CVE-2023-38732 – IBM Robotic Process Automation information disclosure
https://notcve.org/view.php?id=CVE-2023-38732
IBM Robotic Process Automation server 21.0.0 through 21.0.7 could allow an authenticated user to view sensitive information from application logs. IBM X-Force ID: 262289. • https://exchange.xforce.ibmcloud.com/vulnerabilities/262289 https://www.ibm.com/support/pages/node/7028221 • CWE-532: Insertion of Sensitive Information into Log File •
CVE-2023-4456 – Openshift-logging: lokistack authorisation is cached too broadly
https://notcve.org/view.php?id=CVE-2023-4456
A flaw was found in openshift-logging LokiStack. The authorization cache is keyed on the token alone, not on the token together with the requested action and resource, which is too broad: a cached allow decision is reused for requests it was never made for. A user holding a token valid for one action can therefore execute other actions for as long as the authorization decision for the original action remains cached. • https://access.redhat.com/errata/RHSA-2023:4933 https://access.redhat.com/errata/RHSA-2023:5095 https://access.redhat.com/errata/RHSA-2023:5096 https://access.redhat.com/security/cve/CVE-2023-4456 https://bugzilla.redhat.com/show_bug.cgi?id=2233087 • CWE-1220: Insufficient Granularity of Access Control •
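The cache-key problem described above, as an added example that is not LokiStack's or Red Hat's code. The cache, the `policy` authorizer and the tokens `tok-reader` and `tok-admin` are constructed for illustration; the only thing that changes between the vulnerable and the fixed run is the key function handed to the cache.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// decision is one cached authorization verdict and its expiry.
type decision struct {
	allowed bool
	expires time.Time
}

// keyFunc derives the cache key from a request; which key a service
// picks is exactly what this class of bug is about.
type keyFunc func(token, verb, resource string) string

// authzCache memoises calls to a slow backend authorizer.
type authzCache struct {
	mu      sync.Mutex
	entries map[string]decision
	ttl     time.Duration
	key     keyFunc
	backend func(token, verb, resource string) bool
	calls   int // backend invocations, so a cache hit is observable
}

func newAuthzCache(ttl time.Duration, key keyFunc, backend func(token, verb, resource string) bool) *authzCache {
	return &authzCache{entries: map[string]decision{}, ttl: ttl, key: key, backend: backend}
}

// Allowed returns the cached verdict for this request if one is still fresh,
// otherwise asks the backend and caches the answer under key(token, verb, resource).
func (c *authzCache) Allowed(token, verb, resource string) bool {
	k := c.key(token, verb, resource)
	c.mu.Lock()
	defer c.mu.Unlock()
	if d, ok := c.entries[k]; ok && time.Now().Before(d.expires) {
		return d.allowed
	}
	c.calls++
	allowed := c.backend(token, verb, resource)
	c.entries[k] = decision{allowed: allowed, expires: time.Now().Add(c.ttl)}
	return allowed
}

// tokenOnlyKey is the too-broad key: whatever verdict was reached for this
// token is reused for every later verb and resource.
func tokenOnlyKey(token, _, _ string) string { return token }

// scopedKey reuses a verdict only for the exact request it was computed for.
func scopedKey(token, verb, resource string) string {
	return token + "\x00" + verb + "\x00" + resource
}

// policy is a constructed stand-in for the real authorizer (hypothetical tokens):
// tok-reader may only read the logs of tenant-a; tok-admin may do anything.
func policy(token, verb, resource string) bool {
	switch token {
	case "tok-reader":
		return verb == "get" && resource == "logs/tenant-a"
	case "tok-admin":
		return true
	}
	return false
}

// escalates replays the attack: a permitted request warms the cache, then the
// same token asks for something the policy forbids. It reports whether the
// forbidden request was allowed.
func escalates(key keyFunc) bool {
	c := newAuthzCache(time.Minute, key, policy)
	c.Allowed("tok-reader", "get", "logs/tenant-a")          // permitted, now cached
	return c.Allowed("tok-reader", "delete", "logs/tenant-b") // must be denied
}

func main() {
	fmt.Println("token-only key lets tok-reader delete tenant-b:", escalates(tokenOnlyKey))
	fmt.Println("scoped key lets tok-reader delete tenant-b:    ", escalates(scopedKey))
}
```

With `tokenOnlyKey` the second call never reaches the backend: the `allowed=true` entry stored for the first request is returned for a different verb and resource, which is the escalation. With `scopedKey` the cache still saves repeated identical checks (the backend is called once for two identical requests), but a new (verb, resource) pair always gets its own decision. When the cached object is an authorization verdict, every input the verdict depends on has to be part of the key.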
CVE-2023-3223 – Undertow: outofmemoryerror due to @multipartconfig handling
https://notcve.org/view.php?id=CVE-2023-3223
A flaw was found in Undertow. Servlets annotated with @MultipartConfig may cause an OutOfMemoryError when handling large multipart content, which allows an unauthenticated remote attacker to cause a denial of service (DoS). If the server uses fileSizeThreshold to limit the file size, the limit can be bypassed by setting the file name in the request to null: a part without a file name is not handled as a file, so a file-oriented limit does not apply to it and the part is buffered in full. (In @MultipartConfig, fileSizeThreshold is the size above which a part is written to disk rather than kept in memory; maxFileSize and maxRequestSize are the hard limits, and both must be set to bound what a request can make the server buffer.) • https://access.redhat.com/errata/RHSA-2023:4505 https://access.redhat.com/errata/RHSA-2023:4506 https://access.redhat.com/errata/RHSA-2023:4507 https://access.redhat.com/errata/RHSA-2023:4509 https://access.redhat.com/errata/RHSA-2023:4918 https://access.redhat.com/errata/RHSA-2023:4919 https://access.redhat.com/errata/RHSA-2023:4920 https://access.redhat.com/errata/RHSA-2023:4921 https://access.redhat.com/errata/RHSA-2023:4924 https://access.redhat.com/errata/RHSA • CWE-789: Memory Allocation with Excessive Size Value •
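The bypass pattern described above, as an added example that is not Undertow's code (Undertow is Java; this is an illustrative Go parser built on the standard `mime/multipart` package). The `limit` parameter stands in for whatever per-part size bound the server enforces; the `consume` function with `capAllParts=false` applies that bound only to parts that carry a filename, which is the shape of the flaw, and with `capAllParts=true` applies it to every part. The request bodies are constructed inline.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"mime/multipart"
	"strings"
)

// errTooLarge is returned when a single part exceeds the configured limit.
var errTooLarge = errors.New("multipart part exceeds size limit")

// readCapped reads at most limit bytes from r and fails if the part is longer,
// so the server never buffers more than limit+1 bytes of it.
func readCapped(r io.Reader, limit int64) ([]byte, error) {
	data, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > limit {
		return nil, errTooLarge
	}
	return data, nil
}

// consume parses a multipart body and returns the total bytes it buffered.
// With capAllParts=false it mirrors the flaw: only parts that carry a filename
// are treated as files and capped; a part without a filename is read in full,
// however large. With capAllParts=true every part is capped.
func consume(body []byte, boundary string, limit int64, capAllParts bool) (int, error) {
	mr := multipart.NewReader(bytes.NewReader(body), boundary)
	total := 0
	for {
		p, err := mr.NextPart()
		if err == io.EOF {
			return total, nil
		}
		if err != nil {
			return total, err
		}
		var data []byte
		if capAllParts || p.FileName() != "" {
			data, err = readCapped(p, limit)
		} else {
			data, err = io.ReadAll(p) // unbounded buffering of a "form field"
		}
		if err != nil {
			return total, err
		}
		total += len(data)
	}
}

// buildBody constructs a request body with one part of n bytes, either as a
// file part (with a filename) or as a plain field (no filename).
func buildBody(n int, withFilename bool) (body []byte, boundary string) {
	var buf bytes.Buffer
	w := multipart.NewWriter(&buf)
	var part io.Writer
	var err error
	if withFilename {
		part, err = w.CreateFormFile("upload", "payload.bin")
	} else {
		part, err = w.CreateFormField("upload")
	}
	if err != nil {
		panic(err)
	}
	if _, err = io.WriteString(part, strings.Repeat("A", n)); err != nil {
		panic(err)
	}
	if err = w.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes(), w.Boundary()
}

func main() {
	const limit = 1024
	const big = 1 << 20 // 1 MiB, far above the limit
	for _, tc := range []struct {
		name         string
		withFilename bool
		capAll       bool
	}{
		{"file part, cap files only", true, false},
		{"no filename, cap files only", false, false},
		{"no filename, cap all parts", false, true},
	} {
		body, boundary := buildBody(big, tc.withFilename)
		n, err := consume(body, boundary, limit, tc.capAll)
		fmt.Printf("%-30s buffered=%d err=%v\n", tc.name, n, err)
	}
}
```

The second case is the attack: the same 1 MiB payload that is rejected as a file is accepted once the `filename` attribute is dropped from its Content-Disposition, and the parser holds all of it in memory. A request with many such parts, or several concurrent requests, is what turns this into an OutOfMemoryError. The fix is to bound every part and the request as a whole, not only parts that look like file uploads.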
CVE-2023-0264 – keycloak: user impersonation via stolen uuid code
https://notcve.org/view.php?id=CVE-2023-0264
A flaw was found in Keycloak's OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the victim and generate new session tokens. This issue could impact confidentiality, integrity, and availability. • https://github.com/twwd/CVE-2023-0264 https://access.redhat.com/security/cve/CVE-2023-0264 https://bugzilla.redhat.com/show_bug.cgi?id=2160585 • CWE-287: Improper Authentication CWE-303: Incorrect Implementation of Authentication Algorithm •
CVE-2023-35900 – IBM Robotic Process Automation information disclosure
https://notcve.org/view.php?id=CVE-2023-35900
IBM Robotic Process Automation for Cloud Pak 21.0.0 through 21.0.7.4 and 23.0.0 through 23.0.5 discloses server version information, which an attacker can use to identify software vulnerabilities at the operating system level. IBM X-Force ID: 259368. • https://exchange.xforce.ibmcloud.com/vulnerabilities/259368 https://www.ibm.com/support/pages/node/7010895 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •