CVSS: 7.4EPSS: 2%CPEs: 7EXPL: 3CVE-2021-3563
https://notcve.org/view.php?id=CVE-2021-3563
A flaw was found in openstack-keystone. Only the first 72 characters of an application secret are verified allowing attackers bypass some password complexity which administrators may be counting on. The highest threat from this vulnerability is to data confidentiality and integrity. Se ha encontrado un fallo en openstack-keystone. Sólo son verificados los primeros 72 caracteres del secreto de una aplicación, lo que permite a atacantes omitir determinada complejidad de las contraseñas con la que pueden contar los administradores. • https://access.redhat.com/security/cve/CVE-2021-3563 https://bugs.launchpad.net/ossa/+bug/1901891 https://bugzilla.redhat.com/show_bug.cgi?id=1962908 https://lists.debian.org/debian-lts-announce/2024/01/msg00007.html https://security-tracker.debian.org/tracker/CVE-2021-3563 • CWE-863: Incorrect Authorization •
CVSS: 4.8EPSS: 0%CPEs: 11EXPL: 0CVE-2021-3688 – JBCS: URL normalization issue with dot-dot-semicolon(s) leads to information disclosure
https://notcve.org/view.php?id=CVE-2021-3688
A flaw was found in Red Hat JBoss Core Services HTTP Server in all versions, where it does not properly normalize the path component of a request URL contains dot-dot-semicolon(s). This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity. Se ha encontrado un fallo en el Servidor HTTP de Red Hat JBoss Core Services en todas las versiones, en el que no normaliza apropiadamente el componente de la ruta de una URL de petición que contenga punto y coma. Este fallo podría permitir a un atacante acceder a información no autorizada o posiblemente conducir otros ataques. • https://access.redhat.com/security/cve/CVE-2021-3688 https://bugzilla.redhat.com/show_bug.cgi?id=1990252 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 1CVE-2021-3754
https://notcve.org/view.php?id=CVE-2021-3754
A flaw was found in keycloak where an attacker is able to register himself with the username same as the email ID of any existing user. This may cause trouble in getting password recovery email in case the user forgets the password. Se ha encontrado un fallo en keycloak por el que un atacante puede registrarse con el mismo nombre de usuario que el ID de correo electrónico de cualquier usuario existente. Esto puede causar problemas a la hora de recibir el correo electrónico de recuperación de la contraseña en caso de que el usuario la olvide. • https://github.com/7Ragnarok7/CVE-2021-3754 https://access.redhat.com/security/cve/CVE-2021-3754 https://bugzilla.redhat.com/show_bug.cgi?id=1999196 • CWE-20: Improper Input Validation •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2021-3856
https://notcve.org/view.php?id=CVE-2021-3856
ClassLoaderTheme and ClasspathThemeResourceProviderFactory allows reading any file available as a resource to the classloader. By sending requests for theme resources with a relative path from an external HTTP client, the client will receive the content of random files if available. ClassLoaderTheme y ClasspathThemeResourceProviderFactory permiten leer cualquier archivo disponible como recurso para el cargador de clases. Al enviar peticiones de recursos de temas con una ruta relativa desde un cliente HTTP externo, el cliente recibirá el contenido de archivos aleatorios si están disponibles. • https://access.redhat.com/security/cve/CVE-2021-3856 https://bugzilla.redhat.com/show_bug.cgi?id=2010164 https://github.com/keycloak/keycloak/commit/73f0474008e1bebd0733e62a22aceda9e5de6743 https://github.com/keycloak/keycloak/pull/8588 https://issues.redhat.com/browse/KEYCLOAK-19422 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-552: Files or Directories Accessible to External Parties •
CVSS: 7.0EPSS: 0%CPEs: 6EXPL: 1CVE-2021-3864
https://notcve.org/view.php?id=CVE-2021-3864
A flaw was found in the way the dumpable flag setting was handled when certain SUID binaries executed its descendants. The prerequisite is a SUID binary that sets real UID equal to effective UID, and real GID equal to effective GID. The descendant will then have a dumpable value set to 1. As a result, if the descendant process crashes and core_pattern is set to a relative value, its core dump is stored in the current directory with uid:gid permissions. An unprivileged local user with eligible root SUID binary could use this flaw to place core dumps into root-owned directories, potentially resulting in escalation of privileges. • https://access.redhat.com/security/cve/CVE-2021-3864 https://bugzilla.redhat.com/show_bug.cgi?id=2015046 https://lore.kernel.org/all/20211221021744.864115-1-longman%40redhat.com https://lore.kernel.org/all/20211226150310.GA992%401wt.eu https://lore.kernel.org/lkml/20211228170910.623156-1-wander%40redhat.com https://security-tracker.debian.org/tracker/CVE-2021-3864 https://www.openwall.com/lists/oss-security/2021/10/20/2 • CWE-284: Improper Access Control •