
CVE-2024-4029 – Wildfly: no timeout for eap management interface may lead to denial of service (dos)
https://notcve.org/view.php?id=CVE-2024-4029
02 May 2024 — A vulnerability was found in Wildfly's management interface. Due to the lack of limitation of sockets for the management interface, it may be possible to cause a denial of service hitting the nofile limit, as there is no possibility to configure or set a maximum number of connections. • https://access.redhat.com/security/cve/CVE-2024-4029 • CWE-770: Allocation of Resources Without Limits or Throttling

CVE-2024-1102 – Jberet: jberet-core logging database credentials
https://notcve.org/view.php?id=CVE-2024-1102
25 Apr 2024 — A vulnerability was found in jberet-core logging. An exception in 'dbProperties' might display user credentials such as the username and password for the database connection. • https://access.redhat.com/errata/RHSA-2024:3580 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor; CWE-523: Unprotected Transport of Credentials

CVE-2023-6787 – Keycloak: session hijacking via re-authentication
https://notcve.org/view.php?id=CVE-2023-6787
25 Apr 2024 — A flaw was found in Keycloak that occurs from an error in the re-authentication mechanism within org.keycloak.authentication. This flaw allows hijacking an active Keycloak session by triggering a new authentication process with the query parameter "prompt=login", prompting the user to re-enter their credentials. If the user cancels this re-authentication by selecting "Restart login", an account takeover may occur, as the new session, with a different SUB, will possess the same SID as the previous session. • https://access.redhat.com/errata/RHSA-2024:1867 • CWE-287: Improper Authentication

CVE-2023-6717 – Keycloak: xss via assertion consumer service url in saml post-binding flow
https://notcve.org/view.php?id=CVE-2023-6717
25 Apr 2024 — A flaw was found in the SAML client registration in Keycloak that could allow an administrator to register malicious JavaScript URIs as Assertion Consumer Service POST Binding URLs (ACS), posing a Cross-Site Scripting (XSS) risk. This issue may allow a malicious admin in one realm or a client with registration access to target users in different realms or applications, executing arbitrary JavaScript in their contexts upon form submission. This can enable unauthorized access and harmful actions, compromising... • https://access.redhat.com/errata/RHSA-2024:1867 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-6544 – Keycloak: authorization bypass
https://notcve.org/view.php?id=CVE-2023-6544
25 Apr 2024 — A flaw was found in the Keycloak package. This issue occurs due to a permissive regular expression hardcoded for filtering which allows hosts to register a dynamic client. A malicious user with enough information about the environment could jeopardize an environment with this specific Dynamic Client Registration and TrustedDomain configuration previously unauthorized. • https://access.redhat.com/errata/RHSA-2024:1860 • CWE-625: Permissive Regular Expression

CVE-2023-3597 – Keycloak: secondary factor bypass in step-up authentication
https://notcve.org/view.php?id=CVE-2023-3597
25 Apr 2024 — A flaw was found in Keycloak, where it does not correctly validate its client step-up authentication in org.keycloak.authentication. This flaw allows a remote user authenticated with a password to register a false second authentication factor along with an existing one and bypass authentication. • https://access.redhat.com/errata/RHSA-2024:1867 • CWE-287: Improper Authentication

CVE-2024-2419 – Keycloak: path traversal in the redirect validation
https://notcve.org/view.php?id=CVE-2024-2419
17 Apr 2024 — A flaw was found in Keycloak's redirect_uri validation logic. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to the theft of an access token, making it possible for the attacker to impersonate other users. It is very similar to CVE-2023-6291. • https://access.redhat.com/errata/RHSA-2024:1867 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

CVE-2024-1249 – Keycloak: org.keycloak.protocol.oidc: unvalidated cross-origin messages in checkloginiframe leads to ddos
https://notcve.org/view.php?id=CVE-2024-1249
17 Apr 2024 — A flaw was found in Keycloak's OIDC component in the "checkLoginIframe", which allows unvalidated cross-origin messages. This flaw allows attackers to coordinate and send millions of requests in seconds using simple code, significantly impacting the application's availability without proper origin validation for incoming messages. • https://access.redhat.com/errata/RHSA-2024:1860 • CWE-346: Origin Validation Error

CVE-2024-1132 – Keycloak: path traversal in redirection validation
https://notcve.org/view.php?id=CVE-2024-1132
17 Apr 2024 — A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to construct a malicious request to bypass validation and access other URLs and sensitive information within the domain or conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field, and requires user interaction within the malicious URL. • https://access.redhat.com/errata/RHSA-2024:1860 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2023-0657 – Keycloak: impersonation via logout token exchange
https://notcve.org/view.php?id=CVE-2023-0657
17 Apr 2024 — A flaw was found in Keycloak. This issue occurs due to improperly enforcing token types when validating signatures locally. This could allow an authenticated attacker to exchange a logout token for an access token and possibly gain access to data outside of enforced permissions. A bug update is now available for Red Hat build of Keycloak 22.0.10 images running on OpenShift Container Platform. This is an enhancement and security update with Moderate impact rating. • https://access.redhat.com/errata/RHSA-2024:1867 • CWE-273: Improper Check for Dropped Privileges