Page 5 of 234 results (0.010 seconds)

CVSS: 5.0EPSS: 0%CPEs: 14EXPL: 1

A flaw was found in Keycloaks OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the victim and generate new session tokens. This issue could impact confidentiality, integrity, and availability. Se ha encontrado un fallo en la autenticación de usuarios en OpenID Connect de Keycloak, que podría autenticar incorrectamente las solicitudes. Un atacante autenticado que pudiera obtener información de una solicitud de usuario dentro del mismo entorno, podría utilizar esos datos para hacerse pasar por la víctima y generar nuevos tokens de sesión. • https://github.com/twwd/CVE-2023-0264 https://access.redhat.com/security/cve/CVE-2023-0264 https://bugzilla.redhat.com/show_bug.cgi?id=2160585 • CWE-287: Improper Authentication CWE-303: Incorrect Implementation of Authentication Algorithm •

CVSS: 8.0EPSS: 1%CPEs: 5EXPL: 0

An authentication bypass vulnerability was discovered in kube-apiserver. This issue could allow a remote, authenticated attacker who has been given permissions "update, patch" the "pods/ephemeralcontainers" subresource beyond what the default is. They would then need to create a new pod or patch one that they already have access to. This might allow evasion of SCC admission restrictions, thereby gaining control of a privileged pod. Se descubrió una vulnerabilidad de omisión de autenticación en kube-apiserver. • https://access.redhat.com/errata/RHSA-2023:3976 https://access.redhat.com/errata/RHSA-2023:4093 https://access.redhat.com/errata/RHSA-2023:4312 https://access.redhat.com/errata/RHSA-2023:4898 https://access.redhat.com/errata/RHSA-2023:5008 https://access.redhat.com/security/cve/CVE-2023-1260 https://bugzilla.redhat.com/show_bug.cgi?id=2176267 https://github.com/advisories/GHSA-92hx-3mh6-hc49 https://security.netapp.com/advisory/ntap-20231020-0010 • CWE-288: Authentication Bypass Using an Alternate Path or Channel •

CVSS: 7.5EPSS: 0%CPEs: 21EXPL: 0

A compliance problem was found in the Red Hat OpenShift Container Platform. Red Hat discovered that, when FIPS mode was enabled, not all of the cryptographic modules in use were FIPS-validated. • https://access.redhat.com/security/cve/CVE-2023-3089 https://bugzilla.redhat.com/show_bug.cgi?id=2212085 https://access.redhat.com/security/vulnerabilities/RHSB-2023-001 • CWE-521: Weak Password Requirements CWE-693: Protection Mechanism Failure •

CVSS: 7.1EPSS: 0%CPEs: 9EXPL: 0

A flaw was found in Keycloak. A Keycloak server configured to support mTLS authentication for OAuth/OpenID clients does not properly verify the client certificate chain. A client that possesses a proper certificate can authorize itself as any other client, therefore, access data that belongs to other clients. Se encontró una falla en Keycloak. Un servidor Keycloak configurado para admitir la autenticación mTLS para clientes OAuth/OpenID no verifica correctamente la cadena de certificados del cliente. • https://access.redhat.com/errata/RHSA-2023:3883 https://access.redhat.com/errata/RHSA-2023:3884 https://access.redhat.com/errata/RHSA-2023:3885 https://access.redhat.com/errata/RHSA-2023:3888 https://access.redhat.com/errata/RHSA-2023:3892 https://access.redhat.com/security/cve/CVE-2023-2422 https://bugzilla.redhat.com/show_bug.cgi?id=2191668 • CWE-295: Improper Certificate Validation •

CVSS: 10.0EPSS: 0%CPEs: 13EXPL: 0

Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerability in the SAML or OIDC providers. The vulnerability can allow an attacker to execute malicious scripts by setting the AssertionConsumerServiceURL value or the redirect_uri. • https://bugzilla.redhat.com/show_bug.cgi?id=2151618 https://github.com/keycloak/keycloak/commit/a1cfe6e24e5b34792699a00b8b4a8016a5929e3a https://access.redhat.com/security/cve/CVE-2022-4361 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-81: Improper Neutralization of Script in an Error Message Web Page •