CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2021-3632 – keycloak: Anyone can register a new device when there is no device registered for passwordless login
https://notcve.org/view.php?id=CVE-2021-3632
A flaw was found in Keycloak. This vulnerability allows anyone to register a new security device or key when there is not a device already registered for any user by using the WebAuthn password-less login flow. Se ha encontrado un fallo en Keycloak. Esta vulnerabilidad permite a cualquiera registrar un nuevo dispositivo de seguridad o llave cuando no se presenta un dispositivo ya registrado para ningún usuario, al usar el flujo de inicio de sesión sin contraseña de WebAuthn. • https://access.redhat.com/security/cve/CVE-2021-3632 https://bugzilla.redhat.com/show_bug.cgi?id=1978196 https://github.com/keycloak/keycloak/commit/65480cb5a11630909c086f79d396004499fbd1e4 https://github.com/keycloak/keycloak/pull/8203 https://issues.redhat.com/browse/KEYCLOAK-18500 • CWE-287: Improper Authentication •
CVSS: 5.9EPSS: 0%CPEs: 22EXPL: 0CVE-2021-3597 – undertow: HTTP2SourceChannel fails to write final frame under some circumstances may lead to DoS
https://notcve.org/view.php?id=CVE-2021-3597
A flaw was found in undertow. The HTTP2SourceChannel fails to write the final frame under some circumstances, resulting in a denial of service. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.35.SP1, prior to 2.2.6.SP1, prior to 2.2.7.SP1, prior to 2.0.36.SP1, prior to 2.2.9.Final and prior to 2.0.39.Final. Se ha encontrado un fallo en Undertow. • https://bugzilla.redhat.com/show_bug.cgi?id=1970930 https://security.netapp.com/advisory/ntap-20220804-0003 https://access.redhat.com/security/cve/CVE-2021-3597 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 4.3EPSS: 0%CPEs: 8EXPL: 1CVE-2021-3622 – hivex: stack overflow due to recursive call of _get_children()
https://notcve.org/view.php?id=CVE-2021-3622
A flaw was found in the hivex library. This flaw allows an attacker to input a specially crafted Windows Registry (hive) file, which would cause hivex to recursively call the _get_children() function, leading to a stack overflow. The highest threat from this vulnerability is to system availability. Se ha encontrado un fallo en hivex library. Este fallo permite a un atacante introducir un archivo del Registro de Windows (hive) especialmente diseñado, lo que causaría que hivex llamara recursivamente a la función _get_children(), conllevando a un desbordamiento de pila. • https://bugzilla.redhat.com/show_bug.cgi?id=1975489 https://github.com/libguestfs/hivex/commit/771728218dac2fbf6997a7e53225e75a4c6b7255 https://listman.redhat.com/archives/libguestfs/2021-August/msg00002.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/S35TVTAPHORSUIFYNFBHKLQRPVFUPXBE https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/USD4OEV6L3RPHE32V2MJ4JPFBODINWSU https://access.redhat.com/security/cve/CVE-2021-3622 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.5EPSS: 0%CPEs: 15EXPL: 1CVE-2021-3690 – undertow: buffer leak on incoming websocket PONG message may lead to DoS
https://notcve.org/view.php?id=CVE-2021-3690
A flaw was found in Undertow. A buffer leak on the incoming WebSocket PONG message may lead to memory exhaustion. This flaw allows an attacker to cause a denial of service. The highest threat from this vulnerability is availability. Se ha encontrado un fallo en Undertow. • https://access.redhat.com/security/cve/CVE-2021-3690 https://bugzilla.redhat.com/show_bug.cgi?id=1991299 https://github.com/undertow-io/undertow/commit/c7e84a0b7efced38506d7d1dfea5902366973877 https://issues.redhat.com/browse/UNDERTOW-1935 • CWE-400: Uncontrolled Resource Consumption CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 9.3EPSS: 0%CPEs: 13EXPL: 0CVE-2021-3621 – sssd: shell command injection in sssctl
https://notcve.org/view.php?id=CVE-2021-3621
A flaw was found in SSSD, where the sssctl command was vulnerable to shell command injection via the logs-fetch and cache-expire subcommands. This flaw allows an attacker to trick the root user into running a specially crafted sssctl command, such as via sudo, to gain root access. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. Se encontró un fallo en SSSD, donde el comando sssctl era vulnerable a la inyección de comandos de shell por medio de los subcomandos logs-fetch y cache-expire. Este fallo permite a un atacante engañar al usuario root para que ejecute un comando sssctl especialmente diseñado, por ejemplo por medio de sudo, para conseguir acceso de root. • https://bugzilla.redhat.com/show_bug.cgi?id=1975142 https://lists.debian.org/debian-lts-announce/2023/05/msg00028.html https://sssd.io/release-notes/sssd-2.6.0.html https://access.redhat.com/security/cve/CVE-2021-3621 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •