CVSS: 7.8EPSS: 80%CPEs: 444EXPL: 14CVE-2023-44487 – HTTP/2 Rapid Reset Attack Vulnerability
https://notcve.org/view.php?id=CVE-2023-44487
10 Oct 2023 — The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. El protocolo HTTP/2 permite una denegación de servicio (consumo de recursos del servidor) porque la cancelación de solicitudes puede restablecer muchas transmisiones rápidamente, como se explotó en la naturaleza entre agosto y octubre de 2023. A flaw was found in handling multiplexed streams in the HTTP/2 protocol. ... • https://github.com/imabee101/CVE-2023-44487 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 8.1EPSS: 0%CPEs: 18EXPL: 1CVE-2023-4853 – Quarkus: http security policy bypass
https://notcve.org/view.php?id=CVE-2023-4853
15 Sep 2023 — A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service. Se encontró una falla en Quarkus donde las políticas de seguridad HTTP no sanitiza correctamente ciertas permutaciones de caracteres al aceptar solicitudes, lo que res... • https://access.redhat.com/errata/RHSA-2023:5170 • CWE-148: Improper Neutralization of Input Leaders CWE-863: Incorrect Authorization •
CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-2974 – Quarkus-core: tls protocol configured with quarkus.http.ssl.protocols is not enforced, client can enforce weaker supported tls protocol
https://notcve.org/view.php?id=CVE-2023-2974
30 Jun 2023 — A vulnerability was found in quarkus-core. This vulnerability occurs because the TLS protocol configured with quarkus.http.ssl.protocols is not enforced, and the client can force the selection of the weaker supported TLS protocol. • https://access.redhat.com/errata/RHSA-2023:3809 • CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') •
CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 0CVE-2023-1664 – keycloak: Untrusted Certificate Validation
https://notcve.org/view.php?id=CVE-2023-1664
26 May 2023 — A flaw was found in Keycloak. This flaw depends on a non-default configuration "Revalidate Client Certificate" to be enabled and the reverse proxy is not validating the certificate before Keycloak. Using this method an attacker may choose the certificate which will be validated by the server. If this happens and the KC_SPI_TRUSTSTORE_FILE_FILE variable is missing/misconfigured, any trustfile may be accepted with the logging information of "Cannot validate client certificate trust: Truststore not available".... • https://bugzilla.redhat.com/show_bug.cgi?id=2182196&comment#0 • CWE-295: Improper Certificate Validation •
CVSS: 7.8EPSS: 0%CPEs: 29EXPL: 0CVE-2023-1108 – Undertow: infinite loop in sslconduit during close
https://notcve.org/view.php?id=CVE-2023-1108
10 Mar 2023 — A flaw was found in undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status updated in SslConduit, where the loop never terminates. Se encontró una falla en undertow. Este problema hace posible lograr una denegación de servicio debido a un estado de protocolo de enlace inesperado actualizado en SslConduit, donde el bucle nunca termina • https://access.redhat.com/errata/RHSA-2023:1184 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 3.7EPSS: 0%CPEs: 9EXPL: 0CVE-2022-41862 – postgresql: Client memory disclosure when connecting with Kerberos to modified server
https://notcve.org/view.php?id=CVE-2022-41862
02 Mar 2023 — In PostgreSQL, a modified, unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption. In certain conditions a server can cause a libpq client to over-read and report an error message containing uninitialized bytes. A flaw was found In PostgreSQL. A modified, unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption. In certain conditions, a server can cause a libpq client to over-read and report an ... • https://bugzilla.redhat.com/show_bug.cgi?id=2165722 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.8EPSS: 0%CPEs: 10EXPL: 0CVE-2022-4492 – undertow: Server identity in https connection is not checked by the undertow client
https://notcve.org/view.php?id=CVE-2022-4492
23 Feb 2023 — The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS client protocol. A flaw was found in undertow. The undertow client is not checking the server identity the server certificate presents in HTTPS connections. • https://access.redhat.com/security/cve/CVE-2022-4492 • CWE-550: Server-generated Error Message Containing Sensitive Information •
CVSS: 6.4EPSS: 0%CPEs: 2EXPL: 0CVE-2023-0044 – quarkus-vertx-http: a cross-site attack may be initiated which might lead to the Information Disclosure
https://notcve.org/view.php?id=CVE-2023-0044
15 Feb 2023 — If the Quarkus Form Authentication session cookie Path attribute is set to `/` then a cross-site attack may be initiated which might lead to the Information Disclosure. This attack can be prevented with the Quarkus CSRF Prevention feature. A flaw was found in Quarkus. If the Quarkus Form Authentication session cookie Path attribute is set to `/`, then a cross-site attack may be initiated, which might lead to information disclosure. • https://access.redhat.com/security/cve/CVE-2023-0044 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 3EXPL: 0CVE-2022-4116 – quarkus_dev_ui: Dev UI Config Editor is vulnerable to drive-by localhost attacks leading to RCE
https://notcve.org/view.php?id=CVE-2022-4116
22 Nov 2022 — A vulnerability was found in quarkus. This security flaw happens in Dev UI Config Editor which is vulnerable to drive-by localhost attacks leading to remote code execution. Se encontró una vulnerabilidad en los quarkus. Esta falla de seguridad ocurre en Dev UI Config Editor, que es vulnerable a ataques de host local que conducen a la ejecución remota de código. A vulnerability was found in quarkus. • https://access.redhat.com/security/cve/CVE-2022-4116 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.8EPSS: 0%CPEs: 14EXPL: 0CVE-2022-1259 – undertow: potential security issue in flow control over HTTP/2 may lead to DOS(incomplete fix for CVE-2021-3629)
https://notcve.org/view.php?id=CVE-2022-1259
31 Aug 2022 — A flaw was found in Undertow. A potential security issue in flow control handling by the browser over HTTP/2 may cause overhead or a denial of service in the server. This flaw exists because of an incomplete fix for CVE-2021-3629. Se ha encontrado un fallo en Undertow. Un posible problema de seguridad en la administración del control de flujo por parte del navegador sobre HTTP/2 puede causar una sobrecarga o una denegación de servicio en el servidor. • https://access.redhat.com/security/cve/CVE-2022-1259 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •