AM Security Advisory #202205

Last updated Apr 18, 2023

AM 7.2.0, 7.1, 7, ...

A security misconfiguration has been reported that exposes a blank or empty REST API Explorer to unauthenticated users, even when the REST API Explorer has been disabled. You should secure your deployments at the earliest opportunity as outlined in this security advisory.

Identity Cloud customers

This security advisory only applies to software deployments of the ForgeRock Identity Platform. All relevant mitigations from this advisory have already been applied to ForgeRock Identity Cloud.

July 27, 2022

A security vulnerability has been reported in supported versions of AM. This vulnerability affects all current versions of AM, and could be present in older unsupported versions.

The maximum severity of issues in this advisory is Medium.

Note

The advice is to upgrade to the latest version to fix these issues. Alternatively, if that’s not possible at this time, you can apply the mitigation listed.

Details about this vulnerability are deliberately kept to a minimum to protect your deployments and to prevent someone from trying to exploit them in the field. Please do not ask for steps to reproduce, for the same reasons.

For mitigation instructions, please raise a ticket via Backstage.

Issue #202205-01 Broken Access Control

Affected versions:  AM (all supported versions, and possibly older unsupported versions)
Fixed versions:     AM 7.2.1, AM 7.3
Component:          Core Server
Severity:           Medium

Description:

A security misconfiguration has been reported that exposes a blank or empty REST API Explorer to unauthenticated users, even when the REST API Explorer is disabled.

Workaround:

Access to the REST API Explorer should be prevented in a production environment.

Resolution:

Implement one of the mitigations provided by ForgeRock Support. Please raise a ticket via Backstage to contact ForgeRock Support.

Change Log

The following table tracks changes to the security advisory:

Date            Description
April 18, 2023  Updated tags to improve search
April 5, 2023   Added fixed versions (AM 7.2.1, AM 7.3)
August 8, 2022  Minor change to the description to clarify that this is an issue regardless of whether the API Explorer is enabled or disabled
July 22, 2022   Initial release

Copyright © 2023 ForgeRock, all rights reserved.