CVE-2021-35464: ForgeRock AM remote code execution vulnerability

On June 30, 2021, PortSwigger released a vulnerability analysis report on ForgeRock AM remote code execution vulnerabilities, the vulnerability number is CVE-2021-35464. An unauthenticated attacker can execute arbitrary code remotely by constructing a special request and take over the server running ForgeRock AM. Due to ForgeRock AM’s own permission management function, the attacker can directly access other sensitive services to carry out further attacks while controlling the ForgeRock AM server.

This vulnerability does not require identity authentication, does not require any user interaction, and the complex attack is low. At the same time, because it is a key identity authentication service, once it is attacked, it will lead to very serious consequences and extreme risk.