AM Security Advisory #202401

Last updated Mar 27, 2024

A security vulnerability has been discovered in supported versions of Access Management (AM). This vulnerability affects versions 7.2.0, 7.1.3, 7.0.2 and earlier, and could be present in older unsupported versions. You should secure your deployments at the earliest opportunity as outlined in this security advisory.

Identity Cloud customers

This security advisory only applies to software deployments of the ForgeRock Identity Platform. All relevant patches from this advisory have already been applied to the ForgeRock Identity Cloud.

March 27, 2024

A security vulnerability has been discovered in supported versions of AM. This vulnerability affects versions 7.2.0, 7.1.3, 7.0.2 and earlier, and could be present in older unsupported versions.

The maximum severity of issues in this advisory is High.

Note

The advice is to upgrade to the latest version to fix this issue. Alternatively, if that’s not possible at this time and you are on AM 7.0.x, you can apply the patch to mitigate this issue.

Details about this vulnerability are deliberately kept to a minimum to protect your deployments and prevent someone trying to exploit them in the field. Please do not ask for steps to reproduce for the same reasons.

You can download patches from Backstage for the following version:

See "How do I install a PingAM (AM) patch supplied by Ping support?" for further information on deploying the patch. If you have existing patches, please raise a ticket to obtain an updated patch.

Issue #202401-01 (CVE-2023-0582)

Affected versions: AM 7.2.0, AM 7.1.3, AM 7.0.2 and earlier (and perhaps older unsupported versions)
Fixed versions: AM 7.4.0, AM 7.3.0, AM 7.2.1, AM 7.1.4
Component: Core Server
Severity: High

Description:

A high severity Path Traversal (CWE-22) vulnerability has been discovered in supported versions of AM that could lead to unauthorized access.

Mitigation:

None.

Resolution:

Upgrade to a fixed version or deploy the relevant patch.

See Also

CWE-22 

CVE-2023-0582

Change Log

The following table tracks changes to the security advisory:

Date  Description
March 27, 2024 Initial release