OpenAM Claims Injection Vulnerability in id_token and user_info

Vulnerability

A vulnerability exists in Open Access Management (OpenAM) versions prior to 16.0.0 that allows arbitrary values to be injected into the claims of the id_token or user_info. The issue arises when the 'claims_parameter_supported' setting is enabled and is exploitable via the 'oidc-claims-extension.groovy' claims-mapping script. An attacker can include a claims parameter carrying a JSON object in the authorization request and thereby customize the claims returned in the id_token and user_info. Depending on how client applications consume these claims, this can enable further attacks, such as impersonating a user by manipulating the email claim.
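As an added illustration (not OpenAM's code or its oidc-claims-extension.groovy script), the following Python model contrasts a claims mapper that trusts values carried in the OIDC claims request parameter with one that uses the parameter only to select claims and always takes the values from the authenticated user's profile. The profile, the request and the function names are constructed assumptions.

```python
import json

# Constructed sample: the authenticated user's profile as held by the identity store.
PROFILE = {"sub": "alice", "email": "alice@example.com", "name": "Alice Example"}

# Constructed sample of a hostile OIDC `claims` request parameter (OIDC Core 5.5).
# The "value" hints do not match the real profile, and "role" is not a known claim.
CLAIMS_REQUEST = json.dumps({
    "id_token": {"email": {"essential": True, "value": "admin@example.com"},
                 "name": None},
    "userinfo": {"email": {"value": "admin@example.com"}, "role": {"value": "admin"}},
})


def parse_section(claims_param, section):
    """Parse the `claims` parameter and return the requested claims for one section."""
    doc = json.loads(claims_param)
    if not isinstance(doc, dict):
        raise ValueError("claims parameter must be a JSON object")
    requested = doc.get(section, {})
    if not isinstance(requested, dict):
        raise ValueError(f"{section} member must be a JSON object")
    for name, spec in requested.items():
        if spec is not None and not isinstance(spec, dict):
            raise ValueError(f"claim {name!r} must be null or an object")
    return requested


def vulnerable_claims(claims_param, section, profile):
    """Model of the failure mode: request-supplied values are copied into the token."""
    out = {}
    for name, spec in parse_section(claims_param, section).items():
        if spec and "value" in spec:
            out[name] = spec["value"]  # attacker-controlled value lands in the token
        else:
            out[name] = profile.get(name)
    return out


def hardened_claims(claims_param, section, profile):
    """Request names select claims; values always come from the verified profile."""
    out = {}
    for name, spec in parse_section(claims_param, section).items():
        if name not in profile:
            continue  # unknown claim: never synthesize it from the request
        actual = profile[name]
        if spec and "value" in spec and spec["value"] != actual:
            continue  # hint does not match reality: omit rather than echo the hint
        if spec and "values" in spec and actual not in spec["values"]:
            continue
        out[name] = actual
    return out
```

A malformed parameter is rejected by `parse_section` before any claim is mapped, so the hardened path never produces a claim the identity store did not vouch for.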

Impact

Exploitation of this vulnerability could lead to unauthorized identity assumption by injecting false claims into the id_token or user_info, potentially allowing attackers to impersonate users or manipulate access based on the injected information.

Remediation

Users can upgrade to OpenAM version 16.0.0 or later to address this vulnerability.

Added: Nov 12, 2025, 7:17 PM
Updated: Nov 12, 2025, 7:17 PM

Vulnerability Rating

Custom Algorithm

  spread          1.9
  impact          1.3
  exploitability  7.4
  remediation     7.7
  relevance       1.0
  threat          0.0
  urgency         2.9
  incentive       5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.