40: AM session vulnerability - Githubissues

OpenBankingToolkit / openbanking-reference-implementation

ForgeRock OpenBanking Reference Implementation is an example of how you can bundle all the micro-services together to create an Open Banking eco-system

Apache License 2.0

7 stars 4 forks source link

40: AM session vulnerability #470

Closed jsanhc closed 3 years ago

jsanhc commented 3 years ago

changes

Added new OpenAM war version that fix the below security issue:
- Removed vulnerable endpoints
- Reference: https://wikis.forgerock.org/confluence/pages/viewpage.action?spaceKey=SA&title=15+Sept+2021+-+AM+Session+Vulnerability Issue: https://github.com/OpenBankingToolkit/openbanking-toolkit/issues/40

Description

In all versions of AM there is a session hijacking vulnerability that allows anyone to take control of an active session in AM. This means any AM admin console or user session can be spoofed.

Impacted Areas in Application

List general components of the application that this PR will affect:

AM (local environment)