CVSS: 3.3EPSS: 0%CPEs: 4EXPL: 0CVE-2020-10734
https://notcve.org/view.php?id=CVE-2020-10734
11 Feb 2021 — A vulnerability was found in keycloak in the way that the OIDC logout endpoint does not have CSRF protection. Versions shipped with Red Hat Fuse 7, Red Hat Single Sign-on 7, and Red Hat Openshift Application Runtimes are believed to be vulnerable. Se encontró una vulnerabilidad en keycloak en la forma en que el endpoint de cierre de sesión OIDC no tiene protección CSRF. Se cree que las versiones enviadas con Red Hat Fuse 7, Red Hat Single Sign-on 7 y Red Hat Openshift Application Runtimes son vulnerabl... • https://bugzilla.redhat.com/show_bug.cgi?id=1831662 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.0EPSS: 0%CPEs: 4EXPL: 0CVE-2020-1717
https://notcve.org/view.php?id=CVE-2020-1717
11 Feb 2021 — A flaw was found in Keycloak 7.0.1. A logged in user can do an account email enumeration attack. Se encontró un fallo en Keycloak versión 7.0.1. Un usuario que haya iniciado sesión puede llevar a cabo un ataque de enumeración de correo electrónico de la cuenta • https://bugzilla.redhat.com/show_bug.cgi?id=1796281 • CWE-209: Generation of Error Message Containing Sensitive Information •
CVSS: 4.0EPSS: 0%CPEs: 1EXPL: 0CVE-2020-14341
https://notcve.org/view.php?id=CVE-2020-14341
12 Jan 2021 — The "Test Connection" available in v7.x of the Red Hat Single Sign On application console can permit an authorized user to cause SMTP connections to be attempted to arbitrary hosts and ports of the user's choosing, and originating from the RHSSO installation. By observing differences in the timings of these scans, an attacker may glean information about hosts and ports which they do not have access to scan directly. La "Test Connection" disponible en la versión v7.x de la consola de la aplicación Red Hat Si... • https://bugzilla.redhat.com/show_bug.cgi?id=1860138 • CWE-385: Covert Timing Channel •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-10695 – containers/redhat-sso-7: /etc/passwd is given incorrect privileges
https://notcve.org/view.php?id=CVE-2020-10695
16 Dec 2020 — An insecure modification flaw in the /etc/passwd file was found in the redhat-sso-7 container. An attacker with access to the container can use this flaw to modify the /etc/passwd and escalate their privileges. Se encontró un fallo de modificación no segura del archivo /etc/passwd en el contenedor redhat-sso-7. Un atacante con acceso al contenedor puede usar este fallo para modificar el archivo /etc/passwd y escalar sus privilegios Red Hat Single Sign-On is an integrated sign-on solution, available as ... • https://bugzilla.redhat.com/show_bug.cgi?id=1817530 • CWE-266: Incorrect Privilege Assignment •
CVSS: 4.9EPSS: 0%CPEs: 4EXPL: 0CVE-2020-27826 – keycloak: Account REST API can update user metadata attributes
https://notcve.org/view.php?id=CVE-2020-27826
16 Dec 2020 — A flaw was found in Keycloak before version 12.0.0 where it is possible to update the user's metadata attributes using Account REST API. This flaw allows an attacker to change its own NameID attribute to impersonate the admin user for any particular application. Se encontró un fallo en Keycloak versiones anteriores a 12.0.0, donde es posible actualizar los atributos de metadatos del usuario usando la API REST de la cuenta. Este fallo permite a un atacante cambiar su propio atributo NameID para hacerse ... • https://bugzilla.redhat.com/show_bug.cgi?id=1905089 • CWE-250: Execution with Unnecessary Privileges •
CVSS: 6.8EPSS: 0%CPEs: 12EXPL: 1CVE-2020-25689 – wildfly-core: memory leak in WildFly host-controller in domain mode while not able to reconnect to domain-controller
https://notcve.org/view.php?id=CVE-2020-25689
30 Oct 2020 — A memory leak flaw was found in WildFly in all versions up to 21.0.0.Final, where host-controller tries to reconnect in a loop, generating new connections which are not properly closed while not able to connect to domain-controller. This flaw allows an attacker to cause an Out of memory (OOM) issue, leading to a denial of service. The highest threat from this vulnerability is to system availability. Se encontró una fallo de filtrado de memoria en WildFly en todas las versiones hasta 21.0.0.Final, donde el c... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25689 • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2020-14299 – picketbox: JBoss EAP reload to admin-only mode allows authentication bypass
https://notcve.org/view.php?id=CVE-2020-14299
13 Oct 2020 — A flaw was found in JBoss EAP, where the authentication configuration is set-up using a legacy SecurityRealm, to delegate to a legacy PicketBox SecurityDomain, and then reloaded to admin-only mode. This flaw allows an attacker to perform a complete authentication bypass by using an arbitrary user and password. The highest threat to vulnerability is to system availability. Se encontró un fallo en JBoss EAP, donde la configuración de autenticación se configura usando un SecurityRealm heredado, para delegarlo ... • https://bugzilla.redhat.com/show_bug.cgi?id=1848533 • CWE-287: Improper Authentication •
CVSS: 7.5EPSS: 0%CPEs: 10EXPL: 0CVE-2020-25644 – wildfly-openssl: memory leak per HTTP session creation in WildFly OpenSSL
https://notcve.org/view.php?id=CVE-2020-25644
06 Oct 2020 — A memory leak flaw was found in WildFly OpenSSL in versions prior to 1.1.3.Final, where it removes an HTTP session. It may allow the attacker to cause OOM leading to a denial of service. The highest threat from this vulnerability is to system availability. Se encontró un fallo de pérdida de memoria en WildFly OpenSSL en versiones anteriores a 1.1.3.Final, donde se elimina una sesión HTTP. Puede permitir a un atacante causar OOM conllevando a una denegación de servicio. • https://bugzilla.redhat.com/show_bug.cgi?id=1885485 • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2020-10758 – keycloak: DoS by sending multiple simultaneous requests with a Content-Length header value greater than actual byte count of request body
https://notcve.org/view.php?id=CVE-2020-10758
19 Aug 2020 — A vulnerability was found in Keycloak before 11.0.1 where DoS attack is possible by sending twenty requests simultaneously to the specified keycloak server, all with a Content-Length header value that exceeds the actual byte count of the request body. Se encontró una vulnerabilidad en Keycloak versiones anteriores a 11.0.1, donde el ataque de DoS es posible mediante el envío de veinte peticiones simultáneamente hacia el servidor de keycloak especificado, todas con un valor de encabezado Content-Length que e... • https://bugzilla.redhat.com/show_bug.cgi?id=1843849 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 6.5EPSS: 0%CPEs: 6EXPL: 0CVE-2020-14297 – wildfly: Some EJB transaction objects may get accumulated causing Denial of Service
https://notcve.org/view.php?id=CVE-2020-14297
24 Jul 2020 — A flaw was discovered in Wildfly's EJB Client as shipped with Red Hat JBoss EAP 7, where some specific EJB transaction objects may get accumulated over the time and can cause services to slow down and eventaully unavailable. An attacker can take advantage and cause denial of service attack and make services unavailable. Se detectó un fallo en Wildfly's EJB Client que se incluyó con Red Hat JBoss EAP 7, donde algunos objetos de transacción EJB específicos pueden ser acumulados con el tiempo y pueden causar q... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14297 • CWE-400: Uncontrolled Resource Consumption •