Description
Missing access control in ForgeRock Access Management 7.1.0 and earlier versions on all platforms allows remote unauthenticated attackers to hijack sessions, including potentially admin-level sessions. This issue affects: ForgeRock Access Management 7.1 versions prior to 7.1.1; 6.5 versions prior to 6.5.4; all previous versions.
References (1)
Patch, Vendor Advisory: https://backstage.forgerock.com/knowledge/kb/article/a50037155#x7ZPA0
Scores
CVSS v3: 9.6
EPSS: 0.0195
EPSS Percentile: 77.6%
Attack Vector: NETWORK
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Details
CWE: CWE-284, CWE-287
Status: published
Products (20)
forgerock/access_management 5.5.2
forgerock/access_management 6.0.0
forgerock/access_management 6.0.0.1
forgerock/access_management 6.0.0.2
forgerock/access_management 6.0.0.3
forgerock/access_management 6.0.0.4
forgerock/access_management 6.0.0.6
forgerock/access_management 6.0.0.7
forgerock/access_management 6.5.0
forgerock/access_management 6.5.0.1
... and 10 more
Published: Feb 14, 2022
Tracked Since: Feb 18, 2026