CVE-2019-14888 – undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS
https://notcve.org/view.php?id=CVE-2019-14888
A vulnerability was found in the Undertow HTTP server in versions before 2.0.28.SP1 when listening on HTTPS. An attacker can target the HTTPS port to carry out a Denial of Service (DoS) that makes the service unavailable over SSL/TLS.
References: https://access.redhat.com/errata/RHSA-2020:0729 • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14888 • https://security.netapp.com/advisory/ntap-20220211-0001 • https://access.redhat.com/security/cve/CVE-2019-14888 • https://bugzilla.redhat.com/show_bug.cgi?id=1772464
Weakness: CWE-400: Uncontrolled Resource Consumption
CVE-2019-14885 – EAP: Vault system property security attribute value is revealed on CLI 'reload' command
https://notcve.org/view.php?id=CVE-2019-14885
A flaw was found in the JBoss EAP Vault system in all versions before 7.2.6.GA. The confidential value of a system property's security attribute is written in plaintext to the JBoss EAP log file when a JBoss CLI 'reload' command is executed. Anyone with read access to the log file can therefore recover a secret that was supposed to exist only inside the vault.
References: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14885 • https://access.redhat.com/security/cve/CVE-2019-14885 • https://bugzilla.redhat.com/show_bug.cgi?id=1770615
Weakness: CWE-532: Insertion of Sensitive Information into Log File
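A practical follow-up to an advisory like this is to check whether the plaintext of any vault-stored value has already reached the server log. The scanner below is an added example written for this page (not Red Hat or JBoss code); the log lines are constructed to resemble, not reproduce, JBoss EAP output, and the `${VAULT::...}` reference form is the expected safe (unresolved) representation of a vaulted attribute:

```python
"""Scan a server log for plaintext occurrences of secrets that should only live
inside a credential store (added example; not Red Hat or JBoss code).

Assumptions: the operator already knows the plaintext of the vault-stored
values and can read the server log. SAMPLE_LOG below is constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Leak:
    line_no: int
    secret_name: str
    line: str


def find_leaked_secrets(log_lines, secrets):
    """Return a Leak for every line in which a known secret value appears verbatim.

    `secrets` maps a human-readable name to the plaintext value. Values shorter
    than 8 characters are skipped to avoid false positives from short substrings.
    """
    patterns = {
        name: re.compile(re.escape(value))
        for name, value in secrets.items()
        if len(value) >= 8
    }
    leaks = []
    for idx, line in enumerate(log_lines, start=1):
        for name, pat in patterns.items():
            if pat.search(line):
                leaks.append(Leak(idx, name, line.rstrip()))
    return leaks


def masked_vault_refs(log_lines):
    """Count lines that carry an unresolved ${VAULT::block::attribute::key}
    reference, i.e. the safe form in which a vaulted attribute should be logged."""
    ref = re.compile(r"\$\{VAULT::[^}]+\}")
    return sum(1 for line in log_lines if ref.search(line))


# Constructed sample log lines (not real EAP output).
SAMPLE_LOG = [
    "12:00:01,000 INFO  [org.jboss.as] (Controller Boot Thread) JBoss EAP 7.2.5.GA starting",
    "12:00:02,000 INFO  [org.jboss.as.server] (management-handler-thread - 1) Suspending server",
    "12:00:02,100 DEBUG [org.jboss.as.controller] (management-handler-thread - 1) "
    "system-property ds.password value=${VAULT::ds::password::1}",
    "12:00:02,200 DEBUG [org.jboss.as.controller] (management-handler-thread - 1) "
    "system-property ds.password value=Tr0ub4dor&3xample",
    "12:00:03,000 INFO  [org.jboss.as] (Controller Boot Thread) JBoss EAP 7.2.5.GA started",
]

# Constructed: the plaintext the vault is protecting, known to the operator.
SAMPLE_SECRETS = {"ds.password": "Tr0ub4dor&3xample"}

if __name__ == "__main__":
    for leak in find_leaked_secrets(SAMPLE_LOG, SAMPLE_SECRETS):
        print(f"line {leak.line_no}: plaintext of '{leak.secret_name}' found in log")
    print(f"{masked_vault_refs(SAMPLE_LOG)} line(s) still use a masked vault reference")
```

Run it against the real `server.log` by replacing `SAMPLE_LOG` with the file's lines; a non-empty result means the log must be treated as compromised and the affected secret rotated, independent of whether the server has since been patched.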
CVE-2019-14837 – keycloak: keycloak uses hardcoded open dummy domain for new accounts enabling information disclosure
https://notcve.org/view.php?id=CVE-2019-14837
A flaw was found in Keycloak before version 8.0.0. New service-account users were created with an e-mail address under the hard-coded domain 'placeholder.org'. The owner of that domain can set up a mail server for it and, knowing only the name of a client, trigger a password reset for the client's service account, receive the reset e-mail, and log in. For example, for client name 'test' the address is 'service-account-test@placeholder.org'.
References: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14837 • https://github.com/keycloak/keycloak/commit/9a7c1a91a59ab85e7f8889a505be04a71580777f • https://issues.jboss.org/browse/KEYCLOAK-10780 • https://access.redhat.com/security/cve/CVE-2019-14837 • https://bugzilla.redhat.com/show_bug.cgi?id=1730227
Weaknesses: CWE-547: Use of Hard-coded, Security-relevant Constants • CWE-798: Use of Hard-coded Credentials
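Existing realms created on an affected version keep the placeholder addresses after the upgrade, so an audit of stored users is needed as well as the patch. The check below is an added example (not Keycloak project code) that walks a realm export and flags service-account users with a resettable e-mail address outside the domains the deployment controls. It assumes the export's `users` entries carry `username`, `email` and, for service accounts, `serviceAccountClientId`; the sample export is constructed:

```python
"""Flag Keycloak service-account users whose e-mail address points at a domain
the deployment does not control (added example; not Keycloak project code).

Assumption: input is a realm export JSON whose `users` entries carry
`username`, `email` and, for service accounts, `serviceAccountClientId`.
SAMPLE_EXPORT below is constructed."""
import json


def email_domain(email):
    """Return the lower-cased domain part of an address, or None if absent/malformed."""
    if not email or email.count("@") != 1:
        return None
    local, _, domain = email.partition("@")
    if not local or not domain:
        return None
    return domain.strip().lower()


def risky_service_accounts(realm_export, trusted_domains):
    """Return (username, email, client_id) for every service-account user that
    has a well-formed e-mail address outside `trusted_domains`.

    A service account has no human owner, so any deliverable address on it is
    a password-reset path; an address on a domain someone else can register
    (such as the hard-coded 'placeholder.org') is an account-takeover path.
    Service accounts with no e-mail at all are not flagged: that is the safe
    state, since no reset mail can be sent for them."""
    trusted = {d.lower() for d in trusted_domains}
    findings = []
    for user in realm_export.get("users", []):
        client_id = user.get("serviceAccountClientId")
        if not client_id:
            continue  # ordinary user, not a client's service account
        domain = email_domain(user.get("email"))
        if domain is not None and domain not in trusted:
            findings.append((user["username"], user["email"], client_id))
    return findings


# Constructed realm export fragment (shape follows Keycloak's export format).
SAMPLE_EXPORT = json.loads("""
{
  "realm": "demo",
  "users": [
    {"username": "alice", "email": "alice@corp.example", "enabled": true},
    {"username": "service-account-test",
     "email": "service-account-test@placeholder.org",
     "enabled": true, "serviceAccountClientId": "test"},
    {"username": "service-account-billing",
     "email": "service-account-billing@corp.example",
     "enabled": true, "serviceAccountClientId": "billing"},
    {"username": "service-account-reports",
     "enabled": true, "serviceAccountClientId": "reports"}
  ]
}
""")

# Constructed: the domains this organisation actually operates mail for.
TRUSTED_DOMAINS = {"corp.example"}

if __name__ == "__main__":
    for username, email, client_id in risky_service_accounts(SAMPLE_EXPORT, TRUSTED_DOMAINS):
        print(f"{username} (client '{client_id}') is resettable via {email}")
```

Against a real export, every finding should have its e-mail cleared (or the user recreated on a fixed version) and, because the address may already have been abused, the client's secret rotated.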
CVE-2019-14820 – keycloak: adapter endpoints are exposed via arbitrary URLs
https://notcve.org/view.php?id=CVE-2019-14820
It was found that Keycloak before version 8.0.0 exposes the internal adapter endpoints defined in org.keycloak.constants.AdapterConstants, which can be invoked via a specially crafted URL. This vulnerability could allow an attacker to access unauthorized information.
References: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14820 • https://access.redhat.com/security/cve/CVE-2019-14820 • https://bugzilla.redhat.com/show_bug.cgi?id=1649870
Weakness: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2019-14843 – wildfly-security-manager: security manager authorization bypass
https://notcve.org/view.php?id=CVE-2019-14843
A flaw was found in the WildFly Security Manager, running under JDK 8 or 11, that authorized requests for any requester. A malicious application deployed on the application server could use this flaw to access unauthorized information and possibly conduct further attacks. The versions shipped with Red Hat JBoss EAP 7 and Red Hat SSO 7 are vulnerable to this issue.
References: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14843 • https://access.redhat.com/security/cve/CVE-2019-14843 • https://bugzilla.redhat.com/show_bug.cgi?id=1752980
Weaknesses: CWE-592: DEPRECATED: Authentication Bypass Issues • CWE-863: Incorrect Authorization