Filtered by vendor Redhat
Filtered by product Red Hat Single Sign On
Total 201 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2017-12160 1 Redhat 3 Jboss Single Sign On, Keycloak, Red Hat Single Sign On 2024-09-16 7.2 High
It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to grant himself continued permissions and possibly conduct further attacks.
CVE-2023-6544 1 Redhat 3 Build Keycloak, Red Hat Single Sign On, Rhosemc 2024-09-16 5.4 Medium
A flaw was found in the Keycloak package. This issue occurs due to a permissive regular expression hardcoded for filtering which allows hosts to register a dynamic client. A malicious user with enough information about the environment could jeopardize an environment with this specific Dynamic Client Registration and TrustedDomain configuration previously unauthorized.
CVE-2016-8629 1 Redhat 5 Enterprise Linux Server, Jboss Single Sign On, Keycloak and 2 more 2024-09-16 N/A
Red Hat Keycloak before version 2.4.0 did not correctly check permissions when handling service account user deletion requests sent to the rest server. An attacker with service account authentication could use this flaw to bypass normal permissions and delete users in a separate realm.
CVE-2023-6484 1 Redhat 3 Build Keycloak, Red Hat Single Sign On, Rhosemc 2024-09-16 5.3 Medium
A log injection flaw was found in Keycloak. A text string may be injected through the authentication form when using the WebAuthn authentication mode. This issue may have a minor impact on the integrity of the logs.
CVE-2023-6927 1 Redhat 5 Build Keycloak, Keycloak, Red Hat Single Sign On and 2 more 2024-09-16 4.6 Medium
A flaw was found in Keycloak. This issue may allow an attacker to steal authorization codes or tokens from clients using a wildcard in the JARM response mode "form_post.jwt" which could be used to bypass the security patch implemented to address CVE-2023-6134.
CVE-2022-41854 3 Fedoraproject, Redhat, Snakeyaml Project 13 Fedora, Amq Clients, Camel Spring Boot and 10 more 2024-09-16 5.8 Medium
Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service (DoS) attacks. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.
CVE-2023-6134 1 Redhat 9 Build Keycloak, Enterprise Linux, Keycloak and 6 more 2024-09-16 4.6 Medium
A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted request leading to cross-site scripting (XSS) or further attacks. This flaw is the result of an incomplete fix for CVE-2020-10748.
CVE-2023-44483 2 Apache, Redhat 6 Santuario Xml Security For Java, Apache Camel Spring Boot, Camel Quarkus and 3 more 2024-09-12 6.5 Medium
All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are recommended to upgrade to version 2.2.6, 2.3.4, or 3.0.3, which fixes this issue.
CVE-2023-44487 32 Akka, Amazon, Apache and 29 more 364 Http Server, Opensearch Data Prepper, Apisix and 361 more 2024-08-19 7.5 High
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
CVE-2014-9970 2 Jasypt Project, Redhat 8 Jasypt, Enterprise Linux, Jboss Bpms and 5 more 2024-08-06 N/A
jasypt before 1.9.2 allows a timing attack against the password hash comparison.
CVE-2016-9589 1 Redhat 4 Jboss Enterprise Application Platform, Jboss Single Sign On, Jboss Wildfly Application Server and 1 more 2024-08-06 N/A
Undertow in Red Hat wildfly before version 11.0.0.Beta1 is vulnerable to a resource exhaustion resulting in a denial of service. Undertow keeps a cache of seen HTTP headers in persistent connections. It was found that this cache can easily be exploited to fill memory with garbage, up to "max-headers" (default 200) * "max-header-size" (default 1MB) per active TCP connection.
CVE-2017-12197 3 Debian, Libpam4j Project, Redhat 5 Debian Linux, Libpam4j, Enterprise Linux and 2 more 2024-08-05 N/A
It was found that libpam4j up to and including 1.8 did not properly validate user accounts when authenticating. A user with a valid password for a disabled account would be able to bypass security restrictions and possibly access sensitive information.
CVE-2018-14655 1 Redhat 5 Jboss Single Sign On, Keycloak, Linux and 2 more 2024-08-05 N/A
A flaw was found in Keycloak 3.4.3.Final, 4.0.0.Beta2, 4.3.0.Final. When using 'response_mode=form_post' it is possible to inject arbitrary JavaScript code via the 'state' parameter in the authentication URL. This allows an XSS attack upon successful login.
CVE-2018-14658 1 Redhat 3 Jboss Single Sign On, Keycloak, Red Hat Single Sign On 2024-08-05 N/A
A flaw was found in JBOSS Keycloak 3.2.1.Final. The redirect URLs for both login and logout are not normalized in org.keycloak.protocol.oidc.utils.RedirectUtils before the redirect URL is verified. This can lead to an open redirection attack.
CVE-2018-14657 1 Redhat 5 Jboss Single Sign On, Keycloak, Linux and 2 more 2024-08-05 8.1 High
A flaw was found in Keycloak 4.2.1.Final, 4.3.0.Final. When TOTP is enabled, an improper implementation of the brute force detection algorithm will not enforce its protection measures.
CVE-2018-14637 1 Redhat 3 Jboss Single Sign On, Keycloak, Red Hat Single Sign On 2024-08-05 N/A
The SAML broker consumer endpoint in Keycloak before version 4.6.0.Final ignores expiration conditions on SAML assertions. An attacker can exploit this vulnerability to perform a replay attack.
CVE-2018-14040 3 Debian, Getbootstrap, Redhat 6 Debian Linux, Bootstrap, Enterprise Linux and 3 more 2024-08-05 N/A
In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.
CVE-2018-14042 2 Getbootstrap, Redhat 6 Bootstrap, Enterprise Linux, Jboss Enterprise Application Platform and 3 more 2024-08-05 N/A
In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.
CVE-2018-10894 1 Redhat 6 Enterprise Linux, Jboss Single Sign On, Keycloak and 3 more 2024-08-05 N/A
It was found that SAML authentication in Keycloak 3.4.3.Final incorrectly authenticated expired certificates. A malicious user could use this to access unauthorized data or possibly conduct further attacks.
CVE-2019-14832 1 Redhat 4 Jboss Single Sign On, Keycloak, Openshift Application Runtimes and 1 more 2024-08-05 7.5 High
A flaw was found in the Keycloak REST API before version 8.0.0 where it would permit user access from a realm the user was not configured for. An authenticated attacker with knowledge of a user id could use this flaw to access unauthorized information or to carry out further attacks.