PT-2019-7969 · Forgerock · Access Management, Forgerock Access Management

Published 2019-06-19 · Updated 2019-06-21 · CVE-2017-14394

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
ForgeRock Access Management (OpenAM) versions 13.5.0 through 13.5.1
Access Management (AM) versions 5.0.0 through 5.1.1
Description
The OAuth 2.0 Authorization Server does not correctly validate the redirect_uri parameter for some invalid requests. An attacker can craft an authorization request that causes the server to redirect the victim's browser to an attacker-controlled URL (an unvalidated redirect), which lends itself to phishing because the redirect originates from the trusted authorization server's domain.
Recommendations
For ForgeRock Access Management (OpenAM) versions 13.5.0 through 13.5.1 and Access Management (AM) versions 5.0.0 through 5.1.1, update the software to a version that correctly validates the redirect URI. As a temporary workaround, consider restricting use of the OAuth 2.0 Authorization Server until a patch is available.
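The defect class behind this advisory is an authorization endpoint that reaches an error path before it has checked redirect_uri, and then sends the error response to whatever URI the request supplied. The following Python is an added illustration of that pattern and of the corrected ordering; it is constructed for this page and is not ForgeRock's code, and the client registry, the `authorize_vulnerable` / `authorize_fixed` functions and the placeholder authorization code are assumptions made for the example. The fixed handler follows RFC 6749 section 4.1.2.1: when redirect_uri is missing, malformed or not registered, the server informs the user agent directly and never redirects; only after the URI has been matched exactly against the client's registration may an error be redirected.

```python
"""Constructed example (not ForgeRock code): an OAuth 2.0 authorization
endpoint with the redirect_uri check in the wrong place, beside a version
that validates redirect_uri before any other processing."""
from urllib.parse import urlencode, urlsplit

# Hypothetical client registry; a real server loads this from storage.
REGISTERED_CLIENTS = {
    "webapp": {"redirect_uris": {"https://app.example.com/callback"}},
}
SUPPORTED_RESPONSE_TYPES = {"code", "token"}
PLACEHOLDER_CODE = "authz-code-demo"  # stands in for a freshly issued code


def error_redirect(redirect_uri, error, state=None):
    """302 carrying the OAuth error back to redirect_uri (only safe if the
    URI has already been validated against the client's registration)."""
    query = {"error": error}
    if state is not None:
        query["state"] = state
    sep = "&" if urlsplit(redirect_uri).query else "?"
    location = f"{redirect_uri}{sep}{urlencode(query)}"
    return {"status": 302, "headers": {"Location": location}, "body": ""}


def success_redirect(redirect_uri, state=None):
    """302 delivering the authorization code to the validated redirect_uri."""
    query = {"code": PLACEHOLDER_CODE}
    if state is not None:
        query["state"] = state
    sep = "&" if urlsplit(redirect_uri).query else "?"
    location = f"{redirect_uri}{sep}{urlencode(query)}"
    return {"status": 302, "headers": {"Location": location}, "body": ""}


def error_page(error):
    """Tell the user agent directly and do not redirect (RFC 6749 4.1.2.1)."""
    return {"status": 400, "headers": {}, "body": f"error={error}"}


def redirect_uri_is_registered(client_id, redirect_uri):
    """Exact string match against the client's registered URIs; prefix or
    host-only matching is a common way this bug class gets reintroduced."""
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None or not redirect_uri:
        return False
    if urlsplit(redirect_uri).fragment:  # fragments are not allowed
        return False
    return redirect_uri in client["redirect_uris"]


def authorize_vulnerable(params):
    """Defect: response_type is validated first, and its error response is
    redirected to a redirect_uri that nobody has checked yet."""
    redirect_uri = params.get("redirect_uri", "")
    state = params.get("state")
    if params.get("response_type") not in SUPPORTED_RESPONSE_TYPES:
        # Open redirect: attacker-controlled Location on an invalid request.
        return error_redirect(redirect_uri, "unsupported_response_type", state)
    if not redirect_uri_is_registered(params.get("client_id"), redirect_uri):
        return error_page("invalid_request")
    return success_redirect(redirect_uri, state)


def authorize_fixed(params):
    """Fix: establish that redirect_uri belongs to client_id before any other
    validation; until then every failure is answered in place, not redirected."""
    redirect_uri = params.get("redirect_uri", "")
    state = params.get("state")
    if not redirect_uri_is_registered(params.get("client_id"), redirect_uri):
        return error_page("invalid_request")
    # redirect_uri is now trusted, so later errors may be redirected to it.
    if params.get("response_type") not in SUPPORTED_RESPONSE_TYPES:
        return error_redirect(redirect_uri, "unsupported_response_type", state)
    return success_redirect(redirect_uri, state)


if __name__ == "__main__":
    # Constructed attack request: valid client_id, unregistered redirect_uri,
    # and a deliberately invalid response_type to force the error path.
    attack = {"client_id": "webapp", "redirect_uri": "https://evil.example/login",
              "response_type": "bogus", "state": "s1"}
    print("vulnerable:", authorize_vulnerable(attack))
    print("fixed:     ", authorize_fixed(attack))
```

The same request is a useful post-patch check against a real deployment: send an authorization request with a registered client_id, an unregistered redirect_uri and an invalid response_type, and confirm the server answers with an error page rather than a 302 whose Location is the URI you supplied.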

Weakness Enumeration

Open Redirect

Related identifiers

CVE-2017-14394

Affected products

Access Management
Forgerock Access Management