CVSS: 7.8EPSS: 0%CPEs: 10EXPL: 0CVE-2025-2240 – Smallrye-fault-tolerance: smallrye fault tolerance
https://notcve.org/view.php?id=CVE-2025-2240
12 Mar 2025 — A flaw was found in Smallrye, where smallrye-fault-tolerance is vulnerable to an out-of-memory (OOM) issue. This vulnerability is externally triggered when calling the metrics URI. Every call creates a new object within meterMap and may lead to a denial of service (DoS) issue. An update is now available for Red Hat build of Quarkus. • https://access.redhat.com/security/cve/CVE-2025-2240 • CWE-1325: Improperly Controlled Sequential Memory Allocation •
CVSS: 5.5EPSS: 0%CPEs: 46EXPL: 0CVE-2024-11831 – Npm-serialize-javascript: cross-site scripting (xss) in serialize-javascript
https://notcve.org/view.php?id=CVE-2024-11831
10 Feb 2025 — A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web applicatio... • https://access.redhat.com/security/cve/CVE-2024-11831 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.4EPSS: 0%CPEs: 18EXPL: 0CVE-2024-12397 – Io.quarkus.http/quarkus-http-core: quarkus http cookie smuggling
https://notcve.org/view.php?id=CVE-2024-12397
12 Dec 2024 — A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leading to unauthorized data access or modification. The main threat from this flaw impacts data confidentiality and integrity. Se encontró una falla en Quarkus-HTTP que analiza incorrectamente las cookies con ciertos caracteres que deli... • https://access.redhat.com/security/cve/CVE-2024-12397 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 5.3EPSS: 0%CPEs: 26EXPL: 0CVE-2024-3653 – Undertow: learningpushhandler can lead to remote memory dos attacks
https://notcve.org/view.php?id=CVE-2024-3653
08 Jul 2024 — A vulnerability was found in Undertow. This issue requires enabling the learning-push handler in the server's config, which is disabled by default, leaving the maxAge config in the handler unconfigured. The default is -1, which makes the handler vulnerable. If someone overwrites that config, the server is not subject to the attack. The attacker needs to be able to reach the server with a normal HTTP request. • https://access.redhat.com/errata/RHSA-2024:4392 • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 9.3EPSS: 1%CPEs: 22EXPL: 0CVE-2023-4639 – Undertow: cookie smuggling/spoofing
https://notcve.org/view.php?id=CVE-2023-4639
14 Jun 2024 — A flaw was found in Undertow, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leading to unauthorized data access or modification. The main threat from this flaw impacts data confidentiality and integrity. Migration Toolkit for Runtimes 1.2.6 release Red Hat Product Security has rated this update as having a security ... • https://access.redhat.com/errata/RHSA-2024:1674 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 6.4EPSS: 0%CPEs: 23EXPL: 0CVE-2023-6717 – Keycloak: xss via assertion consumer service url in saml post-binding flow
https://notcve.org/view.php?id=CVE-2023-6717
25 Apr 2024 — A flaw was found in the SAML client registration in Keycloak that could allow an administrator to register malicious JavaScript URIs as Assertion Consumer Service POST Binding URLs (ACS), posing a Cross-Site Scripting (XSS) risk. This issue may allow a malicious admin in one realm or a client with registration access to target users in different realms or applications, executing arbitrary JavaScript in their contexts upon form submission. This can enable unauthorized access and harmful actions, compromising... • https://access.redhat.com/errata/RHSA-2024:1867 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 22EXPL: 0CVE-2024-1249 – Keycloak: org.keycloak.protocol.oidc: unvalidated cross-origin messages in checkloginiframe leads to ddos
https://notcve.org/view.php?id=CVE-2024-1249
17 Apr 2024 — A flaw was found in Keycloak's OIDC component in the "checkLoginIframe," which allows unvalidated cross-origin messages. This flaw allows attackers to coordinate and send millions of requests in seconds using simple code, significantly impacting the application's availability without proper origin validation for incoming messages. Se encontró una falla en el componente OIDC de Keycloak en "checkLoginIframe", que permite mensajes de origen cruzado no validados. Esta falla permite a los atacantes coordinar y ... • https://access.redhat.com/errata/RHSA-2024:1860 • CWE-346: Origin Validation Error •
CVSS: 9.4EPSS: 0%CPEs: 21EXPL: 0CVE-2024-1132 – Keycloak: path transversal in redirection validation
https://notcve.org/view.php?id=CVE-2024-1132
17 Apr 2024 — A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to construct a malicious request to bypass validation and access other URLs and sensitive information within the domain or conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field, and requires user interaction within the malicious URL. Se encontró una falla en Keycloak, donde no valida correctamente las URL incluidas en una ... • https://access.redhat.com/errata/RHSA-2024:1860 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.5EPSS: 0%CPEs: 31EXPL: 0CVE-2024-1300 – Io.vertx:vertx-core: memory leak when a tcp server is configured with tls and sni support
https://notcve.org/view.php?id=CVE-2024-1300
02 Apr 2024 — A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the SSL context is erroneously cached in the server name map, leading to memory exhaustion. This flaw allows attackers to send TLS client hello messages with fake server names, triggering a JVM out-of-memory error. Una vulnerabilidad en Eclipse Vert.x toolkit provoca una pérdida de m... • https://access.redhat.com/errata/RHSA-2024:1662 • CWE-400: Uncontrolled Resource Consumption CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 6.8EPSS: 0%CPEs: 31EXPL: 0CVE-2024-1023 – Io.vertx/vertx-core: memory leak due to the use of netty fastthreadlocal data structures in vertx
https://notcve.org/view.php?id=CVE-2024-1023
27 Mar 2024 — A vulnerability in the Eclipse Vert.x toolkit results in a memory leak due to using Netty FastThreadLocal data structures. Specifically, when the Vert.x HTTP client establishes connections to different hosts, triggering the memory leak. The leak can be accelerated with intimate runtime knowledge, allowing an attacker to exploit this vulnerability. For instance, a server accepting arbitrary internet addresses could serve as an attack vector by connecting to these addresses, thereby accelerating the memory le... • https://access.redhat.com/errata/RHSA-2024:1662 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-401: Missing Release of Memory after Effective Lifetime •