Advisories for Maven/Org.openidentityplatform.openam/Openam-Push-Notification package

2026

OpenAM has Unsafe Java Deserialization via SNS

Description

A Deserialization of Untrusted Data (CWE-502) issue exists in OpenAM's Push Notification SNS callback resource. The REST route that handles SNS push messages is mounted with anonymous access and, when a supplied message identifier has expired from the in-memory dispatcher, falls back to a CTS-stored predicate blob whose top-level keys are treated as Java class names and passed to Class.forName(…) before attacker-controlled JSON is deserialized via Jackson. This impacts …