
CVE-2023-0105 – keycloak: impersonation and lockout possible through incorrect handling of email trust
https://notcve.org/view.php?id=CVE-2023-0105
11 Jan 2023 — A flaw was found in Keycloak. This flaw allows impersonation and lockout because email trust is not handled correctly in Keycloak. An attacker can shadow other users who have the same email address and lock them out or impersonate them. • https://access.redhat.com/security/cve/CVE-2023-0105 • CWE-287: Improper Authentication; CWE-841: Improper Enforcement of Behavioral Workflow

CVE-2023-0091 – keycloak: Client Registration endpoint does not check token revocation
https://notcve.org/view.php?id=CVE-2023-0091
11 Jan 2023 — A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information. Red Hat Single Sign-On 7.6 is a ... • https://access.redhat.com/security/cve/CVE-2023-0091 • CWE-20: Improper Input Validation; CWE-863: Incorrect Authorization

CVE-2022-1278 – WildFly: possible information disclosure
https://notcve.org/view.php?id=CVE-2022-1278
13 Sep 2022 — A flaw was found in WildFly, where an attacker can see deployment names, endpoints, and any other data the trace payload may contain. AMQ Broker is a high-performance messaging im... • https://bugzilla.redhat.com/show_bug.cgi?id=2073401 • CWE-1188: Initialization of a Resource with an Insecure Default

CVE-2022-2764 – Undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations
https://notcve.org/view.php?id=CVE-2022-2764
01 Sep 2022 — A flaw was found in Undertow. Denial of service can be achieved because the Undertow server waits forever for the LAST_CHUNK in EJB invocations. This flaw allows an attacker to generate a valid HTTP request and send it to the server on an established connection after removing the LAST_CHUNK from... • https://bugzilla.redhat.com/show_bug.cgi?id=2117506 • CWE-400: Uncontrolled Resource Consumption

CVE-2022-0225 – keycloak: Stored XSS in groups dropdown
https://notcve.org/view.php?id=CVE-2022-0225
26 Aug 2022 — A flaw was found in Keycloak. This flaw allows a privileged attacker to use a malicious payload as the group name while creating a new group from the admin console, leading to a stored cross-site scripting (XSS) attack. Red Hat Singl... • https://bugzilla.redhat.com/show_bug.cgi?id=2040268 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2021-3754 – keycloak: user can register with a username equal to another user's email address
https://notcve.org/view.php?id=CVE-2021-3754
26 Aug 2022 — A flaw was found in Keycloak where an attacker is able to register with a username identical to the email address of any existing user. This may prevent that user from receiving the password recovery email if they forget their password. • https://github.com/7Ragnarok7/CVE-2021-3754 • CWE-20: Improper Input Validation

CVE-2022-2668 – keycloak: Uploading of SAML javascript protocol mapper scripts through the admin console
https://notcve.org/view.php?id=CVE-2022-2668
05 Aug 2022 — An issue was discovered in Keycloak that allows arbitrary JavaScript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled. Red Hat Sin... • https://access.redhat.com/security/cve/CVE-2022-2668 • CWE-440: Expected Behavior Violation

CVE-2022-1259 – undertow: potential security issue in flow control over HTTP/2 may lead to DoS (incomplete fix for CVE-2021-3629)
https://notcve.org/view.php?id=CVE-2022-1259
27 Jul 2022 — A flaw was found in Undertow. A potential security issue in the handling of browser-driven flow control over HTTP/2 may cause overhead or a denial of service in the server. This flaw exists because of an incomplete fix for CVE-2021-3629. • https://access.redhat.com/security/cve/CVE-2022-1259 • CWE-400: Uncontrolled Resource Consumption; CWE-770: Allocation of Resources Without Limits or Throttling

CVE-2022-2256 – Visualizer: Tables and Charts Manager for WordPress <= 3.7.9 - Authenticated (Contributor+) PHAR Deserialization
https://notcve.org/view.php?id=CVE-2022-2256
05 Jul 2022 — A stored cross-site scripting (XSS) vulnerability was found in Keycloak as shipped in Red Hat Single Sign-On 7. This flaw allows a privileged attacker to execute malicious scripts in the admin console by abusing the default roles functionality. • https://bugzilla.redhat.com/show_bug.cgi?id=2101942 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'); CWE-502: Deserialization of Untrusted Data

CVE-2022-1319 – undertow: Double AJP response for 400 from EAP 7 results in CPING failures
https://notcve.org/view.php?id=CVE-2022-1319
07 Jun 2022 — A flaw was found in Undertow. For an AJP 400 response, EAP 7 improperly sends two response packets, and those packets have the reuse flag set even though JBoss EAP closes the connection. A failure occurs when the connection is reused after a 400 by CPING, since it reads the second SEND_HEADERS response packet instead of a CPONG. • https://access.redhat.com/security/cve/CVE-2022-1319 • CWE-252: Unchecked Return Value