WrenSecurity / openam-web-agents


CVE-2023-0339 and CVE-2023-22320 #3

Open pavelhoral opened 1 year ago

pavelhoral commented 1 year ago

Relative Path Traversal vulnerability in ForgeRock Access Management Web Policy Agent allows Authentication Bypass. This issue affects Access Management Web Policy Agent: all versions up to 5.10.1

Ref: https://nvd.nist.gov/vuln/detail/CVE-2023-0339

OpenAM Web Policy Agent (OpenAM Consortium Edition) provided by OpenAM Consortium parses URLs improperly, leading to a path traversal vulnerability (CWE-22). Furthermore, a crafted URL may be evaluated incorrectly.

Ref: https://nvd.nist.gov/vuln/detail/CVE-2023-22320

This project (i.e. Web Policy Agent) is in a limbo state at the moment as we have not touched it since the fork was created. This CVE needs to be addressed when we migrate it to Wren Security.
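As an added example (not code from the agent or this repository), the defensive core of the problem described above: the policy decision must be made on the canonical request path, so a URL that reaches a protected resource through dot segments or percent-encoding is judged by where it actually lands. The policy table and URLs are constructed for illustration.

```python
from urllib.parse import unquote, urlsplit

# Constructed policy table: the longest matching prefix wins,
# anything that matches nothing is denied.
POLICY = {
    "/public": "allow",
    "/admin": "deny",
}


def canonical_path(raw_url: str, max_decode_rounds: int = 3) -> str:
    """Return the normalized path the policy decision must be based on.

    Percent-decoding is repeated (bounded) so a doubly-encoded '..'
    cannot survive into the comparison, then dot segments are resolved
    the way the protected web server resolves them before serving.
    """
    path = urlsplit(raw_url).path
    for _ in range(max_decode_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue  # doubled slash or current-directory segment
        if seg == "..":
            if segments:
                segments.pop()  # never climbs above the root
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def evaluate(raw_url: str) -> tuple:
    """Decide on the canonical path; also report whether the raw path was disguised."""
    path = canonical_path(raw_url)
    # A path that changes under normalization is worth logging as a traversal attempt.
    traversal_seen = urlsplit(raw_url).path != path
    decision, best = "deny", -1  # default deny
    for prefix, action in POLICY.items():
        if (path == prefix or path.startswith(prefix + "/")) and len(prefix) > best:
            decision, best = action, len(prefix)
    return decision, path, traversal_seen
```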

karelmaxa commented 1 year ago

CVE-2023-22320 has been fixed in https://github.com/WrenSecurity/openam-web-agents/pull/4.