Filtered by vendor Redhat
Subscriptions
Filtered by product Single Sign-on
Subscriptions
Total
97 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-10894 | 1 Redhat | 6 Enterprise Linux, Jboss Single Sign On, Keycloak and 3 more | 2024-08-05 | N/A |
| It was found that SAML authentication in Keycloak 3.4.3.Final incorrectly authenticated expired certificates. A malicious user could use this to access unauthorized data or possibly conduct further attacks. | ||||
| CVE-2019-14885 | 1 Redhat | 3 Jboss Enterprise Application Platform, Jboss Single Sign On, Single Sign-on | 2024-08-05 | 4.3 Medium |
| A flaw was found in the JBoss EAP Vault system in all versions before 7.2.6.GA. Confidential information of the system property's security attribute value is revealed in the JBoss EAP log file when executing a JBoss CLI 'reload' command. This flaw can lead to the exposure of confidential information. | ||||
| CVE-2019-14887 | 1 Redhat | 8 Jboss Data Grid, Jboss Enterprise Application Platform, Jboss Enterprise Application Platform Cd and 5 more | 2024-08-05 | 9.1 Critical |
| A flaw was found when an OpenSSL security provider is used with Wildfly, the 'enabled-protocols' value in the Wildfly configuration isn't honored. An attacker could target the traffic sent from Wildfly and downgrade the connection to a weaker version of TLS, potentially breaking the encryption. This could lead to a leak of the data being passed over the network. Wildfly version 7.2.0.GA, 7.2.3.GA and 7.2.5.CR2 are believed to be vulnerable. | ||||
| CVE-2019-14888 | 2 Netapp, Redhat | 10 Active Iq Unified Manager, Jboss Data Grid, Jboss Enterprise Application Platform and 7 more | 2024-08-05 | 7.5 High |
| A vulnerability was found in the Undertow HTTP server in versions before 2.0.28.SP1 when listening on HTTPS. An attacker can target the HTTPS port to carry out a Denial Of Service (DOS) to make the service unavailable on SSL. | ||||
| CVE-2019-14837 | 1 Redhat | 4 Jboss Single Sign On, Keycloak, Red Hat Single Sign On and 1 more | 2024-08-05 | 9.1 Critical |
| A flaw was found in keycloack before version 8.0.0. The owner of 'placeholder.org' domain can setup mail server on this domain and knowing only name of a client can reset password and then log in. For example, for client name 'test' the email address will be 'service-account-test@placeholder.org'. | ||||
| CVE-2019-14820 | 1 Redhat | 7 Jboss Enterprise Application Platform, Jboss Fuse, Jboss Single Sign On and 4 more | 2024-08-05 | 4.3 Medium |
| It was found that keycloak before version 8.0.0 exposes internal adapter endpoints in org.keycloak.constants.AdapterConstants, which can be invoked via a specially-crafted URL. This vulnerability could allow an attacker to access unauthorized information. | ||||
| CVE-2019-14838 | 1 Redhat | 10 Data Grid, Enterprise Linux, Jboss Data Grid and 7 more | 2024-08-05 | 4.9 Medium |
| A flaw was found in wildfly-core before 7.2.5.GA. The Management users with Monitor, Auditor and Deployer Roles should not be allowed to modify the runtime state of the server | ||||
| CVE-2019-14900 | 3 Hibernate, Quarkus, Redhat | 17 Hibernate Orm, Quarkus, Build Of Quarkus and 14 more | 2024-08-05 | 6.5 Medium |
| A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. | ||||
| CVE-2019-14843 | 1 Redhat | 5 Jboss Enterprise Application Platform, Jboss Enterprise Application Platform Eus, Jboss Single Sign On and 2 more | 2024-08-05 | 8.8 High |
| A flaw was found in Wildfly Security Manager, running under JDK 11 or 8, that authorized requests for any requester. This flaw could be used by a malicious app deployed on the app server to access unauthorized information and possibly conduct further attacks. Versions shipped with Red Hat Jboss EAP 7 and Red Hat SSO 7 are vulnerable to this issue. | ||||
| CVE-2019-14379 | 7 Apple, Debian, Fasterxml and 4 more | 37 Xcode, Debian Linux, Jackson-databind and 34 more | 2024-08-05 | 9.8 Critical |
| SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution. | ||||
| CVE-2019-10201 | 1 Redhat | 4 Jboss Single Sign On, Keycloak, Openshift Application Runtimes and 1 more | 2024-08-04 | 8.1 High |
| It was found that Keycloak's SAML broker, versions up to 6.0.1, did not verify missing message signatures. If an attacker modifies the SAML Response and removes the <Signature> sections, the message is still accepted, and the message can be modified. An attacker could use this flaw to impersonate other users and gain access to sensitive information. | ||||
| CVE-2019-10219 | 3 Netapp, Oracle, Redhat | 199 Active Iq Unified Manager, Element, Management Services For Element Software And Netapp Hci and 196 more | 2024-08-04 | 6.1 Medium |
| A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack. | ||||
| CVE-2019-10212 | 2 Netapp, Redhat | 9 Active Iq Unified Manager, Enterprise Linux, Jboss Data Grid and 6 more | 2024-08-04 | 9.8 Critical |
| A flaw was found in, all under 2.0.20, in the Undertow DEBUG log for io.undertow.request.security. If enabled, an attacker could abuse this flaw to obtain the user's credentials from the log files. | ||||
| CVE-2019-10184 | 2 Netapp, Redhat | 10 Active Iq Unified Manager, Enterprise Linux, Jboss Data Grid and 7 more | 2024-08-04 | 7.5 High |
| undertow before version 2.0.23.Final is vulnerable to an information leak issue. Web apps may have their directory structures predicted through requests without trailing slashes via the api. | ||||
| CVE-2019-10174 | 3 Infinispan, Netapp, Redhat | 12 Infinispan, Active Iq Unified Manager, Enterprise Linux and 9 more | 2024-08-04 | 8.8 High |
| A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious behavior into the application. | ||||
| CVE-2019-10157 | 1 Redhat | 3 Jboss Single Sign On, Keycloak, Single Sign-on | 2024-08-04 | N/A |
| It was found that Keycloak's Node.js adapter before version 4.8.3 did not properly verify the web token received from the server in its backchannel logout . An attacker with local access could use this to construct a malicious web token setting an NBF parameter that could prevent user access indefinitely. | ||||
| CVE-2019-9514 | 13 Apache, Apple, Canonical and 10 more | 44 Traffic Server, Mac Os X, Swiftnio and 41 more | 2024-08-04 | 7.5 High |
| Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both. | ||||
| CVE-2019-9515 | 12 Apache, Apple, Canonical and 9 more | 36 Traffic Server, Mac Os X, Swiftnio and 33 more | 2024-08-04 | 7.5 High |
| Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. | ||||
| CVE-2019-3873 | 1 Redhat | 4 Enterprise Linux, Jboss Enterprise Application Platform, Jboss Single Sign On and 1 more | 2024-08-04 | N/A |
| It was found that Picketlink as shipped with Jboss Enterprise Application Platform 7.2 would accept an xinclude parameter in SAMLresponse XML. An attacker could use this flaw to send a URL to achieve cross-site scripting or possibly conduct further attacks. | ||||
| CVE-2019-3872 | 1 Redhat | 4 Enterprise Linux, Jboss Enterprise Application Platform, Jboss Single Sign On and 1 more | 2024-08-04 | N/A |
| It was found that a SAMLRequest containing a script could be processed by Picketlink versions shipped in Jboss Application Platform 7.2.x and 7.1.x. An attacker could use this to send a malicious script to achieve cross-site scripting and obtain unauthorized information or conduct further attacks. | ||||