Filtered by vendor Redhat
Subscriptions
Filtered by product Single Sign-on
Subscriptions
Total
97 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-3637 | 1 Redhat | 3 Keycloak, Red Hat Single Sign On, Single Sign-on | 2024-11-21 | 7.5 High |
| A flaw was found in keycloak-model-infinispan in keycloak versions before 14.0.0 where authenticationSessions map in RootAuthenticationSessionEntity grows boundlessly which could lead to a DoS attack. | ||||
| CVE-2021-3632 | 1 Redhat | 4 Enterprise Linux, Keycloak, Red Hat Single Sign On and 1 more | 2024-11-21 | 7.5 High |
| A flaw was found in Keycloak. This vulnerability allows anyone to register a new security device or key when there is not a device already registered for any user by using the WebAuthn password-less login flow. | ||||
| CVE-2021-3629 | 2 Netapp, Redhat | 14 Active Iq Unified Manager, Oncommand Insight, Oncommand Workflow Automation and 11 more | 2024-11-21 | 5.9 Medium |
| A flaw was found in Undertow. A potential security issue in flow control handling by the browser over http/2 may potentially cause overhead or a denial of service in the server. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.40.Final and prior to 2.2.11.Final. | ||||
| CVE-2021-3597 | 2 Netapp, Redhat | 12 Active Iq Unified Manager, Oncommand Insight, Oncommand Workflow Automation and 9 more | 2024-11-21 | 5.9 Medium |
| A flaw was found in undertow. The HTTP2SourceChannel fails to write the final frame under some circumstances, resulting in a denial of service. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.35.SP1, prior to 2.2.6.SP1, prior to 2.2.7.SP1, prior to 2.0.36.SP1, prior to 2.2.9.Final and prior to 2.0.39.Final. | ||||
| CVE-2021-3461 | 1 Redhat | 3 Keycloak, Red Hat Single Sign On, Single Sign-on | 2024-11-21 | 7.1 High |
| A flaw was found in keycloak where keycloak may fail to logout user session if the logout request comes from external SAML identity provider and Principal Type is set to Attribute [Name]. | ||||
| CVE-2021-3424 | 1 Redhat | 2 Red Hat Single Sign On, Single Sign-on | 2024-11-21 | 5.3 Medium |
| A flaw was found in keycloak as shipped in Red Hat Single Sign-On 7.4 where IDN homograph attacks are possible. A malicious user can register himself with a name already registered and trick admin to grant him extra privileges. | ||||
| CVE-2021-20262 | 1 Redhat | 2 Keycloak, Single Sign-on | 2024-11-21 | 6.8 Medium |
| A flaw was found in Keycloak 12.0.0 where re-authentication does not occur while updating the password. This flaw allows an attacker to take over an account if they can obtain temporary, physical access to a user’s browser. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. | ||||
| CVE-2020-27838 | 1 Redhat | 2 Keycloak, Single Sign-on | 2024-11-21 | 6.5 Medium |
| A flaw was found in keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients (like client secret) without authentication which could be an issue if the same PUBLIC client changed to CONFIDENTIAL later. The highest threat from this vulnerability is to data confidentiality. | ||||
| CVE-2020-27826 | 1 Redhat | 3 Keycloak, Red Hat Single Sign On, Single Sign-on | 2024-11-21 | 4.2 Medium |
| A flaw was found in Keycloak before version 12.0.0 where it is possible to update the user's metadata attributes using Account REST API. This flaw allows an attacker to change its own NameID attribute to impersonate the admin user for any particular application. | ||||
| CVE-2020-25689 | 2 Netapp, Redhat | 11 Active Iq Unified Manager, Oncommand Insight, Service Level Manager and 8 more | 2024-11-21 | 5.3 Medium |
| A memory leak flaw was found in WildFly in all versions up to 21.0.0.Final, where host-controller tries to reconnect in a loop, generating new connections which are not properly closed while not able to connect to domain-controller. This flaw allows an attacker to cause an Out of memory (OOM) issue, leading to a denial of service. The highest threat from this vulnerability is to system availability. | ||||
| CVE-2020-25644 | 2 Netapp, Redhat | 11 Oncommand Insight, Oncommand Workflow Automation, Service Level Manager and 8 more | 2024-11-21 | 7.5 High |
| A memory leak flaw was found in WildFly OpenSSL in versions prior to 1.1.3.Final, where it removes an HTTP session. It may allow the attacker to cause OOM leading to a denial of service. The highest threat from this vulnerability is to system availability. | ||||
| CVE-2020-1757 | 1 Redhat | 8 Jboss Data Grid, Jboss Enterprise Application Platform, Jboss Enterprise Application Platform Eus and 5 more | 2024-11-21 | 8.1 High |
| A flaw was found in all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1, all undertow-1.x.x and undertow-2.x.x versions prior to undertow-2.1.0.Final, where the Servlet container causes servletPath to normalize incorrectly by truncating the path after semicolon which may lead to an application mapping resulting in the security bypass. | ||||
| CVE-2020-1724 | 1 Redhat | 5 Jboss Single Sign On, Keycloak, Openshift Application Runtimes and 2 more | 2024-11-21 | 4.3 Medium |
| A flaw was found in Keycloak in versions before 9.0.2. This flaw allows a malicious user that is currently logged in, to see the personal information of a previously logged out user in the account manager section. | ||||
| CVE-2020-1717 | 1 Redhat | 4 Jboss Fuse, Keycloak, Openshift Application Runtimes and 1 more | 2024-11-21 | 2.7 Low |
| A flaw was found in Keycloak 7.0.1. A logged in user can do an account email enumeration attack. | ||||
| CVE-2020-1714 | 2 Quarkus, Redhat | 11 Quarkus, Decision Manager, Jboss Enterprise Application Platform and 8 more | 2024-11-21 | 8.8 High |
| A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized in a privileged context and potentially lead to remote code execution. | ||||
| CVE-2020-1710 | 1 Redhat | 6 Jboss Data Grid, Jboss Enterprise Application Platform, Jboss Enterprise Application Platform Eus and 3 more | 2024-11-21 | 5.3 Medium |
| The issue appears to be that JBoss EAP 6.4.21 does not parse the field-name in accordance to RFC7230[1] as it returns a 200 instead of a 400. | ||||
| CVE-2020-1697 | 1 Redhat | 4 Jboss Single Sign On, Keycloak, Openshift Application Runtimes and 1 more | 2024-11-21 | 6.1 Medium |
| It was found in all keycloak versions before 9.0.0 that links to external applications (Application Links) in the admin console are not validated properly and could allow Stored XSS attacks. An authed malicious user could create URLs to trick users in other realms, and possibly conduct further attacks. | ||||
| CVE-2020-14341 | 1 Redhat | 1 Single Sign-on | 2024-11-21 | 2.7 Low |
| The "Test Connection" available in v7.x of the Red Hat Single Sign On application console can permit an authorized user to cause SMTP connections to be attempted to arbitrary hosts and ports of the user's choosing, and originating from the RHSSO installation. By observing differences in the timings of these scans, an attacker may glean information about hosts and ports which they do not have access to scan directly. | ||||
| CVE-2020-14307 | 1 Redhat | 8 A Mq Clients, Amq, Jboss Enterprise Application Platform and 5 more | 2024-11-21 | 6.5 Medium |
| A vulnerability was found in Wildfly's Enterprise Java Beans (EJB) versions shipped with Red Hat JBoss EAP 7, where SessionOpenInvocations are never removed from the remote InvocationTracker after a response is received in the EJB Client, as well as the server. This flaw allows an attacker to craft a denial of service attack to make the service unavailable. | ||||
| CVE-2020-14299 | 1 Redhat | 4 Jboss Enterprise Application Platform, Jboss Single Sign On, Openshift Application Runtimes and 1 more | 2024-11-21 | 6.5 Medium |
| A flaw was found in JBoss EAP, where the authentication configuration is set-up using a legacy SecurityRealm, to delegate to a legacy PicketBox SecurityDomain, and then reloaded to admin-only mode. This flaw allows an attacker to perform a complete authentication bypass by using an arbitrary user and password. The highest threat to vulnerability is to system availability. | ||||