CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2021-3461 – keycloak: Backchannel logout not working when Principal Type is set to Attribute Name for external SAML IDP
https://notcve.org/view.php?id=CVE-2021-3461
20 May 2021 — A flaw was found in keycloak where keycloak may fail to logout user session if the logout request comes from external SAML identity provider and Principal Type is set to Attribute [Name]. Se ha encontrado un fallo en keycloak por el que keycloak puede fallar al cerrar la sesión del usuario si la petición de cierre de sesión proviene de un proveedor de identidad SAML externo y el tipo de principal está configurado como atributo [nombre] Red Hat Single Sign-On 7.4 is a standalone server, based on the Keycloak... • https://bugzilla.redhat.com/show_bug.cgi?id=1941565 • CWE-613: Insufficient Session Expiration •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2021-20262
https://notcve.org/view.php?id=CVE-2021-20262
09 Mar 2021 — A flaw was found in Keycloak 12.0.0 where re-authentication does not occur while updating the password. This flaw allows an attacker to take over an account if they can obtain temporary, physical access to a user’s browser. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. Se encontró un fallo en Keycloak versión 12.0.0, donde no ocurre la re-autenticación mientras se actualiza la contraseña. Este fallo permite a un atacante apoderarse de una c... • https://bugzilla.redhat.com/show_bug.cgi?id=1933639 • CWE-306: Missing Authentication for Critical Function •
CVSS: 6.5EPSS: 89%CPEs: 2EXPL: 1CVE-2020-27838
https://notcve.org/view.php?id=CVE-2020-27838
08 Mar 2021 — A flaw was found in keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients (like client secret) without authentication which could be an issue if the same PUBLIC client changed to CONFIDENTIAL later. The highest threat from this vulnerability is to data confidentiality. Se encontró un fallo en keycloak en versiones anteriores a 13.0.0. El endpoint de registro de clientes permite obtener información sobre clientes PÚBLICOS (como el secreto... • https://github.com/Cappricio-Securities/CVE-2020-27838 • CWE-287: Improper Authentication •
CVSS: 3.3EPSS: 0%CPEs: 4EXPL: 0CVE-2020-10734
https://notcve.org/view.php?id=CVE-2020-10734
11 Feb 2021 — A vulnerability was found in keycloak in the way that the OIDC logout endpoint does not have CSRF protection. Versions shipped with Red Hat Fuse 7, Red Hat Single Sign-on 7, and Red Hat Openshift Application Runtimes are believed to be vulnerable. Se encontró una vulnerabilidad en keycloak en la forma en que el endpoint de cierre de sesión OIDC no tiene protección CSRF. Se cree que las versiones enviadas con Red Hat Fuse 7, Red Hat Single Sign-on 7 y Red Hat Openshift Application Runtimes son vulnerabl... • https://bugzilla.redhat.com/show_bug.cgi?id=1831662 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.0EPSS: 0%CPEs: 4EXPL: 0CVE-2020-1717
https://notcve.org/view.php?id=CVE-2020-1717
11 Feb 2021 — A flaw was found in Keycloak 7.0.1. A logged in user can do an account email enumeration attack. Se encontró un fallo en Keycloak versión 7.0.1. Un usuario que haya iniciado sesión puede llevar a cabo un ataque de enumeración de correo electrónico de la cuenta • https://bugzilla.redhat.com/show_bug.cgi?id=1796281 • CWE-209: Generation of Error Message Containing Sensitive Information •
CVSS: 6.8EPSS: 0%CPEs: 12EXPL: 1CVE-2020-25689 – wildfly-core: memory leak in WildFly host-controller in domain mode while not able to reconnect to domain-controller
https://notcve.org/view.php?id=CVE-2020-25689
30 Oct 2020 — A memory leak flaw was found in WildFly in all versions up to 21.0.0.Final, where host-controller tries to reconnect in a loop, generating new connections which are not properly closed while not able to connect to domain-controller. This flaw allows an attacker to cause an Out of memory (OOM) issue, leading to a denial of service. The highest threat from this vulnerability is to system availability. Se encontró una fallo de filtrado de memoria en WildFly en todas las versiones hasta 21.0.0.Final, donde el c... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25689 • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2020-14299 – picketbox: JBoss EAP reload to admin-only mode allows authentication bypass
https://notcve.org/view.php?id=CVE-2020-14299
13 Oct 2020 — A flaw was found in JBoss EAP, where the authentication configuration is set-up using a legacy SecurityRealm, to delegate to a legacy PicketBox SecurityDomain, and then reloaded to admin-only mode. This flaw allows an attacker to perform a complete authentication bypass by using an arbitrary user and password. The highest threat to vulnerability is to system availability. Se encontró un fallo en JBoss EAP, donde la configuración de autenticación se configura usando un SecurityRealm heredado, para delegarlo ... • https://bugzilla.redhat.com/show_bug.cgi?id=1848533 • CWE-287: Improper Authentication •
CVSS: 7.5EPSS: 0%CPEs: 10EXPL: 0CVE-2020-25644 – wildfly-openssl: memory leak per HTTP session creation in WildFly OpenSSL
https://notcve.org/view.php?id=CVE-2020-25644
06 Oct 2020 — A memory leak flaw was found in WildFly OpenSSL in versions prior to 1.1.3.Final, where it removes an HTTP session. It may allow the attacker to cause OOM leading to a denial of service. The highest threat from this vulnerability is to system availability. Se encontró un fallo de pérdida de memoria en WildFly OpenSSL en versiones anteriores a 1.1.3.Final, donde se elimina una sesión HTTP. Puede permitir a un atacante causar OOM conllevando a una denegación de servicio. • https://bugzilla.redhat.com/show_bug.cgi?id=1885485 • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2020-10758 – keycloak: DoS by sending multiple simultaneous requests with a Content-Length header value greater than actual byte count of request body
https://notcve.org/view.php?id=CVE-2020-10758
19 Aug 2020 — A vulnerability was found in Keycloak before 11.0.1 where DoS attack is possible by sending twenty requests simultaneously to the specified keycloak server, all with a Content-Length header value that exceeds the actual byte count of the request body. Se encontró una vulnerabilidad en Keycloak versiones anteriores a 11.0.1, donde el ataque de DoS es posible mediante el envío de veinte peticiones simultáneamente hacia el servidor de keycloak especificado, todas con un valor de encabezado Content-Length que e... • https://bugzilla.redhat.com/show_bug.cgi?id=1843849 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 5.8EPSS: 0%CPEs: 13EXPL: 0CVE-2020-10687 – Undertow: Incomplete fix for CVE-2017-2666 due to permitting invalid characters in HTTP requests
https://notcve.org/view.php?id=CVE-2020-10687
17 Aug 2020 — A flaw was discovered in all versions of Undertow before Undertow 2.2.0.Final, where HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an attacker to poison a web-cache, perform an XSS attack, or obtain sensitive information from request other than their own. Se detectó un fallo en todas las versiones de Undertow versiones anteriores a Undertow 2.2.0.Final, donde el tráfico malicioso de peticiones... • https://bugzilla.redhat.com/show_bug.cgi?id=1785049 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •