CVSS: 5.3EPSS: 1%CPEs: 4EXPL: 0CVE-2023-6484 – Keycloak: log injection during webauthn authentication or registration
https://notcve.org/view.php?id=CVE-2023-6484
17 Apr 2024 — A log injection flaw was found in Keycloak. A text string may be injected through the authentication form when using the WebAuthn authentication mode. This issue may have a minor impact to the logs integrity. Se encontró una falla de inyección de registros en Keycloak. Se puede inyectar una cadena de texto a través del formulario de autenticación cuando se utiliza el modo de autenticación WebAuthn. • https://access.redhat.com/errata/RHSA-2024:0798 • CWE-117: Improper Output Neutralization for Logs •
CVSS: 7.0EPSS: 0%CPEs: 11EXPL: 0CVE-2024-2700 – Quarkus-core: leak of local configuration properties into quarkus applications
https://notcve.org/view.php?id=CVE-2024-2700
04 Apr 2024 — A vulnerability was found in the quarkus-core component. Quarkus captures local environment variables from the Quarkus namespace during the application's build, therefore, running the resulting application inherits the values captured at build time. Some local environment variables may have been set by the developer or CI environment for testing purposes, such as dropping the database during application startup or trusting all TLS certificates to accept self-signed certificates. If these properties are conf... • https://access.redhat.com/errata/RHSA-2024:2106 • CWE-526: Cleartext Storage of Sensitive Information in an Environment Variable •
CVSS: 5.5EPSS: 1%CPEs: 31EXPL: 0CVE-2024-1300 – Io.vertx:vertx-core: memory leak when a tcp server is configured with tls and sni support
https://notcve.org/view.php?id=CVE-2024-1300
02 Apr 2024 — A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the SSL context is erroneously cached in the server name map, leading to memory exhaustion. This flaw allows attackers to send TLS client hello messages with fake server names, triggering a JVM out-of-memory error. Una vulnerabilidad en Eclipse Vert.x toolkit provoca una pérdida de m... • https://access.redhat.com/errata/RHSA-2024:1662 • CWE-400: Uncontrolled Resource Consumption CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 6.8EPSS: 3%CPEs: 31EXPL: 0CVE-2024-1023 – Io.vertx/vertx-core: memory leak due to the use of netty fastthreadlocal data structures in vertx
https://notcve.org/view.php?id=CVE-2024-1023
27 Mar 2024 — A vulnerability in the Eclipse Vert.x toolkit results in a memory leak due to using Netty FastThreadLocal data structures. Specifically, when the Vert.x HTTP client establishes connections to different hosts, triggering the memory leak. The leak can be accelerated with intimate runtime knowledge, allowing an attacker to exploit this vulnerability. For instance, a server accepting arbitrary internet addresses could serve as an attack vector by connecting to these addresses, thereby accelerating the memory le... • https://access.redhat.com/errata/RHSA-2024:1662 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 7.8EPSS: 3%CPEs: 18EXPL: 0CVE-2023-5685 – Xnio: stackoverflowexception when the chain of notifier states becomes problematically big
https://notcve.org/view.php?id=CVE-2023-5685
22 Mar 2024 — A flaw was found in XNIO. The XNIO NotifierState that can cause a Stack Overflow Exception when the chain of notifier states becomes problematically large can lead to uncontrolled resource management and a possible denial of service (DoS). Se encontró una falla en XNIO. El XNIO NotifierState que puede provocar una excepción de desbordamiento de pila cuando la cadena de estados de notificador se vuelve problemáticamente grande puede provocar una gestión descontrolada de recursos y una posible denegación de s... • https://access.redhat.com/errata/RHSA-2023:7637 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 3.7EPSS: 0%CPEs: 2EXPL: 0CVE-2024-1722 – Keycloak-core: dos via account lockout
https://notcve.org/view.php?id=CVE-2024-1722
27 Feb 2024 — A flaw was found in Keycloak. In certain conditions, this issue may allow a remote unauthenticated attacker to block other accounts from logging in. Se encontró una falla en Keycloak. En determinadas condiciones, este problema puede permitir que un atacante remoto no autenticado bloquee el inicio de sesión de otras cuentas. • https://access.redhat.com/security/cve/CVE-2024-1722 • CWE-645: Overly Restrictive Account Lockout Mechanism •
CVSS: 9.4EPSS: 63%CPEs: 26EXPL: 0CVE-2024-1635 – Undertow: out-of-memory error after several closed connections with wildfly-http-client protocol
https://notcve.org/view.php?id=CVE-2024-1635
19 Feb 2024 — A vulnerability was found in Undertow. This vulnerability impacts a server that supports the wildfly-http-client protocol. Whenever a malicious user opens and closes a connection with the HTTP port of the server and then closes the connection immediately, the server will end with both memory and open file limits exhausted at some point, depending on the amount of memory available. At HTTP upgrade to remoting, the WriteTimeoutStreamSinkConduit leaks connections if RemotingConnection is closed by Remoting Ser... • https://access.redhat.com/errata/RHSA-2024:1674 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.5EPSS: 0%CPEs: 17EXPL: 0CVE-2023-6291 – Keycloak: redirect_uri validation bypass
https://notcve.org/view.php?id=CVE-2023-6291
26 Jan 2024 — A flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to an access token being stolen, making it possible for the attacker to impersonate other users. Se encontró un fallo en la lógica de validación de redirect_uri en Keycloak. Este problema puede permitir la omisión de hosts permitidos explícitamente. • https://access.redhat.com/errata/RHSA-2023:7854 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 6.4EPSS: 0%CPEs: 2EXPL: 0CVE-2023-6927 – Keycloak: open redirect via "form_post.jwt" jarm response mode
https://notcve.org/view.php?id=CVE-2023-6927
18 Dec 2023 — A flaw was found in Keycloak. This issue may allow an attacker to steal authorization codes or tokens from clients using a wildcard in the JARM response mode "form_post.jwt" which could be used to bypass the security patch implemented to address CVE-2023-6134. Se encontró una falla en Keycloak. Este problema puede permitir que un atacante robe códigos de autorización o tokens de clientes usando un comodín en el modo de respuesta JARM "form_post.jwt" que podría usarse para eludir el parche de seguridad imple... • https://access.redhat.com/errata/RHSA-2024:0094 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 5.9EPSS: 69%CPEs: 79EXPL: 3CVE-2023-48795 – ssh: Prefix truncation attack on Binary Packet Protocol (BPP)
https://notcve.org/view.php?id=CVE-2023-48795
18 Dec 2023 — The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phas... • https://packetstorm.news/files/id/176280 • CWE-222: Truncation of Security-relevant Information CWE-354: Improper Validation of Integrity Check Value •