
CVSS: 6.5 | EPSS: 0% | CPEs: 2 | EXPL: 2

Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform. It was possible to add users to the master realm even though no corresponding permission had been granted. A flaw was found in Keycloak: Red Hat Single Sign-On allowed authenticated users to perform actions outside their permissions.

• https://bugzilla.redhat.com/show_bug.cgi?id=2050228 • https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-076.txt • https://www.syss.de/pentest-blog/fehlerhafte-autorisierung-bei-red-hat-single-sign-on-750ga-syss-2021-076 • https://access.redhat.com/security/cve/CVE-2022-1466
• CWE-863: Incorrect Authorization • CWE-1220: Insufficient Granularity of Access Control

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 3

A POST-based reflected cross-site scripting vulnerability has been identified in Keycloak. The clients-registrations endpoint allows execution of JavaScript code on the client side, which makes it vulnerable to a cross-site scripting attack.

• https://github.com/ndmalc/CVE-2021-20323 • https://github.com/Cappricio-Securities/CVE-2021-20323 • https://github.com/cscpwn0sec/CVE-2021-20323 • https://bugzilla.redhat.com/show_bug.cgi?id=2013577 • https://access.redhat.com/security/cve/CVE-2021-20323
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.8 | EPSS: 0% | CPEs: 8 | EXPL: 0

A flaw was found in Keycloak, where the default ECP binding flow allows other authentication flows to be bypassed. By exploiting this behavior, an attacker can bypass MFA authentication by sending a SOAP request containing an AuthnRequest together with an Authorization header carrying the user's credentials. The highest threat from this vulnerability is to confidentiality and integrity.

• https://access.redhat.com/security/cve/CVE-2021-3827 • https://bugzilla.redhat.com/show_bug.cgi?id=2007512 • https://github.com/keycloak/keycloak/commit/44000caaf5051d7f218d1ad79573bd3d175cad0d • https://github.com/keycloak/keycloak/security/advisories/GHSA-4pc7-vqv5-5r3v
• CWE-287: Improper Authentication

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

A flaw was found in Keycloak in versions from 12.0.0 and before 15.1.1 which allows an attacker with any existing user account to create new default user accounts via the administrative REST API, even when new user registration is disabled.

• https://bugzilla.redhat.com/show_bug.cgi?id=2033602 • https://github.com/keycloak/keycloak/issues/9247 • https://github.com/keycloak/keycloak/security/advisories/GHSA-83x4-9cwr-5487 • https://www.oracle.com/security-alerts/cpuapr2022.html • https://access.redhat.com/security/cve/CVE-2021-4133
• CWE-863: Incorrect Authorization

CVSS: 5.4 | EPSS: 0% | CPEs: 2 | EXPL: 0

A flaw was found in Keycloak affecting versions 11.0.3 and 12.0.0. An expired certificate would be accepted by the direct-grant authenticator because of missing timestamp validation. The highest threat from this vulnerability is to data confidentiality and integrity.

• https://access.redhat.com/security/cve/cve-2020-35509 • https://access.redhat.com/security/cve/CVE-2020-35509 • https://bugzilla.redhat.com/show_bug.cgi?id=1912427
• CWE-20: Improper Input Validation • CWE-295: Improper Certificate Validation