CVSS: 7.8EPSS: 0%CPEs: 15EXPL: 0CVE-2024-6162 – Undertow: url-encoded request path information can be broken on ajp-listener
https://notcve.org/view.php?id=CVE-2024-6162
20 Jun 2024 — A vulnerability was found in Undertow. URL-encoded request path information can be broken for concurrent requests on ajp-listener, causing the wrong path to be processed and resulting in a possible denial of service. A vulnerability was found in Undertow, where URL-encoded request paths can be mishandled during concurrent requests on the AJP listener. This issue arises because the same buffer is used to decode the paths for multiple requests simultaneously, leading to incorrect path information being proces... • https://access.redhat.com/security/cve/CVE-2024-6162 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 4.1EPSS: 0%CPEs: 11EXPL: 0CVE-2024-4029 – Wildfly: no timeout for eap management interface may lead to denial of service (dos)
https://notcve.org/view.php?id=CVE-2024-4029
02 May 2024 — A vulnerability was found in Wildfly’s management interface. Due to the lack of limitation of sockets for the management interface, it may be possible to cause a denial of service hitting the nofile limit as there is no possibility to configure or set a maximum number of connections. Se encontró una vulnerabilidad en la interfaz de administración de Wildfly. Debido a la falta de limitación de sockets para la interfaz de administración, es posible que se produzca una denegación de servicio que alcance el lím... • https://access.redhat.com/security/cve/CVE-2024-4029 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 6.8EPSS: 0%CPEs: 9EXPL: 0CVE-2024-1102 – Jberet: jberet-core logging database credentials
https://notcve.org/view.php?id=CVE-2024-1102
25 Apr 2024 — A vulnerability was found in jberet-core logging. An exception in 'dbProperties' might display user credentials such as the username and password for the database-connection. Se encontró una vulnerabilidad en jberet-core logging. Una excepción en 'dbProperties' podría mostrar credenciales de usuario, como el nombre de usuario y la contraseña para la conexión a la base de datos. • https://access.redhat.com/errata/RHSA-2024:3580 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-523: Unprotected Transport of Credentials •
CVSS: 6.4EPSS: 0%CPEs: 23EXPL: 0CVE-2023-6717 – Keycloak: xss via assertion consumer service url in saml post-binding flow
https://notcve.org/view.php?id=CVE-2023-6717
25 Apr 2024 — A flaw was found in the SAML client registration in Keycloak that could allow an administrator to register malicious JavaScript URIs as Assertion Consumer Service POST Binding URLs (ACS), posing a Cross-Site Scripting (XSS) risk. This issue may allow a malicious admin in one realm or a client with registration access to target users in different realms or applications, executing arbitrary JavaScript in their contexts upon form submission. This can enable unauthorized access and harmful actions, compromising... • https://access.redhat.com/errata/RHSA-2024:1867 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 22EXPL: 0CVE-2024-1249 – Keycloak: org.keycloak.protocol.oidc: unvalidated cross-origin messages in checkloginiframe leads to ddos
https://notcve.org/view.php?id=CVE-2024-1249
17 Apr 2024 — A flaw was found in Keycloak's OIDC component in the "checkLoginIframe," which allows unvalidated cross-origin messages. This flaw allows attackers to coordinate and send millions of requests in seconds using simple code, significantly impacting the application's availability without proper origin validation for incoming messages. Se encontró una falla en el componente OIDC de Keycloak en "checkLoginIframe", que permite mensajes de origen cruzado no validados. Esta falla permite a los atacantes coordinar y ... • https://access.redhat.com/errata/RHSA-2024:1860 • CWE-346: Origin Validation Error •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2023-6236 – Eap: oidc app attempting to access the second tenant, the user should be prompted to log
https://notcve.org/view.php?id=CVE-2023-6236
10 Apr 2024 — A flaw was found in Red Hat Enterprise Application Platform 8. When an OIDC app that serves multiple tenants attempts to access the second tenant, it should prompt the user to log in again since the second tenant is secured with a different OIDC configuration. The underlying issue is in OidcSessionTokenStore when determining if a cached token should be used or not. This logic needs to be updated to take into account the new "provider-url" option in addition to the "realm" option. EAP-7 does not provide the ... • https://access.redhat.com/errata/RHSA-2024:3580 • CWE-345: Insufficient Verification of Data Authenticity •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-1233 – Eap: wildfly-elytron has a ssrf security issue
https://notcve.org/view.php?id=CVE-2024-1233
09 Apr 2024 — A flaw was found in` JwtValidator.resolvePublicKey` in JBoss EAP, where the validator checks jku and sends a HTTP request. During this process, no whitelisting or other filtering behavior is performed on the destination URL address, which may result in a server-side request forgery (SSRF) vulnerability. Se encontró una falla en `JwtValidator.resolvePublicKey` en JBoss EAP, donde el validador verifica jku y envía una solicitud HTTP. Durante este proceso, no se realiza ninguna lista blanca ni ningún otro comp... • https://access.redhat.com/errata/RHSA-2024:3559 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 5.5EPSS: 0%CPEs: 31EXPL: 0CVE-2024-1300 – Io.vertx:vertx-core: memory leak when a tcp server is configured with tls and sni support
https://notcve.org/view.php?id=CVE-2024-1300
02 Apr 2024 — A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the SSL context is erroneously cached in the server name map, leading to memory exhaustion. This flaw allows attackers to send TLS client hello messages with fake server names, triggering a JVM out-of-memory error. Una vulnerabilidad en Eclipse Vert.x toolkit provoca una pérdida de m... • https://access.redhat.com/errata/RHSA-2024:1662 • CWE-400: Uncontrolled Resource Consumption CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 6.8EPSS: 0%CPEs: 31EXPL: 0CVE-2024-1023 – Io.vertx/vertx-core: memory leak due to the use of netty fastthreadlocal data structures in vertx
https://notcve.org/view.php?id=CVE-2024-1023
27 Mar 2024 — A vulnerability in the Eclipse Vert.x toolkit results in a memory leak due to using Netty FastThreadLocal data structures. Specifically, when the Vert.x HTTP client establishes connections to different hosts, triggering the memory leak. The leak can be accelerated with intimate runtime knowledge, allowing an attacker to exploit this vulnerability. For instance, a server accepting arbitrary internet addresses could serve as an attack vector by connecting to these addresses, thereby accelerating the memory le... • https://access.redhat.com/errata/RHSA-2024:1662 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 7.8EPSS: 0%CPEs: 18EXPL: 0CVE-2023-5685 – Xnio: stackoverflowexception when the chain of notifier states becomes problematically big
https://notcve.org/view.php?id=CVE-2023-5685
22 Mar 2024 — A flaw was found in XNIO. The XNIO NotifierState that can cause a Stack Overflow Exception when the chain of notifier states becomes problematically large can lead to uncontrolled resource management and a possible denial of service (DoS). Se encontró una falla en XNIO. El XNIO NotifierState que puede provocar una excepción de desbordamiento de pila cuando la cadena de estados de notificador se vuelve problemáticamente grande puede provocar una gestión descontrolada de recursos y una posible denegación de s... • https://access.redhat.com/errata/RHSA-2023:7637 • CWE-400: Uncontrolled Resource Consumption •