Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information. Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
OpenAM allows use of arbitrary OIDC requested claims values in id_token and user_info
Vulnerability Description
Open Access Management (OpenAM) is an access management solution. In versions prior to 16.0.0, if the "claims_parameter_supported" setting is enabled, the "oidc-claims-extension.groovy" script lets a requester inject a value of their choice into a claim carried in the id_token or returned by the userinfo endpoint. In the request to the authorize endpoint, the OIDC "claims" parameter carries a JSON object; the attacker supplies a "value" member for a claim in that object and the script copies it into the claims returned in the id_token and the userinfo response instead of resolving the claim from the authoritative user record. The impact depends on how relying parties consume claims. For example, if a client relies on the email claim to identify a user, an attacker can choose any email address and therefore assume any identity of their choosing. Version 16.0.0 fixes the issue.
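The following is an added example, not OpenAM's own code or its claims script: it models the OIDC "claims" request parameter (OIDC Core section 5.5) and contrasts a resolver that echoes a requested "value" into the token with one that treats "value"/"values" only as matching constraints and always reads the claim from the user store. The endpoint URLs, client_id, nonce and the user record are constructed for the demonstration.

```python
"""Model of OIDC 'claims' parameter handling: vulnerable vs hardened claim resolution.

Illustrative code written for this page; it is not OpenAM's oidc-claims-extension.groovy.
"""
import json
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample user store standing in for the OP's authoritative identity data.
USER_STORE = {
    "alice": {"sub": "alice", "email": "alice@example.com", "given_name": "Alice"},
}


def build_authorize_url(authorize_endpoint, client_id, redirect_uri, nonce, claims):
    """Build an OIDC authorize request carrying a 'claims' JSON object."""
    params = {
        "response_type": "id_token",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid email",
        "nonce": nonce,
        "claims": json.dumps(claims, separators=(",", ":")),
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def parse_requested_claims(url):
    """Decode the 'claims' parameter from an authorize URL.

    Returns {} when the parameter is absent, not valid JSON, or not a JSON object.
    """
    raw = parse_qs(urlsplit(url).query).get("claims", [None])[0]
    if raw is None:
        return {}
    try:
        parsed = json.loads(raw)
    except ValueError:
        return {}
    return parsed if isinstance(parsed, dict) else {}


def _section(requested, target):
    """Return the 'id_token' or 'userinfo' sub-object, or {} if missing/malformed."""
    section = requested.get(target)
    return section if isinstance(section, dict) else {}


def resolve_claims_vulnerable(user, requested, target):
    """Vulnerable pattern: a requested 'value' is copied straight into the output."""
    out = {"sub": user["sub"]}
    for name, spec in _section(requested, target).items():
        if isinstance(spec, dict) and "value" in spec:
            out[name] = spec["value"]          # attacker-controlled, never checked
        elif name in user:
            out[name] = user[name]
    return out


def resolve_claims_hardened(user, requested, target):
    """Hardened pattern: claims come only from the user store.

    A requested 'value' or 'values' list only decides whether the claim is emitted
    (when the authoritative value matches) and whether an essential claim that
    cannot be satisfied fails the request.
    """
    out = {"sub": user["sub"]}
    for name, spec in _section(requested, target).items():
        actual = user.get(name)
        essential = isinstance(spec, dict) and bool(spec.get("essential"))
        if actual is None:
            if essential:
                raise ValueError(f"essential claim {name!r} unavailable")
            continue
        if isinstance(spec, dict):
            wanted = spec.get("values") if isinstance(spec.get("values"), list) else None
            if "value" in spec:
                wanted = [spec["value"]]
            if wanted is not None and actual not in wanted:
                if essential:
                    raise ValueError(f"essential claim {name!r} does not match")
                continue
        out[name] = actual
    return out


if __name__ == "__main__":
    attack = {"id_token": {"email": {"value": "admin@example.com"}}}
    url = build_authorize_url("https://op.example.com/oauth2/authorize", "demo-client",
                              "https://rp.example.com/cb", "n-0S6_WzA2Mj", attack)
    req = parse_requested_claims(url)
    print("vulnerable:", resolve_claims_vulnerable(USER_STORE["alice"], req, "id_token"))
    print("hardened:  ", resolve_claims_hardened(USER_STORE["alice"], req, "id_token"))
```

Running the block shows the vulnerable resolver issuing `email: admin@example.com` for the user alice, while the hardened resolver omits the email claim because the requested value does not match the stored one. The same logic applies to the userinfo response; the relying party cannot distinguish the two tokens, which is why the fix has to be on the OP side.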
CVSS Information
N/A
Vulnerability Type
Improper Neutralization of Special Elements in Output (Injection)
Vulnerability Title
OpenAM injection vulnerability
Vulnerability Description
OpenAM is an all-in-one access management solution from the OpenAM Consortium, providing authentication, authorization and federation capabilities. Open Access Management (OpenAM) versions prior to 16.0.0 contain an injection vulnerability: when the claims_parameter_supported setting is enabled, arbitrary claim values can be injected through the OIDC claims request parameter, which may lead to identity forgery.
CVSS Information
N/A
Vulnerability Type
N/A