Filtered by vendor Redhat
Subscriptions
Filtered by product Jboss Single Sign On
Subscriptions
Total
140 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2020-14307 | 1 Redhat | 8 A Mq Clients, Amq, Jboss Enterprise Application Platform and 5 more | 2024-08-04 | 6.5 Medium |
A vulnerability was found in Wildfly's Enterprise Java Beans (EJB) versions shipped with Red Hat JBoss EAP 7, where SessionOpenInvocations are never removed from the remote InvocationTracker after a response is received in the EJB Client, as well as the server. This flaw allows an attacker to craft a denial of service attack to make the service unavailable. | ||||
CVE-2020-11612 | 6 Debian, Fedoraproject, Netapp and 3 more | 26 Debian Linux, Fedora, Oncommand Api Services and 23 more | 2024-08-04 | 7.5 High |
The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder. | ||||
CVE-2020-11022 | 9 Debian, Drupal, Fedoraproject and 6 more | 88 Debian Linux, Drupal, Fedora and 85 more | 2024-08-04 | 6.9 Medium |
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. | ||||
CVE-2020-11023 | 8 Debian, Drupal, Fedoraproject and 5 more | 65 Debian Linux, Drupal, Fedora and 62 more | 2024-08-04 | 6.9 Medium |
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. | ||||
CVE-2020-10969 | 5 Debian, Fasterxml, Netapp and 2 more | 41 Debian Linux, Jackson-databind, Steelstore Cloud Integrated Storage and 38 more | 2024-08-04 | 8.8 High |
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane. | ||||
CVE-2020-10776 | 1 Redhat | 3 Jboss Single Sign On, Keycloak, Red Hat Single Sign On | 2024-08-04 | 4.8 Medium |
A flaw was found in Keycloak before version 12.0.0, where it is possible to add unsafe schemes for the redirect_uri parameter. This flaw allows an attacker to perform a Cross-site scripting attack. | ||||
CVE-2020-10758 | 1 Redhat | 5 Jboss Single Sign On, Keycloak, Openshift Application Runtimes and 2 more | 2024-08-04 | 7.5 High |
A vulnerability was found in Keycloak before 11.0.1 where DoS attack is possible by sending twenty requests simultaneously to the specified keycloak server, all with a Content-Length header value that exceeds the actual byte count of the request body. | ||||
CVE-2020-10740 | 1 Redhat | 6 Jboss Enterprise Application Platform, Jboss Enterprise Application Platform Cd, Jboss Fuse and 3 more | 2024-08-04 | 6.6 Medium |
A vulnerability was found in Wildfly in versions before 20.0.0.Final, where a remote deserialization attack is possible in the Enterprise Application Beans(EJB) due to lack of validation/filtering capabilities in wildfly. | ||||
CVE-2020-10748 | 1 Redhat | 3 Jboss Single Sign On, Keycloak, Single Sign-on | 2024-08-04 | 6.1 Medium |
A flaw was found in Keycloak's data filter, in version 10.0.1, where it allowed the processing of data URLs in some circumstances. This flaw allows an attacker to conduct cross-site scripting or further attacks. | ||||
CVE-2020-10719 | 2 Netapp, Redhat | 12 Active Iq Unified Manager, Oncommand Insight, Oncommand Workflow Automation and 9 more | 2024-08-04 | 6.5 Medium |
A flaw was found in Undertow in versions before 2.1.1.Final, regarding the processing of invalid HTTP requests with large chunk sizes. This flaw allows an attacker to take advantage of HTTP request smuggling. | ||||
CVE-2020-10718 | 1 Redhat | 5 Jboss Enterprise Application Platform, Jboss Fuse, Jboss Single Sign On and 2 more | 2024-08-04 | 7.5 High |
A flaw was found in Wildfly before wildfly-embedded-13.0.0.Final, where the embedded managed process API has an exposed setting of the Thread Context Classloader (TCCL). This setting is exposed as a public method, which can bypass the security manager. The highest threat from this vulnerability is to confidentiality. | ||||
CVE-2020-10714 | 2 Netapp, Redhat | 13 Oncommand Insight, Codeready Studio, Descision Manager and 10 more | 2024-08-04 | 7.5 High |
A flaw was found in WildFly Elytron version 1.11.3.Final and before. When using WildFly Elytron FORM authentication with a session ID in the URL, an attacker could perform a session fixation attack. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | ||||
CVE-2020-10693 | 4 Ibm, Oracle, Quarkus and 1 more | 13 Websphere Application Server, Weblogic Server, Quarkus and 10 more | 2024-08-04 | 5.3 Medium |
A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages. | ||||
CVE-2020-10683 | 6 Canonical, Dom4j Project, Netapp and 3 more | 44 Ubuntu Linux, Dom4j, Oncommand Api Services and 41 more | 2024-08-04 | 9.8 Critical |
dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j. | ||||
CVE-2020-10672 | 5 Debian, Fasterxml, Netapp and 2 more | 40 Debian Linux, Jackson-databind, Steelstore Cloud Integrated Storage and 37 more | 2024-08-04 | 8.8 High |
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms). | ||||
CVE-2020-10687 | 1 Redhat | 6 Enterprise Linux, Jboss Enterprise Application Platform, Jboss Fuse and 3 more | 2024-08-04 | 4.8 Medium |
A flaw was discovered in all versions of Undertow before Undertow 2.2.0.Final, where HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an attacker to poison a web-cache, perform an XSS attack, or obtain sensitive information from request other than their own. | ||||
CVE-2020-10673 | 5 Debian, Fasterxml, Netapp and 2 more | 40 Debian Linux, Jackson-databind, Steelstore Cloud Integrated Storage and 37 more | 2024-08-04 | 8.8 High |
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus). | ||||
CVE-2020-9547 | 5 Debian, Fasterxml, Netapp and 2 more | 27 Debian Linux, Jackson-databind, Active Iq Unified Manager and 24 more | 2024-08-04 | 9.8 Critical |
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap). | ||||
CVE-2020-9546 | 5 Debian, Fasterxml, Netapp and 2 more | 41 Debian Linux, Jackson-databind, Active Iq Unified Manager and 38 more | 2024-08-04 | 9.8 Critical |
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config). | ||||
CVE-2020-9548 | 5 Debian, Fasterxml, Netapp and 2 more | 35 Debian Linux, Jackson-databind, Active Iq Unified Manager and 32 more | 2024-08-04 | 9.8 Critical |
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core). |