
CVE-2021-3827 – keycloak-server-spi-private: ECP SAML binding bypasses authentication flows
https://notcve.org/view.php?id=CVE-2021-3827
18 Jan 2022 — A flaw was found in keycloak, where the default ECP binding flow allows other authentication flows to be bypassed. By exploiting this behavior, an attacker can bypass the MFA authentication by sending a SOAP request with an AuthnRequest and Authorization header with the user's credentials. The highest threat from this vulnerability is to confidentiality and integrity. • https://access.redhat.com/security/cve/CVE-2021-3827 • CWE-287: Improper Authentication •

CVE-2021-4104 – Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2
https://notcve.org/view.php?id=CVE-2021-4104
14 Dec 2021 — JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in Au... • https://github.com/cckuailong/log4shell_1.x • CWE-20: Improper Input Validation CWE-502: Deserialization of Untrusted Data •

CVE-2021-3717 – wildfly: incorrect JBOSS_LOCAL_USER challenge location may lead to giving access to all the local users
https://notcve.org/view.php?id=CVE-2021-3717
16 Nov 2021 — A flaw was found in Wildfly. An incorrect JBOSS_LOCAL_USER challenge location when using the elytron configuration may lead to JBOSS_LOCAL_USER access to all users on the machine. The highest threat from this vulnerability is to confidentiality, integrity, and availability. This flaw affects wildfly-core versions prior to 17.0. • https://bugzilla.redhat.com/show_bug.cgi?id=1991305 • CWE-552: Files or Directories Accessible to External Parties •

CVE-2021-3629 – undertow: potential security issue in flow control over HTTP/2 may lead to DOS
https://notcve.org/view.php?id=CVE-2021-3629
16 Nov 2021 — A flaw was found in Undertow. A potential security issue in flow control handling by the browser over http/2 may potentially cause overhead or a denial of service in the server. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.40.Final and prior to 2.2.11.Final. • https://bugzilla.redhat.com/show_bug.cgi?id=1977362 • CWE-400: Uncontrolled Resource Consumption •

CVE-2021-3632 – keycloak: Anyone can register a new device when there is no device registered for passwordless login
https://notcve.org/view.php?id=CVE-2021-3632
14 Sep 2021 — A flaw was found in Keycloak. This vulnerability allows anyone to register a new security device or key when there is not a device already registered for any user by using the WebAuthn password-less login flow. Red Hat Single Sign-On 7.4 is a ... • https://access.redhat.com/security/cve/CVE-2021-3632 • CWE-287: Improper Authentication •

CVE-2021-3597 – undertow: HTTP2SourceChannel fails to write final frame under some circumstances may lead to DoS
https://notcve.org/view.php?id=CVE-2021-3597
08 Sep 2021 — A flaw was found in undertow. The HTTP2SourceChannel fails to write the final frame under some circumstances, resulting in a denial of service. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.35.SP1, prior to 2.2.6.SP1, prior to 2.2.7.SP1, prior to 2.0.36.SP1, prior to 2.2.9.Final and prior to 2.0.39.Final. • https://bugzilla.redhat.com/show_bug.cgi?id=1970930 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •

CVE-2021-3690 – undertow: buffer leak on incoming websocket PONG message may lead to DoS
https://notcve.org/view.php?id=CVE-2021-3690
19 Aug 2021 — A flaw was found in Undertow. A buffer leak on the incoming WebSocket PONG message may lead to memory exhaustion. This flaw allows an attacker to cause a denial of service. The highest threat from this vulnerability is availability. • https://access.redhat.com/security/cve/CVE-2021-3690 • CWE-400: Uncontrolled Resource Consumption CWE-401: Missing Release of Memory after Effective Lifetime •

CVE-2021-3637 – keycloak-model-infinispan: authenticationSessions map in RootAuthenticationSessionEntity grows boundlessly could lead to a DoS attack
https://notcve.org/view.php?id=CVE-2021-3637
09 Jul 2021 — A flaw was found in keycloak-model-infinispan in keycloak versions before 14.0.0 where authenticationSessions map in RootAuthenticationSessionEntity grows boundlessly which could lead to a DoS attack. A flaw was found in keycloak-model-infinispan where the authenticationSessio... • https://bugzilla.redhat.com/show_bug.cgi?id=1979638 • CWE-770: Allocation of Resources Without Limits or Throttling •

CVE-2021-3424 – keycloak: Internationalized domain name (IDN) homograph attack to impersonate users
https://notcve.org/view.php?id=CVE-2021-3424
20 May 2021 — A flaw was found in keycloak as shipped in Red Hat Single Sign-On 7.4 where IDN homograph attacks are possible. A malicious user can register himself with a name already registered and trick admin to grant him extra privileges. • https://bugzilla.redhat.com/show_bug.cgi?id=1933320 • CWE-287: Improper Authentication •

CVE-2021-3461 – keycloak: Backchannel logout not working when Principal Type is set to Attribute Name for external SAML IDP
https://notcve.org/view.php?id=CVE-2021-3461
20 May 2021 — A flaw was found in keycloak where keycloak may fail to logout user session if the logout request comes from external SAML identity provider and Principal Type is set to Attribute [Name]. Red Hat Single Sign-On 7.4 is a standalone server, based on the Keycloak... • https://bugzilla.redhat.com/show_bug.cgi?id=1941565 • CWE-613: Insufficient Session Expiration •