Filtered by vendor Redhat Subscriptions
Filtered by product Jboss Single Sign On Subscriptions
Total 140 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2020-8840 6 Debian, Fasterxml, Huawei and 3 more 19 Debian Linux, Jackson-databind, Oceanstor 9000 and 16 more 2024-08-04 9.8 Critical
FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.
CVE-2020-7226 3 Oracle, Redhat, Vt 7 Communications Services Gatekeeper, Webcenter Sites, Weblogic Server and 4 more 2024-08-04 7.5 High
CiphertextHeader.java in Cryptacular 1.2.3, as used in Apereo CAS and other products, allows attackers to trigger excessive memory allocation during a decode operation, because the nonce array length associated with "new byte" may depend on untrusted input within the header of encoded data.
CVE-2020-7238 4 Debian, Fedoraproject, Netty and 1 more 19 Debian Linux, Fedora, Netty and 16 more 2024-08-04 7.5 High
Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869.
CVE-2020-6950 3 Eclipse, Oracle, Redhat 14 Mojarra, Banking Enterprise Default Management, Banking Platform and 11 more 2024-08-04 6.5 Medium
Directory traversal in Eclipse Mojarra before 2.3.14 allows attackers to read arbitrary files via the loc parameter or con parameter.
CVE-2020-1954 4 Apache, Netapp, Oracle and 1 more 15 Cxf, Oncommand Workflow Automation, Snapmanager and 12 more 2024-08-04 5.3 Medium
Apache CXF has the ability to integrate with JMX by registering an InstrumentationManager extension with the CXF bus. If the ‘createMBServerConnectorFactory‘ property of the default InstrumentationManagerImpl is not disabled, then it is vulnerable to a man-in-the-middle (MITM) style attack. An attacker on the same host can connect to the registry and rebind the entry to another server, thus acting as a proxy to the original. They are then able to gain access to all of the information that is sent and received over JMX.
CVE-2020-1728 2 Quarkus, Redhat 5 Quarkus, Jboss Single Sign On, Keycloak and 2 more 2024-08-04 4.8 Medium
A vulnerability was found in all versions of Keycloak where, the pages on the Admin Console area of the application are completely missing general HTTP security headers in HTTP-responses. This does not directly lead to a security issue, yet it might aid attackers in their efforts to exploit other problems. The flaws unnecessarily make the servers more prone to Clickjacking, channel downgrade attacks and other similar client-based attack vectors.
CVE-2020-1758 1 Redhat 4 Jboss Single Sign On, Keycloak, Openstack and 1 more 2024-08-04 5.3 Medium
A flaw was found in Keycloak in versions before 10.0.0, where it does not perform the TLS hostname verification while sending emails using the SMTP server. This flaw allows an attacker to perform a man-in-the-middle (MITM) attack.
CVE-2020-1748 1 Redhat 9 Decision Manager, Jboss Data Grid, Jboss Enterprise Application Platform and 6 more 2024-08-04 7.5 High
A flaw was found in all supported versions before wildfly-elytron-1.6.8.Final-redhat-00001, where the WildFlySecurityManager checks were bypassed when using custom security managers, resulting in an improper authorization. This flaw leads to information exposure by unauthenticated access to secure resources.
CVE-2020-1724 1 Redhat 5 Jboss Single Sign On, Keycloak, Openshift Application Runtimes and 2 more 2024-08-04 4.3 Medium
A flaw was found in Keycloak in versions before 9.0.2. This flaw allows a malicious user that is currently logged in, to see the personal information of a previously logged out user in the account manager section.
CVE-2020-1757 1 Redhat 8 Jboss Data Grid, Jboss Enterprise Application Platform, Jboss Enterprise Application Platform Eus and 5 more 2024-08-04 8.1 High
A flaw was found in all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1, all undertow-1.x.x and undertow-2.x.x versions prior to undertow-2.1.0.Final, where the Servlet container causes servletPath to normalize incorrectly by truncating the path after semicolon which may lead to an application mapping resulting in the security bypass.
CVE-2020-1744 1 Redhat 4 Jboss Single Sign On, Keycloak, Openshift Application Runtimes and 1 more 2024-08-04 5.6 Medium
A flaw was found in keycloak before version 9.0.1. When configuring an Conditional OTP Authentication Flow as a post login flow of an IDP, the failure login events for OTP are not being sent to the brute force protection event queue. So BruteForceProtector does not handle this events.
CVE-2020-1745 1 Redhat 8 Jboss Data Grid, Jboss Enterprise Application Platform, Jboss Enterprise Application Platform Cd and 5 more 2024-08-04 8.6 High
A file inclusion vulnerability was found in the AJP connector enabled with a default AJP configuration port of 8009 in Undertow version 2.0.29.Final and before and was fixed in 2.0.30.Final. A remote, unauthenticated attacker could exploit this vulnerability to read web application files from a vulnerable server. In instances where the vulnerable server allows file uploads, an attacker could upload malicious JavaServer Pages (JSP) code within a variety of file types and trigger this vulnerability to gain remote code execution.
CVE-2020-1714 2 Quarkus, Redhat 11 Quarkus, Decision Manager, Jboss Enterprise Application Platform and 8 more 2024-08-04 8.8 High
A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized in a privileged context and potentially lead to remote code execution.
CVE-2020-1697 1 Redhat 4 Jboss Single Sign On, Keycloak, Openshift Application Runtimes and 1 more 2024-08-04 6.1 Medium
It was found in all keycloak versions before 9.0.0 that links to external applications (Application Links) in the admin console are not validated properly and could allow Stored XSS attacks. An authed malicious user could create URLs to trick users in other realms, and possibly conduct further attacks.
CVE-2020-1719 1 Redhat 7 Jboss Data Grid, Jboss Enterprise Application Platform, Jboss Enterprise Application Platform Cd and 4 more 2024-08-04 5.4 Medium
A flaw was found in wildfly. The EJBContext principle is not popped back after invoking another EJB using a different Security Domain. The highest threat from this vulnerability is to data confidentiality and integrity. Versions before wildfly 20.0.0.Final are affected.
CVE-2020-1718 1 Redhat 7 Jboss Enterprise Bpms Platform, Jboss Enterprise Brms Platform, Jboss Fuse and 4 more 2024-08-04 7.1 High
A flaw was found in the reset credential flow in all Keycloak versions before 8.0.0. This flaw allows an attacker to gain unauthorized access to the application.
CVE-2020-1710 1 Redhat 6 Jboss Data Grid, Jboss Enterprise Application Platform, Jboss Enterprise Application Platform Eus and 3 more 2024-08-04 5.3 Medium
The issue appears to be that JBoss EAP 6.4.21 does not parse the field-name in accordance to RFC7230[1] as it returns a 200 instead of a 400.
CVE-2020-1694 1 Redhat 2 Jboss Single Sign On, Keycloak 2024-08-04 4.9 Medium
A flaw was found in all versions of Keycloak before 10.0.0, where the NodeJS adapter did not support the verify-token-audience. This flaw results in some users having access to sensitive information outside of their permissions.
CVE-2020-1695 2 Fedoraproject, Redhat 9 Fedora, Enterprise Linux, Jboss Data Grid and 6 more 2024-08-04 7.5 High
A flaw was found in all resteasy 3.x.x versions prior to 3.12.0.Final and all resteasy 4.x.x versions prior to 4.6.0.Final, where an improper input validation results in returning an illegal header that integrates into the server's response. This flaw may result in an injection, which leads to unexpected behavior when the HTTP response is constructed.
CVE-2017-16012 1 Redhat 2 Jboss Fuse, Jboss Single Sign On 2023-11-07 N/A
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2015-9251. Reason: This candidate is a duplicate of CVE-2015-9251. Notes: All CVE users should reference CVE-2015-9251 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage