CVSS: 8.1EPSS: 0%CPEs: 7EXPL: 0CVE-2018-14657 – keycloak: brute force protection not working for the entire login workflow
https://notcve.org/view.php?id=CVE-2018-14657
A flaw was found in Keycloak 4.2.1.Final, 4.3.0.Final. When TOPT enabled, an improper implementation of the Brute Force detection algorithm will not enforce its protection measures. Se ha descubierto un error en Keycloak 4.2.1.Final y 4.3.0.Final. Cuando TOPT está habilitado, la implementación incorrecta del algoritmo de detección de fuerza bruta no aplica sus medidas de protección. • https://access.redhat.com/errata/RHSA-2018:3592 https://access.redhat.com/errata/RHSA-2018:3593 https://access.redhat.com/errata/RHSA-2018:3595 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14657 https://access.redhat.com/security/cve/CVE-2018-14657 https://bugzilla.redhat.com/show_bug.cgi?id=1625404 • CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVSS: 5.4EPSS: 0%CPEs: 8EXPL: 0CVE-2018-14655 – keycloak: XSS-Vulnerability with response_mode=form_post
https://notcve.org/view.php?id=CVE-2018-14655
A flaw was found in Keycloak 3.4.3.Final, 4.0.0.Beta2, 4.3.0.Final. When using 'response_mode=form_post' it is possible to inject arbitrary Javascript-Code via the 'state'-parameter in the authentication URL. This allows an XSS-Attack upon succesfully login. Se ha descubierto un error en Keycloak 3.4.3.Final, 4.0.0.Beta2 y 4.3.0.Final. Al emplear "response_mode=form_post", es posible inyectar código JavaScript arbitrario mediante el parámetro "state" en la URL de autenticación. • https://access.redhat.com/errata/RHSA-2018:3592 https://access.redhat.com/errata/RHSA-2018:3593 https://access.redhat.com/errata/RHSA-2018:3595 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14655 https://access.redhat.com/security/cve/CVE-2018-14655 https://bugzilla.redhat.com/show_bug.cgi?id=1625396 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.9EPSS: 0%CPEs: 4EXPL: 0CVE-2018-7110
https://notcve.org/view.php?id=CVE-2018-7110
A remote unauthorized disclosure of information vulnerability was identified in HPE Service Governance Framework (SGF) version 4.2, 4.3. A race condition under high load in SGF exists where SGF transferred different parameter to the enabler. Se ha identificado una vulnerabilidad de divulgación de información remota no autorizada en HPE Service Governance Framework (SGF) en versiones 4.2 y 4.3. Existe una condición de carrera bajo una gran carga en SGF cuando éste transmitió un parámetro diferente al enabler. • https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03890en_us • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 7.5EPSS: 0%CPEs: 15EXPL: 1CVE-2018-17962 – QEMU: pcnet: integer overflow leads to buffer overflow
https://notcve.org/view.php?id=CVE-2018-17962
Qemu has a Buffer Overflow in pcnet_receive in hw/net/pcnet.c because an incorrect integer data type is used. Qemu tiene un desbordamiento de búfer en pcnet_receive en hw/net/pcnet.c debido a que se emplea un tipo de datos de enteros incorrecto. An integer overflow issue was found in the AMD PC-Net II NIC emulation in QEMU. It could occur while receiving packets, if the size value was greater than INT_MAX. Such overflow would lead to stack buffer overflow issue. • http://www.openwall.com/lists/oss-security/2018/10/08/1 https://access.redhat.com/errata/RHSA-2019:2892 https://access.redhat.com/security/cve/cve-2018-17962 https://linux.oracle.com/cve/CVE-2018-17962.html https://lists.debian.org/debian-lts-announce/2018/11/msg00038.html https://lists.gnu.org/archive/html/qemu-devel/2018-09/msg03268.html https://usn.ubuntu.com/3826-1 https://www.debian.org/security/2018/dsa-4338 https://www.suse.com/security/cve/CVE-2 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-121: Stack-based Buffer Overflow CWE-190: Integer Overflow or Wraparound •
CVSS: 7.5EPSS: 2%CPEs: 6EXPL: 1CVE-2018-1041 – JBoss Remoting 6.14.18 - Denial of Service
https://notcve.org/view.php?id=CVE-2018-1041
A vulnerability was found in the way RemoteMessageChannel, introduced in jboss-remoting versions 3.3.10, reads from an empty buffer. An attacker could use this flaw to cause denial of service via high CPU caused by an infinite loop. Se ha encontrado una vulnerabilidad en la forma en la que RemoteMessageChannel, introducido en las versiones 3.3.10 de jboss-remoting, lee desde un búfer vacío. Un atacante podría emplear este error para provocar una denegación de servicio (DoS) mediante un consumo alto de CPU a través de un bucle infinito. A vulnerability was found in the way RemoteMessageChannel, introduced in jboss-remoting versions 3.3.10.Final-redhat-1, reads from an empty buffer. • https://www.exploit-db.com/exploits/44099 http://www.securitytracker.com/id/1040323 https://access.redhat.com/errata/RHSA-2018:0268 https://access.redhat.com/errata/RHSA-2018:0269 https://access.redhat.com/errata/RHSA-2018:0270 https://access.redhat.com/errata/RHSA-2018:0271 https://access.redhat.com/errata/RHSA-2018:0275 https://bugzilla.redhat.com/show_bug.cgi?id=1530457 https://access.redhat.com/security/cve/CVE-2018-1041 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •