CVSS: 5.7EPSS: 0%CPEs: 4EXPL: 0CVE-2024-10973 – Keycloak: cli option for encrypted jgroups ignored
https://notcve.org/view.php?id=CVE-2024-10973
17 Dec 2024 — A vulnerability was found in Keycloak. The environment option `KC_CACHE_EMBEDDED_MTLS_ENABLED` does not work and the JGroups replication configuration is always used in plain text which can allow an attacker that has access to adjacent networks related to JGroups to read sensitive information. • https://access.redhat.com/security/cve/CVE-2024-10973 • CWE-319: Cleartext Transmission of Sensitive Information •
CVSS: 7.4EPSS: 0%CPEs: 18EXPL: 0CVE-2024-12397 – Io.quarkus.http/quarkus-http-core: quarkus http cookie smuggling
https://notcve.org/view.php?id=CVE-2024-12397
12 Dec 2024 — A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leading to unauthorized data access or modification. The main threat from this flaw impacts data confidentiality and integrity. Se encontró una falla en Quarkus-HTTP que analiza incorrectamente las cookies con ciertos caracteres que deli... • https://access.redhat.com/security/cve/CVE-2024-12397 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 7.8EPSS: 0%CPEs: 15EXPL: 0CVE-2024-4109 – Undertow: information leakage via http/2 request header reuse
https://notcve.org/view.php?id=CVE-2024-4109
12 Dec 2024 — A flaw was found in Undertow. An HTTP request header value from a previous stream may be incorrectly reused for a request associated with a subsequent stream on the same HTTP/2 connection. This issue can potentially lead to information leakage between requests. Se encontró un fallo en Undertow. Un valor de encabezado de solicitud HTTP de una secuencia anterior puede reutilizarse incorrectamente para una solicitud asociada con una secuencia posterior en la misma conexión HTTP/2. • https://access.redhat.com/security/cve/CVE-2024-4109 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.2EPSS: 0%CPEs: 3EXPL: 0CVE-2024-12369 – Elytron-oidc-client: oidc authorization code injection
https://notcve.org/view.php?id=CVE-2024-12369
09 Dec 2024 — A vulnerability was found in OIDC-Client. When using the RH SSO OIDC adapter with EAP 7.x or when using the elytron-oidc-client subsystem with EAP 8.x, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with the client with a victim's identity. This is usually done with a Man-in-the-Middle (MitM) or phishing attack. • https://access.redhat.com/security/cve/CVE-2024-12369 • CWE-345: Insufficient Verification of Data Authenticity •
CVSS: 5.9EPSS: 0%CPEs: 3EXPL: 0CVE-2024-10451 – Org.keycloak:keycloak-quarkus-server: sensitive data exposure in keycloak build process
https://notcve.org/view.php?id=CVE-2024-10451
25 Nov 2024 — A flaw was found in Keycloak. This issue occurs because sensitive runtime values, such as passwords, may be captured during the Keycloak build process and embedded as default values in bytecode, leading to unintended information disclosure. In Keycloak 26, sensitive data specified directly in environment variables during the build process is also stored as a default values, making it accessible during runtime. Indirect usage of environment variables for SPI options and Quarkus properties is also vulnerable ... • https://access.redhat.com/errata/RHSA-2024:10175 • CWE-798: Use of Hard-coded Credentials •
CVSS: 6.8EPSS: 0%CPEs: 5EXPL: 0CVE-2024-10270 – Org.keycloak:keycloak-services: keycloak denial of service
https://notcve.org/view.php?id=CVE-2024-10270
25 Nov 2024 — A vulnerability was found in the Keycloak-services package. If untrusted data is passed to the SearchQueryUtils method, it could lead to a denial of service (DoS) scenario by exhausting system resources due to a Regex complexity. • https://access.redhat.com/errata/RHSA-2024:10175 • CWE-1333: Inefficient Regular Expression Complexity •
CVSS: 4.7EPSS: 0%CPEs: 3EXPL: 0CVE-2024-9666 – Org.keycloak/keycloak-quarkus-server: keycloak proxy header handling denial-of-service (dos) vulnerability
https://notcve.org/view.php?id=CVE-2024-9666
25 Nov 2024 — A vulnerability was found in the Keycloak Server. The Keycloak Server is vulnerable to a denial of service (DoS) attack due to improper handling of proxy headers. When Keycloak is configured to accept incoming proxy headers, it may accept non-IP values, such as obfuscated identifiers, without proper validation. This issue can lead to costly DNS resolution operations, which an attacker could exploit to tie up IO threads and potentially cause a denial of service. The attacker must have access to send requests... • https://access.redhat.com/errata/RHSA-2024:10175 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 7.7EPSS: 0%CPEs: 7EXPL: 0CVE-2024-10234 – Wildfly: wildfly vulnerable to cross-site scripting (xss)
https://notcve.org/view.php?id=CVE-2024-10234
22 Oct 2024 — A vulnerability was found in Wildfly, where a user may perform Cross-site scripting in the Wildfly deployment system. This flaw allows an attacker or insider to execute a deployment with a malicious payload, which could trigger undesired behavior against the server. • https://access.redhat.com/security/cve/CVE-2024-10234 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.5EPSS: 0%CPEs: 4EXPL: 1CVE-2024-3656 – Keycloak: unguarded admin rest api endpoints allows low privilege users to use administrative functionalities
https://notcve.org/view.php?id=CVE-2024-3656
09 Oct 2024 — A flaw was found in Keycloak. Certain endpoints in Keycloak's admin REST API allow low-privilege users to access administrative functionalities. This flaw allows users to perform actions reserved for administrators, potentially leading to data breaches or system compromise. • https://github.com/h4x0r-dz/CVE-2024-3656 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.8EPSS: 0%CPEs: 11EXPL: 0CVE-2024-8883 – Keycloak: vulnerable redirect uri validation results in open redirec
https://notcve.org/view.php?id=CVE-2024-8883
19 Sep 2024 — A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking. • https://access.redhat.com/security/cve/CVE-2024-8883 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •