Page 13 of 458 results (0.008 seconds)

CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0

CVE-2022-43844 – IBM Robotic Process Automation for Cloud Pak session fixation

https://notcve.org/view.php?id=CVE-2022-43844

IBM Robotic Process Automation for Cloud Pak 20.12 through 21.0.3 is vulnerable to broken access control. A user is not correctly redirected to the platform log out screen when logging out of IBM RPA for Cloud Pak. IBM X-Force ID: 239081. • https://exchange.xforce.ibmcloud.com/vulnerabilities/239081 https://www.ibm.com/support/pages/node/6852663 • CWE-613: Insufficient Session Expiration •

CVSS: 5.9EPSS: 0%CPEs: 3EXPL: 0

CVE-2021-4294 – OpenShift OSIN CheckClientSecret timing discrepancy

https://notcve.org/view.php?id=CVE-2021-4294

A vulnerability was found in OpenShift OSIN. It has been classified as problematic. This affects the function ClientSecretMatches/CheckClientSecret. The manipulation of the argument secret leads to observable timing discrepancy. The name of the patch is 8612686d6dda34ae9ef6b5a974e4b7accb4fea29. • https://github.com/openshift/osin/commit/8612686d6dda34ae9ef6b5a974e4b7accb4fea29 https://github.com/openshift/osin/pull/200 https://vuldb.com/?ctiid.216987 https://vuldb.com/?id.216987 https://access.redhat.com/security/cve/CVE-2021-4294 https://bugzilla.redhat.com/show_bug.cgi?id=2156871 • CWE-203: Observable Discrepancy CWE-208: Observable Timing Discrepancy •

CVSS: 6.8EPSS: 0%CPEs: 15EXPL: 0

CVE-2022-3916 – Keycloak: session takeover with oidc offline refreshtokens

https://notcve.org/view.php?id=CVE-2022-3916

A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user. Se encontró una falla en el alcance offline_access en Keycloak. Este problema afectaría más a los usuarios de ordenadores compartidos (especialmente si las cookies no se borran), debido a la falta de validación de la sesión root y a la reutilización de los identificadores de sesión en las sesiones de autenticación de usuario y root. • https://access.redhat.com/errata/RHSA-2022:8961 https://access.redhat.com/errata/RHSA-2022:8962 https://access.redhat.com/errata/RHSA-2022:8963 https://access.redhat.com/errata/RHSA-2022:8964 https://access.redhat.com/errata/RHSA-2022:8965 https://access.redhat.com/errata/RHSA-2023:1043 https://access.redhat.com/errata/RHSA-2023:1044 https://access.redhat.com/errata/RHSA-2023:1045 https://access.redhat.com/errata/RHSA-2023:1047 https://access.redhat.com/errata/RHSA • CWE-384: Session Fixation CWE-613: Insufficient Session Expiration •

CVSS: 7.4EPSS: 0%CPEs: 1EXPL: 0

CVE-2022-3259 – OpenShift: Missing HTTP Strict Transport Security

https://notcve.org/view.php?id=CVE-2022-3259

Openshift 4.9 does not use HTTP Strict Transport Security (HSTS) which may allow man-in-the-middle (MITM) attacks. Openshift 4.9 no utiliza HTTP Strict Transport Security (HSTS), que puede permitir ataques de intermediario (MITM). • https://bugzilla.redhat.com/show_bug.cgi?id=2103220 https://access.redhat.com/security/cve/CVE-2022-3259 • CWE-665: Improper Initialization •

CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0

CVE-2022-3262

https://notcve.org/view.php?id=CVE-2022-3262

A flaw was found in Openshift. A pod with a DNSPolicy of "ClusterFirst" may incorrectly resolve the hostname based on a service provided. This flaw allows an attacker to supply an incorrect name with the DNS search policy, affecting confidentiality and availability. Se encontró un fallo en Openshift. Un pod con una política DNS de "ClusterFirst" puede resolver incorrectamente el nombre de host según un servicio proporcionado. • https://bugzilla.redhat.com/show_bug.cgi?id=2128858 • CWE-453: Insecure Default Variable Initialization CWE-1188: Initialization of a Resource with an Insecure Default •