CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2022-0084 – xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr
https://notcve.org/view.php?id=CVE-2022-0084
12 May 2022 — A flaw was found in XNIO, specifically in the notifyReadClosed method. The issue revealed this method was logging a message to another expected end. This flaw allows an attacker to send flawed requests to a server, possibly causing log contention-related performance concerns or an unwanted disk fill-up. Se ha encontrado un fallo en XNIO, concretamente en el método notifyReadClosed. El problema reveló que este método estaba registrando un mensaje a otro extremo esperado. • https://access.redhat.com/security/cve/CVE-2022-0084 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 1CVE-2022-0853 – jboss-client: memory leakage in remote client transaction
https://notcve.org/view.php?id=CVE-2022-0853
11 Mar 2022 — A flaw was found in JBoss-client. The vulnerability occurs due to a memory leak on the JBoss client-side, when using UserTransaction repeatedly and leads to information leakage vulnerability. Se ha encontrado un fallo en JBoss-client. La vulnerabilidad es producida debido a una pérdida de memoria en el lado del cliente de JBoss, cuando es usado UserTransaction repetidamente y conlleva a una vulnerabilidad de filtrado de información A flaw was found in the jboss-client. A memory leak on the JBoss client-side... • https://github.com/ByteHackr/CVE-2022-0853 • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 6.8EPSS: 0%CPEs: 8EXPL: 0CVE-2021-3827 – keycloak-server-spi-private: ECP SAML binding bypasses authentication flows
https://notcve.org/view.php?id=CVE-2021-3827
18 Jan 2022 — A flaw was found in keycloak, where the default ECP binding flow allows other authentication flows to be bypassed. By exploiting this behavior, an attacker can bypass the MFA authentication by sending a SOAP request with an AuthnRequest and Authorization header with the user's credentials. The highest threat from this vulnerability is to confidentiality and integrity. Se ha encontrado un fallo en keycloak, en el que el flujo de vinculación ECP por defecto permite omitir otros flujos de autenticación. Al exp... • https://access.redhat.com/security/cve/CVE-2021-3827 • CWE-287: Improper Authentication •
CVSS: 7.5EPSS: 76%CPEs: 72EXPL: 1CVE-2021-4104 – Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2
https://notcve.org/view.php?id=CVE-2021-4104
14 Dec 2021 — JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in Au... • https://github.com/cckuailong/log4shell_1.x • CWE-20: Improper Input Validation CWE-502: Deserialization of Untrusted Data •
CVSS: 7.6EPSS: 0%CPEs: 6EXPL: 0CVE-2021-3632 – keycloak: Anyone can register a new device when there is no device registered for passwordless login
https://notcve.org/view.php?id=CVE-2021-3632
14 Sep 2021 — A flaw was found in Keycloak. This vulnerability allows anyone to register a new security device or key when there is not a device already registered for any user by using the WebAuthn password-less login flow. Se ha encontrado un fallo en Keycloak. Esta vulnerabilidad permite a cualquiera registrar un nuevo dispositivo de seguridad o llave cuando no se presenta un dispositivo ya registrado para ningún usuario, al usar el flujo de inicio de sesión sin contraseña de WebAuthn. Red Hat Single Sign-On 7.4 is a ... • https://access.redhat.com/security/cve/CVE-2021-3632 • CWE-287: Improper Authentication •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-3637 – keycloak-model-infinispan: authenticationSessions map in RootAuthenticationSessionEntity grows boundlessly could lead to a DoS attack
https://notcve.org/view.php?id=CVE-2021-3637
09 Jul 2021 — A flaw was found in keycloak-model-infinispan in keycloak versions before 14.0.0 where authenticationSessions map in RootAuthenticationSessionEntity grows boundlessly which could lead to a DoS attack. Se ha encontrado un fallo en keycloak-model-infinispan en keycloak versiones anteriores a 14.0.0, donde el mapa authenticationSessions en RootAuthenticationSessionEntity crece ilimitadamente, lo que podría conllevar a un ataque de DoS A flaw was found in keycloak-model-infinispan where the authenticationSessio... • https://bugzilla.redhat.com/show_bug.cgi?id=1979638 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2021-3461 – keycloak: Backchannel logout not working when Principal Type is set to Attribute Name for external SAML IDP
https://notcve.org/view.php?id=CVE-2021-3461
20 May 2021 — A flaw was found in keycloak where keycloak may fail to logout user session if the logout request comes from external SAML identity provider and Principal Type is set to Attribute [Name]. Se ha encontrado un fallo en keycloak por el que keycloak puede fallar al cerrar la sesión del usuario si la petición de cierre de sesión proviene de un proveedor de identidad SAML externo y el tipo de principal está configurado como atributo [nombre] Red Hat Single Sign-On 7.4 is a standalone server, based on the Keycloak... • https://bugzilla.redhat.com/show_bug.cgi?id=1941565 • CWE-613: Insufficient Session Expiration •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2021-20262
https://notcve.org/view.php?id=CVE-2021-20262
09 Mar 2021 — A flaw was found in Keycloak 12.0.0 where re-authentication does not occur while updating the password. This flaw allows an attacker to take over an account if they can obtain temporary, physical access to a user’s browser. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. Se encontró un fallo en Keycloak versión 12.0.0, donde no ocurre la re-autenticación mientras se actualiza la contraseña. Este fallo permite a un atacante apoderarse de una c... • https://bugzilla.redhat.com/show_bug.cgi?id=1933639 • CWE-306: Missing Authentication for Critical Function •
CVSS: 6.5EPSS: 89%CPEs: 2EXPL: 1CVE-2020-27838
https://notcve.org/view.php?id=CVE-2020-27838
08 Mar 2021 — A flaw was found in keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients (like client secret) without authentication which could be an issue if the same PUBLIC client changed to CONFIDENTIAL later. The highest threat from this vulnerability is to data confidentiality. Se encontró un fallo en keycloak en versiones anteriores a 13.0.0. El endpoint de registro de clientes permite obtener información sobre clientes PÚBLICOS (como el secreto... • https://github.com/Cappricio-Securities/CVE-2020-27838 • CWE-287: Improper Authentication •
CVSS: 3.3EPSS: 0%CPEs: 4EXPL: 0CVE-2020-10734
https://notcve.org/view.php?id=CVE-2020-10734
11 Feb 2021 — A vulnerability was found in keycloak in the way that the OIDC logout endpoint does not have CSRF protection. Versions shipped with Red Hat Fuse 7, Red Hat Single Sign-on 7, and Red Hat Openshift Application Runtimes are believed to be vulnerable. Se encontró una vulnerabilidad en keycloak en la forma en que el endpoint de cierre de sesión OIDC no tiene protección CSRF. Se cree que las versiones enviadas con Red Hat Fuse 7, Red Hat Single Sign-on 7 y Red Hat Openshift Application Runtimes son vulnerabl... • https://bugzilla.redhat.com/show_bug.cgi?id=1831662 • CWE-352: Cross-Site Request Forgery (CSRF) •