org.openidentityplatform.openam:openam-oauth2@14.8.1 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.openidentityplatform.openam:openam-oauth2 package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
Template Injection

Affected versions of this package are vulnerable to Template Injection in the getCustomLoginUrlTemplate() function. An attacker can inject templates containing executable elements into a custom URL on a malicious oauth2 proxy, and convince a user to visit it. To exploit this vulnerability the attacker must be in possession of a valid iPlanetDirectoryPro cookie value, and brute force the max_age parameter in a request.

How to fix Template Injection?

Upgrade org.openidentityplatform.openam:openam-oauth2 to version 15.0.4 or higher.

[,15.0.4)