CVSS: 7.4EPSS: 0%CPEs: 18EXPL: 0CVE-2024-12397 – Io.quarkus.http/quarkus-http-core: quarkus http cookie smuggling
https://notcve.org/view.php?id=CVE-2024-12397
12 Dec 2024 — A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leading to unauthorized data access or modification. The main threat from this flaw impacts data confidentiality and integrity. Se encontró una falla en Quarkus-HTTP que analiza incorrectamente las cookies con ciertos caracteres que deli... • https://access.redhat.com/security/cve/CVE-2024-12397 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 6.4EPSS: 0%CPEs: 28EXPL: 0CVE-2023-1932 – Hibernate-validator: rendering of invalid html with safehtml leads to html injection and xss
https://notcve.org/view.php?id=CVE-2023-1932
07 Nov 2024 — A flaw was found in hibernate-validator's 'isValid' method in the org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator class, which can be bypassed by omitting the tag ending in a less-than character. Browsers may render an invalid html, allowing HTML injection or Cross-Site-Scripting (XSS) attacks. Se encontró una falla en el método 'isValid' de hibernate-validator en la clase org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator, que se puede evitar omitiendo la ... • https://access.redhat.com/security/cve/CVE-2023-1932 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 30EXPL: 0CVE-2024-9355 – Golang-fips: golang fips zeroed buffer
https://notcve.org/view.php?id=CVE-2024-9355
01 Oct 2024 — A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum. It is also possible to force a derived key to be all zeros instead of an unpredictable value. This... • https://access.redhat.com/security/cve/CVE-2024-9355 • CWE-457: Use of Uninitialized Variable •
CVSS: 7.3EPSS: 0%CPEs: 2EXPL: 0CVE-2024-8285 – Kroxylicious: missing upstream kafka tls hostname verification
https://notcve.org/view.php?id=CVE-2024-8285
30 Aug 2024 — A flaw was found in Kroxylicious. When establishing the connection with the upstream Kafka server using a TLS secured connection, Kroxylicious fails to properly verify the server's hostname, resulting in an insecure connection. For a successful attack to be performed, the attacker needs to perform a Man-in-the-Middle attack or compromise any external systems, such as DNS or network routing configuration. This issue is considered a high complexity attack, with additional high privileges required, as the atta... • https://access.redhat.com/security/cve/CVE-2024-8285 • CWE-297: Improper Validation of Certificate with Host Mismatch •
CVSS: 5.3EPSS: 0%CPEs: 26EXPL: 0CVE-2024-3653 – Undertow: learningpushhandler can lead to remote memory dos attacks
https://notcve.org/view.php?id=CVE-2024-3653
08 Jul 2024 — A vulnerability was found in Undertow. This issue requires enabling the learning-push handler in the server's config, which is disabled by default, leaving the maxAge config in the handler unconfigured. The default is -1, which makes the handler vulnerable. If someone overwrites that config, the server is not subject to the attack. The attacker needs to be able to reach the server with a normal HTTP request. • https://access.redhat.com/errata/RHSA-2024:4392 • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 7.8EPSS: 0%CPEs: 22EXPL: 0CVE-2024-1249 – Keycloak: org.keycloak.protocol.oidc: unvalidated cross-origin messages in checkloginiframe leads to ddos
https://notcve.org/view.php?id=CVE-2024-1249
17 Apr 2024 — A flaw was found in Keycloak's OIDC component in the "checkLoginIframe," which allows unvalidated cross-origin messages. This flaw allows attackers to coordinate and send millions of requests in seconds using simple code, significantly impacting the application's availability without proper origin validation for incoming messages. Se encontró una falla en el componente OIDC de Keycloak en "checkLoginIframe", que permite mensajes de origen cruzado no validados. Esta falla permite a los atacantes coordinar y ... • https://access.redhat.com/errata/RHSA-2024:1860 • CWE-346: Origin Validation Error •
CVSS: 7.0EPSS: 0%CPEs: 11EXPL: 0CVE-2024-2700 – Quarkus-core: leak of local configuration properties into quarkus applications
https://notcve.org/view.php?id=CVE-2024-2700
04 Apr 2024 — A vulnerability was found in the quarkus-core component. Quarkus captures local environment variables from the Quarkus namespace during the application's build, therefore, running the resulting application inherits the values captured at build time. Some local environment variables may have been set by the developer or CI environment for testing purposes, such as dropping the database during application startup or trusting all TLS certificates to accept self-signed certificates. If these properties are conf... • https://access.redhat.com/errata/RHSA-2024:2106 • CWE-526: Cleartext Storage of Sensitive Information in an Environment Variable •
CVSS: 5.5EPSS: 0%CPEs: 31EXPL: 0CVE-2024-1300 – Io.vertx:vertx-core: memory leak when a tcp server is configured with tls and sni support
https://notcve.org/view.php?id=CVE-2024-1300
02 Apr 2024 — A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the SSL context is erroneously cached in the server name map, leading to memory exhaustion. This flaw allows attackers to send TLS client hello messages with fake server names, triggering a JVM out-of-memory error. Una vulnerabilidad en Eclipse Vert.x toolkit provoca una pérdida de m... • https://access.redhat.com/errata/RHSA-2024:1662 • CWE-400: Uncontrolled Resource Consumption CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 6.8EPSS: 0%CPEs: 31EXPL: 0CVE-2024-1023 – Io.vertx/vertx-core: memory leak due to the use of netty fastthreadlocal data structures in vertx
https://notcve.org/view.php?id=CVE-2024-1023
27 Mar 2024 — A vulnerability in the Eclipse Vert.x toolkit results in a memory leak due to using Netty FastThreadLocal data structures. Specifically, when the Vert.x HTTP client establishes connections to different hosts, triggering the memory leak. The leak can be accelerated with intimate runtime knowledge, allowing an attacker to exploit this vulnerability. For instance, a server accepting arbitrary internet addresses could serve as an attack vector by connecting to these addresses, thereby accelerating the memory le... • https://access.redhat.com/errata/RHSA-2024:1662 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 7.8EPSS: 0%CPEs: 25EXPL: 0CVE-2024-1635 – Undertow: out-of-memory error after several closed connections with wildfly-http-client protocol
https://notcve.org/view.php?id=CVE-2024-1635
19 Feb 2024 — A vulnerability was found in Undertow. This vulnerability impacts a server that supports the wildfly-http-client protocol. Whenever a malicious user opens and closes a connection with the HTTP port of the server and then closes the connection immediately, the server will end with both memory and open file limits exhausted at some point, depending on the amount of memory available. At HTTP upgrade to remoting, the WriteTimeoutStreamSinkConduit leaks connections if RemotingConnection is closed by Remoting Ser... • https://access.redhat.com/errata/RHSA-2024:1674 • CWE-400: Uncontrolled Resource Consumption •