CVE-2024-9666 – org.keycloak/keycloak-quarkus-server: Keycloak proxy header handling denial-of-service (DoS) vulnerability
https://notcve.org/view.php?id=CVE-2024-9666
The Keycloak Server is vulnerable to a denial of service (DoS) attack due to improper handling of proxy headers. ... This issue can lead to costly DNS resolution operations, which an attacker could exploit to tie up IO threads and potentially cause a denial of service. The attacker must have access to send requests to a Keycloak instance that is configured to accept proxy headers, specifically when reverse proxies do not overwrite incoming headers, and Keycloak is configured to trust these headers.
• https://access.redhat.com/errata/RHSA-2024:10175
• https://access.redhat.com/errata/RHSA-2024:10176
• https://access.redhat.com/errata/RHSA-2024:10177
• https://access.redhat.com/errata/RHSA-2024:10178
• https://access.redhat.com/security/cve/CVE-2024-9666
• https://bugzilla.redhat.com/show_bug.cgi?id=2317440
• CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVE-2024-50672
https://notcve.org/view.php?id=CVE-2024-50672
A NoSQL injection vulnerability in Adapt Learning Adapt Authoring Tool <= 0.11.3 allows unauthenticated attackers to reset user and administrator account passwords via the "Reset password" feature. The vulnerability occurs due to insufficient validation of user input, which is used as a query in Mongoose's find() function. This makes it possible for attackers to perform a full takeover of the administrator account. Attackers can then use the newly gained administrative privileges to upload a custom plugin to perform remote code execution (RCE) on the server hosting the web application.
• https://github.com/adaptlearning/adapt_authoring
• https://github.com/dos-m0nk3y/CVE/tree/main/CVE-2024-50672
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-50671
https://notcve.org/view.php?id=CVE-2024-50671
Incorrect access control in Adapt Learning Adapt Authoring Tool <= 0.11.3 allows attackers with Authenticated User roles to obtain email addresses via the "Get users" feature. The vulnerability occurs due to a flaw in permission verification logic, where the wildcard character in permitted URLs grants unintended access to endpoints restricted to users with Super Admin roles. This makes it possible for attackers to disclose the email addresses of all users.
• https://github.com/adaptlearning/adapt_authoring
• https://github.com/dos-m0nk3y/CVE/tree/main/CVE-2024-50671
• CWE-863: Incorrect Authorization
CVE-2024-53901
https://notcve.org/view.php?id=CVE-2024-53901
The Imager package before 1.025 for Perl has a heap-based buffer overflow leading to denial of service, or possibly unspecified other impact, when the trim() method is called on a crafted input image.
• https://github.com/briandfoy/cpan-security-advisory/issues/167
• https://github.com/briandfoy/cpan-security-advisory/issues/171
• https://github.com/tonycoz/imager/issues/534
• https://metacpan.org/release/TONYC/Imager-1.025/changes
• CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CVE-2024-41761 – IBM Db2 denial of service
https://notcve.org/view.php?id=CVE-2024-41761
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5, 11.1, and 11.5 is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query.
• https://www.ibm.com/support/pages/node/7175947
• CWE-789: Memory Allocation with Excessive Size Value