Security Advisory
ForgeRock Identity Platform
Does not apply to Identity Cloud

AM Security Advisory #202205

Last updated Aug 8, 2022

A security misconfiguration has been reported that exposes a blank or empty REST API Explorer to unauthenticated users, even when the REST API Explorer has been disabled.


Identity Cloud customers

This security advisory only applies to software deployments of the ForgeRock Identity Platform. All relevant mitigations from this advisory have already been applied to ForgeRock Identity Cloud.

July 27, 2022

A security vulnerability has been reported in supported versions of AM. This vulnerability affects versions 7.x and 6.x, and could be present in older unsupported versions.

The maximum severity of issues in this advisory is Medium.

Note

The advice is to mitigate this issue by blocking access to the /api path at the web tier, changing file permissions, or renaming certain files. Currently, a patch does not exist. However, ForgeRock is working on producing a permanent fix.

Details about this vulnerability are deliberately kept to a minimum to protect your deployments and prevent someone trying to exploit them in the field. Please do not ask for steps to reproduce for the same reasons.

For mitigation instructions, please raise a ticket via Backstage.
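A post-mitigation check, added here as an example and not part of the ForgeRock advisory or of AM itself: it requests the /api path the note above refers to without any credentials and reports whether the server or the web tier in front of it still serves it. Both the bare path and the trailing-slash form are probed, because a proxy rule written for the exact path can miss the other form. The base URL, the assumption that the explorer sits directly under the deployment context at /api, and the status-code mapping are all assumptions; a deployment that answers with a redirect needs the redirect target inspected by hand.

```shell
#!/bin/sh
# Added example; not ForgeRock code. Assumes the AM deployment URL is given in
# AM_BASE (for instance https://am.example.com/am, a made-up host) and that the
# REST API Explorer is reached at AM_BASE/api, as the advisory's note implies.

# classify_status: map an HTTP status code from an unauthenticated request to a
# verdict. Any 2xx means the page (or an empty shell of it) is still reachable.
classify_status() {
  case "$1" in
    2[0-9][0-9])   echo "EXPOSED" ;;
    401|403|404)   echo "BLOCKED" ;;
    3[0-9][0-9])   echo "REDIRECT" ;;     # inspect the Location header manually
    000)           echo "UNREACHABLE" ;;  # curl could not connect at all
    *)             echo "UNKNOWN" ;;
  esac
}

# probe_path: fetch a path with no cookies or headers and print only the status
# code. -s silences progress output; -o discards the body; no -L so that a
# redirect is reported rather than followed.
probe_path() {
  base="$1"; path="$2"
  curl -s -o /dev/null -w '%{http_code}' --max-time 10 "${base}${path}"
}

# check_explorer: probe /api and /api/ and succeed only if both are blocked.
check_explorer() {
  base="$1"
  result=0
  for path in /api /api/; do
    status="$(probe_path "$base" "$path")"
    verdict="$(classify_status "$status")"
    printf '%s%s -> HTTP %s (%s)\n' "$base" "$path" "$status" "$verdict"
    [ "$verdict" = "BLOCKED" ] || result=1
  done
  return "$result"
}

# Usage: AM_BASE=https://am.example.com/am sh check_api_explorer.sh
# Exit status 0 means both forms of the path were refused to an anonymous client.
if [ -n "${AM_BASE:-}" ]; then
  check_explorer "$AM_BASE"
fi
```

Run it from outside the network perimeter the mitigation is meant to enforce; a BLOCKED verdict from inside the data centre says nothing about what an Internet client sees. A REDIRECT verdict is not a pass: follow the Location header once, unauthenticated, and classify that response.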

Issue #202205-01 Broken Access Control

Affected versions: AM (all supported versions, and possibly older unsupported versions)
Fixed versions: None; mitigation must be applied
Component: Core Server
Severity: Medium

Description:

A security misconfiguration has been reported that exposes a blank or empty REST API Explorer to unauthenticated users, even when the REST API Explorer is disabled.

Workaround:

Access to the REST API Explorer should be prevented in a production environment.

Resolution:

Implement one of the mitigations provided by ForgeRock Support. Please raise a ticket via Backstage to contact ForgeRock Support.

Change Log

The following table tracks changes to the security advisory:

Date  Description
August 8, 2022 Minor change to the description to clarify that this is an issue regardless of whether the API Explorer is enabled or disabled.
July 22, 2022 Initial release

Copyright and Trademarks Copyright © 2022 ForgeRock, all rights reserved.