9.8

CVE-2021-4201

Missing access control in ForgeRock Access Management 7.1.0 and earlier versions on all platforms allows remote unauthenticated attackers to hijack sessions, including potentially admin-level sessions. This issue affects: ForgeRock Access Management 7.1 versions prior to 7.1.1; 6.5 versions prior to 6.5.4; all previous versions.

Data is provided by the National Vulnerability Database (NVD)
ForgerockAccess Management Version5.5.2
ForgerockAccess Management Version6.0.0
ForgerockAccess Management Version6.0.0.1
ForgerockAccess Management Version6.0.0.2
ForgerockAccess Management Version6.0.0.3
ForgerockAccess Management Version6.0.0.4
ForgerockAccess Management Version6.0.0.6
ForgerockAccess Management Version6.0.0.7
ForgerockAccess Management Version6.5.0
ForgerockAccess Management Version6.5.0.1
ForgerockAccess Management Version6.5.0.2
ForgerockAccess Management Version6.5.1
ForgerockAccess Management Version6.5.2.1
ForgerockAccess Management Version6.5.2.2
ForgerockAccess Management Version6.5.2.3
ForgerockAccess Management Version6.5.3
ForgerockAccess Management Version7.0.0
ForgerockAccess Management Version7.0.1
ForgerockAccess Management Version7.0.2
ForgerockAccess Management Version7.1.0
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 0.91% 0.738
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 7.5 10 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:P
psirt@forgerock.com 9.6 2.8 6
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.