ForgeRock Access Management Users – Update Now to Patch Critical Authentication Bypass Flaw

CVE: CVE-2023-0339
CVSS (v3.1): 9.1
Source: CVE-2023-0339

The popular identity management platform ForgeRock Access Management is affected by a critical vulnerability that could allow attackers to bypass authentication.

The vulnerability, tracked as CVE-2023-0339, has been given a CVSS severity score of 9.1 out of 10 due to how easily it could be exploited. It is a relative path traversal issue present in the ForgeRock Access Management Web Policy Agent in all versions up to and including 5.10.1.

A relative path traversal flaw occurs when an application fails to correctly sanitize user-supplied input containing path traversal sequences such as “../”. This allows an attacker to access files and directories outside the intended scope.

In this case, an attacker could send a specially crafted HTTP request containing such traversal sequences to bypass authentication and access restricted resources within ForgeRock Access Management without a valid login. This could lead to sensitive data exposure or even full system compromise.
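An added illustration of the flaw class the two paragraphs above describe, not ForgeRock's code and not the specific mechanics of CVE-2023-0339, which the article does not detail: a naive prefix-based protected-URL check beside one that canonicalizes the request path before matching. The protected prefixes, request paths and function names are constructed for this example.

```python
"""Policy-style URL checks: naive prefix match versus canonicalize-then-match.

Constructed illustration of relative path traversal against an access check;
it is not ForgeRock's code and does not reproduce the actual advisory bug.
"""
import posixpath
import re
from urllib.parse import unquote

# Hypothetical protected URL prefixes for the illustration.
PROTECTED_PREFIXES = ("/admin", "/api/internal")


def is_protected_naive(request_path: str) -> bool:
    """Vulnerable: matches the raw request path. A '..' segment or
    percent-encoding makes the path look unprotected here while the backend
    still resolves it inside the protected tree."""
    return any(request_path.startswith(p) for p in PROTECTED_PREFIXES)


def canonicalize(request_path: str, max_decode_rounds: int = 3) -> str:
    """Drop the query string, percent-decode until stable (bounded so nested
    encoding cannot loop forever), collapse repeated slashes, then resolve
    '.' and '..' segments the way the backend will."""
    path = request_path.split("?", 1)[0]
    for _ in range(max_decode_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = re.sub(r"/+", "/", path)
    if not path.startswith("/"):
        path = "/" + path
    # normpath resolves dot segments; the leading slash absorbs excess '..'.
    return posixpath.normpath(path)


def is_protected_hardened(request_path: str) -> bool:
    """Match on the canonical path and only at a segment boundary, so
    '/adminpanel' is not mistaken for '/admin'."""
    path = canonicalize(request_path)
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)


if __name__ == "__main__":
    # Constructed requests: a plain protected URL, then the same resource
    # reached through traversal, encoded traversal and double-encoded traversal.
    for req in ("/admin/users", "/public/../admin/users",
                "/public/%2e%2e/admin/users", "/public/%252e%252e/admin/users"):
        print(f"{req:36} naive={is_protected_naive(req)!s:5} "
              f"hardened={is_protected_hardened(req)}")
```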

All ForgeRock Access Management users are strongly recommended to upgrade to the latest version immediately to patch this vulnerability. Administrators should also carefully review the authentication and authorization configurations to ensure no other vulnerabilities exist. Applying the latest software updates as soon as possible is the best way to protect against exploitation of known issues.
