Page 13 of 458 results (0.008 seconds)

CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0

CVE-2022-43844 – IBM Robotic Process Automation for Cloud Pak session fixation

https://notcve.org/view.php?id=CVE-2022-43844

IBM Robotic Process Automation for Cloud Pak 20.12 through 21.0.3 is vulnerable to broken access control. A user is not correctly redirected to the platform log out screen when logging out of IBM RPA for Cloud Pak. IBM X-Force ID: 239081. • https://exchange.xforce.ibmcloud.com/vulnerabilities/239081 https://www.ibm.com/support/pages/node/6852663 • CWE-613: Insufficient Session Expiration •

CVSS: 5.9EPSS: 0%CPEs: 3EXPL: 0

CVE-2021-4294 – OpenShift OSIN CheckClientSecret timing discrepancy

https://notcve.org/view.php?id=CVE-2021-4294

A vulnerability was found in OpenShift OSIN. It has been classified as problematic. This affects the function ClientSecretMatches/CheckClientSecret. The manipulation of the argument secret leads to observable timing discrepancy. The name of the patch is 8612686d6dda34ae9ef6b5a974e4b7accb4fea29. • https://github.com/openshift/osin/commit/8612686d6dda34ae9ef6b5a974e4b7accb4fea29 https://github.com/openshift/osin/pull/200 https://vuldb.com/?ctiid.216987 https://vuldb.com/?id.216987 https://access.redhat.com/security/cve/CVE-2021-4294 https://bugzilla.redhat.com/show_bug.cgi?id=2156871 • CWE-203: Observable Discrepancy CWE-208: Observable Timing Discrepancy •

CVSS: 6.8EPSS: 0%CPEs: 15EXPL: 0

CVE-2022-3916 – Keycloak: session takeover with oidc offline refreshtokens

https://notcve.org/view.php?id=CVE-2022-3916

A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user. Se encontró una falla en el alcance offline_access en Keycloak. Este problema afectaría más a los usuarios de ordenadores compartidos (especialmente si las cookies no se borran), debido a la falta de validación de la sesión root y a la reutilización de los identificadores de sesión en las sesiones de autenticación de usuario y root. • https://access.redhat.com/errata/RHSA-2022:8961 https://access.redhat.com/errata/RHSA-2022:8962 https://access.redhat.com/errata/RHSA-2022:8963 https://access.redhat.com/errata/RHSA-2022:8964 https://access.redhat.com/errata/RHSA-2022:8965 https://access.redhat.com/errata/RHSA-2023:1043 https://access.redhat.com/errata/RHSA-2023:1044 https://access.redhat.com/errata/RHSA-2023:1045 https://access.redhat.com/errata/RHSA-2023:1047 https://access.redhat.com/errata/RHSA • CWE-384: Session Fixation CWE-613: Insufficient Session Expiration •

CVSS: 7.4EPSS: 0%CPEs: 1EXPL: 0

CVE-2022-3259 – OpenShift: Missing HTTP Strict Transport Security

https://notcve.org/view.php?id=CVE-2022-3259

Openshift 4.9 does not use HTTP Strict Transport Security (HSTS) which may allow man-in-the-middle (MITM) attacks. Openshift 4.9 no utiliza HTTP Strict Transport Security (HSTS), que puede permitir ataques de intermediario (MITM). • https://bugzilla.redhat.com/show_bug.cgi?id=2103220 https://access.redhat.com/security/cve/CVE-2022-3259 • CWE-665: Improper Initialization •

CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1

CVE-2022-3260

https://notcve.org/view.php?id=CVE-2022-3260

The response header has not enabled X-FRAME-OPTIONS, Which helps prevents against Clickjacking attack.. Some browsers would interpret these results incorrectly, allowing clickjacking attacks. El encabezado de respuesta no ha habilitado X-FRAME-OPTIONS, lo que ayuda a prevenir ataques de Clickjacking. Algunos navegadores interpretarían estos resultados incorrectamente, permitiendo ataques de clickjacking. • https://bugzilla.redhat.com/show_bug.cgi?id=2106780 • CWE-1021: Improper Restriction of Rendered UI Layers or Frames •