Résumé
OpenAM Authenticated Server-Side Request Forgery (SSRF) via `/sessionservice`
Détails de l’avis
OpenAM (Open Identity Platform) is an open-source Identity and Access Management (IAM) platform derived from ForgeRock OpenAM, providing SSO, OAuth2, SAML, and OpenID Connect capabilities. It is widely deployed in enterprise environments as a central authentication gateway.
The /sessionservice endpoint, used for internal session management operations, does not sufficiently restrict the URLs that authenticated users may register for session event notifications. Under certain conditions, this may result in outbound server-side requests to attacker-controlled destinations, potentially exposing session-related data.
This behavior results in a server-side request forgery (SSRF) vulnerability, where an authenticated attacker can trigger outbound requests to arbitrary destinations.
Credit
Discovered by JD-Security SHENYI Team
Références
Vulnérabilités liées
Tout Supply chain →- HIGHCVE-2026-54353
@budibase/backend-core has potential SSRF DNS rebinding bypass in outbound fetch validation
- HIGHCVE-2026-48153
Budibase: SSRF via OAuth2 token endpoint URL reaches internal hosts and cloud metadata
- MEDIUMCVE-2026-47267
Gogs has SSRF in webhook deliveries
- MEDIUMCVE-2026-44583
Paymenter has Blind Unauthenticated SSRF on the Paypal gateway module
- HIGHCVE-2026-21887
OpenCTI has Semi-Blind SSRF via Unvalidated External URL in Data Ingestion Feature
- MEDIUMGHSA-h5rg-8p7f-47g2
SurrealDB: SSRF via JWKS URL — Redirect Following in JWT Key Fetch