CVE-2021-35464 — ForgeRock Access Management (AM) Core Server Remote Code Execution Vulnerability
2021-11-03 • CISA Known Exploited Vulnerability
ForgeRock Access Management (AM) Core Server allows an attacker who sends a specially crafted HTTP request to one of three endpoints (/ccversion/Version, /ccversion/Masthead, or /ccversion/ButtonFrame) to execute code in the context of the user account running AM. That account is root only if AM has been deployed as the root user, a configuration the vendor does not recommend.
> AFFECTED SOFTWARE
| Field | Value |
|---|---|
| Vendor | ForgeRock |
| Product | Access Management (AM) |
| CWE | CWE-502 |
| CVE ID | CVE-2021-35464 |
| Date Added | 2021-11-03 |
| Due Date | 2021-11-17 |
| Ransomware Campaign | Known — this vulnerability has been leveraged in ransomware campaigns |
> MITIGATION
Apply updates per vendor instructions.
Due Date: 2021-11-17