AM Security Advisory #202403

Last updated Mar 21, 2025

A security vulnerability has been discovered in supported versions of PingAM (formerly known as ForgeRock Access Management). This vulnerability affects all supported versions, and could be present in older unsupported versions. You should secure your deployments at the earliest opportunity as outlined in this security advisory.

PingOne Advanced Identity Cloud customers

This security advisory only applies to software deployments of the ForgeRock Identity Platform. All relevant patches from this advisory have already been applied to the PingOne Advanced Identity Cloud.

October 29, 2024

A security vulnerability has been discovered in supported versions of PingAM. This vulnerability affects versions from PingAM 7.0.0 up to and including PingAM 7.5.0 as well as older unsupported versions.

The highest severity of issues in this advisory is Medium.

Note

The advice is to upgrade to the latest version to fix these issues. Alternatively, if that’s not possible at this time, you can apply a workaround (if one is provided) or apply one of the patches to mitigate these issues.

Details about these vulnerabilities are deliberately kept to a minimum to protect your deployments and prevent someone trying to exploit them in the field. Please do not ask for steps to reproduce for the same reasons.

You can download patches from Backstage for the following versions:

See How do I install a PingAM (AM) patch supplied by Ping support? for further information on deploying the patch. If you have existing patches, please raise a ticket to obtain an updated patch.

Issue #202403-01 (CVE-2024-25566)

Affected versions: PingAM 7.0.0 up to and including PingAM 7.5.0 (and older unsupported versions)
Fixed versions: PingAM 7.5.1
Component: Core Server
Severity: Medium

Description:

An Open-Redirect vulnerability exists in PingAM where well-crafted requests may cause improper validation of redirect URLs. This could allow an attacker to redirect end users to malicious sites under their control, simplifying phishing attacks.

Workaround:

Block or filter access to the affected endpoints if not in use:

  • OAuthPwd.jsp, OAuthActivate.jsp (deprecated OAuth module endpoints)
  • wsfederation/jsp/ WSFederation endpoints
  • oauth2/authorize endpoint. The oauth2/authorize endpoint may be accessible even if OAuth2 is not configured. It is used in certain OAuth2/OIDC flows and by Java or Web Agents 5 and above.
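Because the workaround only applies to endpoints that are "not in use", it helps to measure real traffic before blocking anything. The following Python scanner is an added illustration, not part of the advisory or of Ping's tooling: it reads web-server access logs in the common combined format and counts requests that hit each endpoint listed above. The /am context root, the log format and the sample log lines are assumptions constructed for the example; adjust the patterns to your deployment.

```python
import re
from collections import Counter

# Endpoints named in the advisory workaround. Patterns are deployment-agnostic
# about the context root (assumed /am in the sample below).
AFFECTED_ENDPOINTS = {
    "OAuthPwd.jsp": re.compile(r"/OAuthPwd\.jsp(?:[/?]|$)"),
    "OAuthActivate.jsp": re.compile(r"/OAuthActivate\.jsp(?:[/?]|$)"),
    "wsfederation/jsp": re.compile(r"/wsfederation/jsp/"),
    # Matches /oauth2/authorize with or without realm path segments in between.
    "oauth2/authorize": re.compile(r"/oauth2(?:/[^/?\s]+)*/authorize(?:[/?]|$)"),
}

# Combined log format: client ident user [time] "METHOD path PROTO" status bytes
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def classify_path(path):
    """Return the name of the affected endpoint a request path hits, or None."""
    for name, pattern in AFFECTED_ENDPOINTS.items():
        if pattern.search(path):
            return name
    return None

def scan_access_log(lines):
    """Count requests per affected endpoint; also return (time, client, endpoint, status) rows."""
    counts, hits = Counter(), []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed or non-combined-format lines
        name = classify_path(m.group("path"))
        if name:
            counts[name] += 1
            hits.append((m.group("time"), m.group("client"), name, m.group("status")))
    return counts, hits

# Constructed sample log lines (not from any real deployment).
SAMPLE_LOG = """\
10.0.0.5 - - [20/Mar/2025:10:00:01 +0000] "GET /am/oauth2/realms/root/authorize?client_id=app HTTP/1.1" 302 0
10.0.0.7 - - [20/Mar/2025:10:00:02 +0000] "GET /am/OAuthPwd.jsp HTTP/1.1" 200 1234
10.0.0.9 - - [20/Mar/2025:10:00:03 +0000] "GET /am/json/realms/root/authenticate HTTP/1.1" 200 512
10.0.0.7 - - [20/Mar/2025:10:00:04 +0000] "GET /am/wsfederation/jsp/example.jsp HTTP/1.1" 200 800
10.0.0.5 - - [20/Mar/2025:10:00:05 +0000] "GET /am/oauth2/authorize?client_id=app HTTP/1.1" 302 0
"""

if __name__ == "__main__":
    counts, hits = scan_access_log(SAMPLE_LOG.splitlines())
    for name, n in counts.most_common():
        print(f"{name}: {n} request(s)")
    for row in hits:
        print(*row)
```

Endpoints with zero hits over a representative period are candidates for blocking at the reverse proxy; a non-zero count for oauth2/authorize indicates OAuth2/OIDC clients or agents that depend on it.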

Resolution:

Deploy the relevant patch bundle.

See Also:

Change Log

The following table tracks changes to the security advisory:

Date          Description
Dec 13, 2024  Added PingAM 7.5.1 as a fixed version
Jan 7, 2025   Added PingAM 7.3.2 as a fixed version
Copyright and Trademarks Copyright © 2025 ForgeRock, all rights reserved.