Vulnerability Description
The REST APIs in ForgeRock AM before 5.5.0 include SSOToken IDs as part of the URL, which allows attackers to obtain sensitive information by finding an ID value in a log file.
CVSS Score
6.5
MEDIUM
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Forgerock | Access Management | < 5.5.0 |
Related Weaknesses (CWE)
References
- https://backstage.forgerock.com/knowledge/kb/book/b21824339Vendor Advisory
- https://hansesecure.de/vulnerability-in-am/Third Party Advisory
- https://backstage.forgerock.com/knowledge/kb/book/b21824339Vendor Advisory
- https://hansesecure.de/vulnerability-in-am/Third Party Advisory
FAQ
What is CVE-2018-7272?
CVE-2018-7272 is a vulnerability with a CVSS score of 6.5 (MEDIUM). The REST APIs in ForgeRock AM before 5.5.0 include SSOToken IDs as part of the URL, which allows attackers to obtain sensitive information by finding an ID value in a log file.
How severe is CVE-2018-7272?
CVE-2018-7272 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-7272?
Check the references section above for vendor advisories and patch information. Affected products include: Forgerock Access Management.