered request.This issue affects OpenAM: from 14.0.0 through 14.0.1."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 2.3,
            "baseSeverity": "LOW",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-02T02:06:20.806Z",
        "orgId": "37c6977f-aa3f-41e8-829b-3e8ff4df3c14",
        "shortName": "openam-jp"
      },
      "references": [
        {
          "url": "https://openam-jp.github.io/Advisories/CVE-2025-8662/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The OpenAM Consortium has released OpenAM 14.0.2, which addresses the vulnerability.\u003cbr\u003ePlease update to the released OpenAM version.\u003cbr\u003e"
            }
          ],
          "value": "The OpenAM Consortium has released OpenAM 14.0.2, which addresses the vulnerability.\nPlease update to the released OpenAM version."
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "37c6977f-aa3f-41e8-829b-3e8ff4df3c14",
    "assignerShortName": "openam-jp",
    "cveId": "CVE-2025-8662",
    "datePublished": "2025-09-02T02:06:20.806Z",
    "dateReserved": "2025-08-06T07:06:29.261Z",
    "dateUpdated": "2025-09-03T14:36:15.486Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2018-0696 (GCVE-0-2018-0696)
Vulnerability from cvelistv5
Published
2019-02-13 18:00
Modified
2024-08-05 03:35
CWE
  • Fails to manage sessions
Summary
OpenAM (Open Source Edition) 13.0 and later does not properly manage sessions, which allows remote authenticated attackers to change the security questions and reset the login password via unspecified vectors.
References
Impacted products
Vendor Product Version
OpenAM Consortium | OpenAM | Version: 13.0 and later


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T03:35:49.004Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "JVN#49995005",
            "tags": [
              "third-party-advisory",
              "x_refsource_JVN",
              "x_transferred"
            ],
            "url": "http://jvn.jp/en/jp/JVN49995005/index.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.cs.themistruct.com/report/wam20181012"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.osstech.co.jp/support/am2018-4-1-en"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "OpenAM",
          "vendor": "OpenAM Consortium",
          "versions": [
            {
              "status": "affected",
              "version": "13.0 and later"
            }
          ]
        }
      ],
      "datePublic": "2019-02-13T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "OpenAM (Open Source Edition) 13.0 and later does not properly manage sessions, which allows remote authenticated attackers to change the security questions and reset the login password via unspecified vectors."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Fails to manage sessions",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-02-13T17:57:01",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "name": "JVN#49995005",
          "tags": [
            "third-party-advisory",
            "x_refsource_JVN"
          ],
          "url": "http://jvn.jp/en/jp/JVN49995005/index.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.cs.themistruct.com/report/wam20181012"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.osstech.co.jp/support/am2018-4-1-en"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "vultures@jpcert.or.jp",
          "ID": "CVE-2018-0696",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "OpenAM",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "13.0 and later"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "OpenAM Consortium"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "OpenAM (Open Source Edition) 13.0 and later does not properly manage sessions, which allows remote authenticated attackers to change the security questions and reset the login password via unspecified vectors."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Fails to manage sessions"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "JVN#49995005",
              "refsource": "JVN",
              "url": "http://jvn.jp/en/jp/JVN49995005/index.html"
            },
            {
              "name": "https://www.cs.themistruct.com/report/wam20181012",
              "refsource": "MISC",
              "url": "https://www.cs.themistruct.com/report/wam20181012"
            },
            {
              "name": "https://www.osstech.co.jp/support/am2018-4-1-en",
              "refsource": "MISC",
              "url": "https://www.osstech.co.jp/support/am2018-4-1-en"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2018-0696",
    "datePublished": "2019-02-13T18:00:00",
    "dateReserved": "2017-11-27T00:00:00",
    "dateUpdated": "2024-08-05T03:35:49.004Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}