Red Hat Jboss Enterprise Application Platform


Recent Red Hat Jboss Enterprise Application Platform Security Advisories

| Advisory | Title | Published |
|---|---|---|
| RHSA-2026:1935 | Important: Red Hat JBoss Enterprise Application Platform 8.1.4 XP 6.0.2.GA release | February 4, 2026 |
| RHSA-2026:1872 | Important: Red Hat JBoss Enterprise Application Platform 8.1.4 security update | February 3, 2026 |
| RHSA-2026:0743 | Critical: Red Hat JBoss Enterprise Application Platform 7.3.16 security update | January 19, 2026 |
| RHSA-2026:0742 | Critical: Red Hat JBoss Enterprise Application Platform 7.1.13 on RHEL 7 security update | January 19, 2026 |
| RHSA-2026:0386 | Important: Red Hat JBoss Enterprise Application Platform 8.1.3 security update | January 8, 2026 |
| RHSA-2026:0384 | Important: Red Hat JBoss Enterprise Application Platform 8.1.3 security update | January 8, 2026 |
| RHSA-2026:0383 | Important: Red Hat JBoss Enterprise Application Platform 8.1.3 security update | January 8, 2026 |
| RHSA-2025:22777 | Moderate: Red Hat JBoss Enterprise Application Platform 8.0.11 security update | December 4, 2025 |
| RHSA-2025:22775 | Moderate: Red Hat JBoss Enterprise Application Platform 8.0.11 security update | December 4, 2025 |
| RHSA-2025:22773 | Moderate: Red Hat JBoss Enterprise Application Platform 8.0.11 security update | December 4, 2025 |

By the Year

In 2026 there have been 8 vulnerabilities in Red Hat Jboss Enterprise Application Platform with an average score of 5.7 out of ten. Last year, in 2025, Jboss Enterprise Application Platform had 13 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Jboss Enterprise Application Platform in 2026 could surpass last year's number. Last year, the average CVE base score was greater by 0.83.

| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 8 | 5.68 |
| 2025 | 13 | 6.50 |
| 2024 | 35 | 6.64 |
| 2023 | 11 | 6.59 |
| 2022 | 9 | 6.64 |
| 2021 | 11 | 6.60 |
| 2020 | 19 | 6.74 |
| 2019 | 20 | 7.52 |
| 2018 | 6 | 8.75 |

It may take a day or so for new Jboss Enterprise Application Platform vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Red Hat Jboss Enterprise Application Platform Security Vulnerabilities

A flaw was found in Undertow
CVE-2024-4027 7.5 - High - January 30, 2026

A flaw was found in Undertow. Servlets using a method that calls HttpServletRequestImpl.getParameterNames() can cause an OutOfMemoryError when the client sends a request with large parameter names. This issue can be exploited by an unauthorized user to cause a remote denial-of-service (DoS) attack.

Improper Input Validation

A flaw was found in Keycloak's SAML brokering functionality
CVE-2026-1190 3.1 - Low - January 26, 2026

A flaw was found in Keycloak's SAML brokering functionality. When Keycloak is configured as a client in a Security Assertion Markup Language (SAML) setup, it fails to validate the `NotOnOrAfter` timestamp within the `SubjectConfirmationData`. This allows an attacker to delay the expiration of SAML responses, potentially extending the time a response is considered valid and leading to unexpected session durations or resource consumption.

Missing XML Validation

A flaw was found in Hibernate Reactive
CVE-2025-14969 4.3 - Medium - January 26, 2026

A flaw was found in Hibernate Reactive. When an HTTP endpoint is exposed to perform database operations, a remote client can prematurely close the HTTP connection. This action may lead to leaking connections from the database connection pool, potentially causing a Denial of Service (DoS) by exhausting available database connections.

Missing Release of Resource after Effective Lifetime

A flaw was found in Hibernate
CVE-2026-0603 8.3 - High - January 23, 2026

A flaw was found in Hibernate. A remote attacker with low privileges could exploit a second-order SQL injection vulnerability by providing specially crafted, unsanitized non-alphanumeric characters in the ID column when the InlineIdsOrClauseBuilder is used. This could lead to sensitive information disclosure, such as reading system files, and allow for data manipulation or deletion within the application's database, resulting in an application level denial of service.

SQL Injection

A flaw was found in the Keycloak server during refresh token processing
CVE-2026-1035 3.1 - Low - January 21, 2026

A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. This allows concurrent refresh requests to bypass single-use enforcement and issue multiple access tokens from the same refresh token. As a result, Keycloak's refresh token rotation hardening can be undermined.

TOCTTOU

A flaw was identified in Keycloak's OpenID Connect Dynamic Client Registration feature when clients authenticate using private_key_jwt
CVE-2026-1180 5.8 - Medium - January 20, 2026

A flaw was identified in Keycloak's OpenID Connect Dynamic Client Registration feature when clients authenticate using private_key_jwt. The issue allows a client to specify an arbitrary jwks_uri, which Keycloak then retrieves without validating the destination. This enables attackers to coerce the Keycloak server into making HTTP requests to internal or restricted network resources. As a result, attackers can probe internal services and cloud metadata endpoints, creating an information disclosure and reconnaissance risk.

SSRF

A flaw was found in Keycloak
CVE-2026-0976 3.7 - Low - January 15, 2026

A flaw was found in Keycloak. This improper input validation vulnerability occurs because Keycloak accepts RFC-compliant matrix parameters in URL path segments, while common reverse proxy configurations may ignore or mishandle them. A remote attacker can craft requests to mask path segments, potentially bypassing proxy-level path filtering. This could expose administrative or sensitive endpoints that operators believe are not externally reachable.

Improper Input Validation

A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications
CVE-2025-12543 9.6 - Critical - January 07, 2026

A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests. As a result, requests containing malformed or malicious Host headers are processed without rejection, enabling attackers to poison caches, perform internal network scans, or hijack user sessions.

Improper Input Validation

Undertow OOM DoS via Large application/x-www-form-urlencoded
CVE-2024-3884 7.5 - High - December 03, 2025

A flaw was found in Undertow that can cause remote denial of service attacks. When the server uses the FormEncodedDataDefinition.doParse(StreamSourceChannel) method to parse large form data encoding with application/x-www-form-urlencoded, the method will cause an OutOfMemory issue. This flaw allows unauthorized users to cause a remote denial of service (DoS) attack.

Improper Input Validation

Undertow DoS via MadeYouReset Server-Reset Abuse
CVE-2025-9784 7.5 - High - September 02, 2025

A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).

Allocation of Resources Without Limits or Throttling

Keycloak FGAPv2 Priv Escalation via Manage-Users Role
CVE-2025-7784 6.5 - Medium - July 18, 2025

A flaw was found in the Keycloak identity and access management system when Fine-Grained Admin Permissions (FGAPv2) are enabled. An administrative user with the manage-users role can escalate their privileges to realm-admin due to improper privilege enforcement. This vulnerability allows unauthorized elevation of access rights, compromising the intended separation of administrative duties and posing a security risk to the realm.

Improper Privilege Management

Infinispan CLI: Base64 K8s Secret Password Exposure via Error Msg
CVE-2025-5731 5.5 - Medium - June 26, 2025

A flaw was found in Infinispan CLI. A sensitive password, decoded from a Base64-encoded Kubernetes secret, is processed in plaintext and included in a command string that may expose the data in an error message when a command is not found.

Generation of Error Message Containing Sensitive Information

WildFly/JBoss EAP RCE via Untrusted EJB Marshalling Deserialization
CVE-2025-2251 6.2 - Medium - April 07, 2025

A security flaw exists in WildFly and JBoss Enterprise Application Platform (EAP) within the Enterprise JavaBeans (EJB) remote invocation mechanism. This vulnerability stems from untrusted data deserialization handled by JBoss Marshalling. This flaw allows an attacker to send a specially crafted serialized object, leading to remote code execution without requiring authentication.

Marshaling, Unmarshaling

Smallrye Fault Tolerance OOM DoS via /metrics URI
CVE-2025-2240 7.5 - High - March 12, 2025

A flaw was found in Smallrye, where smallrye-fault-tolerance is vulnerable to an out-of-memory (OOM) issue. This vulnerability is externally triggered when calling the metrics URI. Every call creates a new object within meterMap and may lead to a denial of service (DoS) issue.

Stack Exhaustion

Wildfly Elytron CLI Brute Force Vulnerability
CVE-2025-23368 8.1 - High - March 04, 2025

A flaw was found in Wildfly Elytron integration. The component does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks via CLI.

Improper Restriction of Excessive Authentication Attempts

serialize-javascript XSS via unsanitized regex input
CVE-2024-11831 5.4 - Medium - February 10, 2025

A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package.

XSS

Wildfly RBAC flaw enables unauthorized suspend/resume of server
CVE-2025-23367 6.5 - Medium - January 30, 2025

A flaw was found in the Wildfly Server Role Based Access Control (RBAC) provider. When authorization to control management operations is secured using the Role Based Access Control provider, a user without the required privileges can suspend or resume the server. A user with a Monitor or Auditor role is supposed to have only read access permissions and should not be able to suspend the server. The vulnerability is caused by the Suspend and Resume handlers not performing authorization checks to validate whether the current user has the required permissions to proceed with the action.

Authorization

Wildfly HAL Console XSS via flawed input neutralization by auth user
CVE-2025-23366 6.5 - Medium - January 14, 2025

A flaw was found in the HAL Console in the Wildfly component, which does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output used as a web page that is served to other users. The attacker must be authenticated as a user that belongs to management groups SuperUser, Admin, or Maintainer.

XSS

Keycloak URL Placeholder Abuse Exposes Server Env Vars
CVE-2024-11736 4.9 - Medium - January 14, 2025

A vulnerability was found in Keycloak. Admin users may be able to access sensitive server environment variables and system properties through user-configurable URLs. When configuring backchannel logout URLs or admin URLs, admin users can include placeholders like ${env.VARNAME} or ${PROPNAME}. The server replaces these placeholders with the actual values of environment variables or system properties during URL processing.

Exposure of Sensitive Information Through Environmental Variables

Keycloak Denial of Service via Header Manipulation by Admin
CVE-2024-11734 6.5 - Medium - January 14, 2025

A denial of service vulnerability was found in Keycloak that could allow an administrative user with the right to change realm settings to disrupt the service. This action is done by modifying any of the security headers and inserting newlines, which causes the Keycloak server to write to a request that has already been terminated, leading to the failure of said request.

Protection Mechanism Failure

Narayana LRA Coordinator DoS via Concurrent Cancel/Join
CVE-2024-8447 5.9 - Medium - January 02, 2025

A security issue was discovered in the LRA Coordinator component of Narayana. When Cancel is called in LRA, an execution time of approximately 2 seconds occurs. If Join is called with the same LRA ID within that timeframe, the application may crash or hang indefinitely, leading to a denial of service.

Deadlock

Keycloak: Sensitive Information Disclosure in JGroups Replication Configuration
CVE-2024-10973 5.7 - Medium - December 17, 2024

A vulnerability was found in Keycloak. The environment option `KC_CACHE_EMBEDDED_MTLS_ENABLED` does not work and the JGroups replication configuration is always used in plain text which can allow an attacker that has access to adjacent networks related to JGroups to read sensitive information.

Cleartext Transmission of Sensitive Information

Quarkus-HTTP Cookie Parsing Vulnerability
CVE-2024-12397 7.4 - High - December 12, 2024

A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leading to unauthorized data access or modification. The main threat from this flaw impacts data confidentiality and integrity.

HTTP Request Smuggling

OIDC-Client Authorization Code Injection Vulnerability
CVE-2024-12369 4.2 - Medium - December 09, 2024

A vulnerability was found in OIDC-Client. When using the RH SSO OIDC adapter with EAP 7.x or when using the elytron-oidc-client subsystem with EAP 8.x, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with the client with a victim's identity. This is usually done with a Man-in-the-Middle (MitM) or phishing attack.

Insufficient Verification of Data Authenticity

Keycloak Server: Denial of Service via Improper Proxy Header Validation
CVE-2024-9666 4.7 - Medium - November 25, 2024

A vulnerability was found in the Keycloak Server. The Keycloak Server is vulnerable to a denial of service (DoS) attack due to improper handling of proxy headers. When Keycloak is configured to accept incoming proxy headers, it may accept non-IP values, such as obfuscated identifiers, without proper validation. This issue can lead to costly DNS resolution operations, which an attacker could exploit to tie up IO threads and potentially cause a denial of service. The attacker must have access to send requests to a Keycloak instance that is configured to accept proxy headers, specifically when reverse proxies do not overwrite incoming headers, and Keycloak is configured to trust these headers.

HTTP Request Smuggling

Keycloak Information Disclosure Vulnerability in Build Process
CVE-2024-10451 5.9 - Medium - November 25, 2024

A flaw was found in Keycloak. This issue occurs because sensitive runtime values, such as passwords, may be captured during the Keycloak build process and embedded as default values in bytecode, leading to unintended information disclosure. In Keycloak 26, sensitive data specified directly in environment variables during the build process is also stored as a default values, making it accessible during runtime. Indirect usage of environment variables for SPI options and Quarkus properties is also vulnerable due to unconditional expansion by PropertyMapper logic, capturing sensitive data as default values in all Keycloak versions up to 26.0.2.

Use of Hard-coded Credentials

Keycloak Privilege Escalation via Vault File Access
CVE-2024-10492 - November 25, 2024

A vulnerability was found in Keycloak. A user with high privileges could read sensitive information from a Vault file that is not within the expected context. The attacker must already have high-level access to the Keycloak server in order to create resources, for example an LDAP provider configuration that sets up a Vault file read, which will only reveal whether that file exists or not.

External Control of File Name or Path

Keycloak-services: Denial of Service via Regex Complexity in SearchQueryUtils
CVE-2024-10270 6.5 - Medium - November 25, 2024

A vulnerability was found in the Keycloak-services package. If untrusted data is passed to the SearchQueryUtils method, it could lead to a denial of service (DoS) scenario by exhausting system resources due to a Regex complexity.

ReDoS

Hibernate-Validator SafeHtmlValidator XSS Bypass
CVE-2023-1932 - November 07, 2024

A flaw was found in hibernate-validator's 'isValid' method in the org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator class, which can be bypassed by omitting the tag ending in a less-than character. Browsers may render an invalid html, allowing HTML injection or Cross-Site-Scripting (XSS) attacks.

XSS in WildFly Deployment System Enables RCE
CVE-2024-10234 6.1 - Medium - October 22, 2024

A vulnerability was found in Wildfly, where a user may perform Cross-site scripting in the Wildfly deployment system. This flaw allows an attacker or insider to execute a deployment with a malicious payload, which could trigger undesired behavior against the server.

XSS

Keycloak REST API Privilege Escalation (CVE-2024-3656)
CVE-2024-3656 8.1 - High - October 09, 2024

A flaw was found in Keycloak. Certain endpoints in Keycloak's admin REST API allow low-privilege users to access administrative functionalities. This flaw allows users to perform actions reserved for administrators, potentially leading to data breaches or system compromise.

Information Disclosure

resteasy-netty4 HTTP Smuggling causes request loss (CVE-2024-9622)
CVE-2024-9622 5.3 - Medium - October 08, 2024

A vulnerability was found in the resteasy-netty4 library arising from improper handling of HTTP requests using smuggling techniques. When an HTTP smuggling request with an ASCII control character is sent, it causes the Netty HttpObjectDecoder to transition into a BAD_MESSAGE state. As a result, any subsequent legitimate requests on the same connection are ignored, leading to client timeouts, which may impact systems using load balancers and expose them to risk.

HTTP Request Smuggling

Keycloak XMLSignatureUtil flaw: SAML sig validation bypass for privilege escalation
CVE-2024-8698 7.7 - High - September 19, 2024

A flaw exists in the SAML signature validation method within the Keycloak XMLSignatureUtil class. The method incorrectly determines whether a SAML signature is for the full document or only for specific assertions based on the position of the signature in the XML document, rather than the Reference element used to specify the signed element. This flaw allows attackers to create crafted responses that can bypass the validation, potentially leading to privilege escalation or impersonation attacks.

Improper Verification of Cryptographic Signature

Keycloak Redirect URI: http://localhost Misconfig allows session hijack
CVE-2024-8883 6.1 - Medium - September 19, 2024

A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking.

Open Redirect

Keycloak SAML adapters: session fixation via stale JSESSIONID cookie
CVE-2024-7341 7.1 - High - September 09, 2024

A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation.

Session Fixation

Keycloak Login Timing Bypass Allows Exceeding Brute Force Limits
CVE-2024-4629 6.5 - Medium - September 03, 2024

A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems.

Improper Enforcement of a Single, Unique Action

Undertow ProxyProtocolReadListener StringBuilder reuse info-leak
CVE-2024-7885 7.5 - High - August 21, 2024

A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. This issue occurs when the parseProxyProtocolV1 method processes multiple requests on the same HTTP connection. As a result, different requests may share the same StringBuilder instance, potentially leading to information leakage between requests or responses. In some cases, a value from a previous request or response may be erroneously reused, which could lead to unintended data exposure. This issue primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments.

Race Condition

Undertow MaxAge Default -1 Exposes HTTP Learning-Push handler
CVE-2024-3653 5.3 - Medium - July 08, 2024

A vulnerability was found in Undertow. This issue requires enabling the learning-push handler in the server's config, which is disabled by default, leaving the maxAge config in the handler unconfigured. The default is -1, which makes the handler vulnerable. If someone overwrites that config, the server is not subject to the attack. The attacker needs to be able to reach the server with a normal HTTP request.

Memory Leak

Undertow Chunked DoS: Missing 0\r\n Termination in Java 17 TLSv1.3
CVE-2024-5971 7.5 - High - July 08, 2024

A vulnerability was found in Undertow, where the chunked response hangs after the body was flushed. The response headers and body were sent but the client would continue waiting as Undertow does not send the expected 0\r\n termination of the chunked response. This results in uncontrolled resource consumption, leaving the server side open to a denial of service attack. This happens only with Java 17 TLSv1.3 scenarios.

Stack Exhaustion

Undertow AJP Path Decoding Race Condition DoS
CVE-2024-6162 7.5 - High - June 20, 2024

A vulnerability was found in Undertow, where URL-encoded request paths can be mishandled during concurrent requests on the AJP listener. This issue arises because the same buffer is used to decode the paths for multiple requests simultaneously, leading to incorrect path information being processed. As a result, the server may attempt to access the wrong path, causing errors such as "404 Not Found" or other application failures. This flaw can potentially lead to a denial of service, as legitimate resources become inaccessible due to the path mix-up.

Resource Exhaustion

Wildfly Management Interface DoS via Unbounded Socket Connections
CVE-2024-4029 4.1 - Medium - May 02, 2024

A vulnerability was found in Wildfly's management interface. Due to the lack of limitation of sockets for the management interface, it may be possible to cause a denial of service by hitting the nofile limit, as there is no possibility to configure or set a maximum number of connections.

Allocation of Resources Without Limits or Throttling

JBeret Core: DB credentials exposed via dbProperties logging
CVE-2024-1102 6.5 - Medium - April 25, 2024

A vulnerability was found in jberet-core logging. An exception in 'dbProperties' might display user credentials such as the username and password for the database-connection.

Unprotected Transport of Credentials

Quarkus JAX-RS Auth Bypass via Abstract Class Methods
CVE-2023-5675 6.5 - Medium - April 25, 2024

A flaw was found in Quarkus. When a Quarkus RestEasy Classic or Reactive JAX-RS endpoint has its methods declared in the abstract Java class or customized by Quarkus extensions using the annotation processor, the authorization of these methods will not be enforced if it is enabled by either 'quarkus.security.jaxrs.deny-unannotated-endpoints' or 'quarkus.security.jaxrs.default-roles-allowed' properties.

AuthZ

Keycloak XSS via Malicious ACS URLs (CVE-2023-6717)
CVE-2023-6717 6 - Medium - April 25, 2024

A flaw was found in the SAML client registration in Keycloak that could allow an administrator to register malicious JavaScript URIs as Assertion Consumer Service POST Binding URLs (ACS), posing a Cross-Site Scripting (XSS) risk. This issue may allow a malicious admin in one realm or a client with registration access to target users in different realms or applications, executing arbitrary JavaScript in their contexts upon form submission. This can enable unauthorized access and harmful actions, compromising the confidentiality, integrity, and availability of the complete KC instance.

XSS

Keycloak Redirect URI Validation Bypass via Wildcard URIs
CVE-2024-1132 8.1 - High - April 17, 2024

A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to construct a malicious request to bypass validation and access other URLs and sensitive information within the domain or conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field, and requires user interaction within the malicious URL.

Directory traversal

Keycloak OIDC checkLoginIframe DoS via unvalidated cross-origin messages
CVE-2024-1249 7.4 - High - April 17, 2024

A flaw was found in Keycloak's OIDC component in the "checkLoginIframe," which allows unvalidated cross-origin messages. This flaw allows attackers to coordinate and send millions of requests in seconds using simple code, significantly impacting the application's availability without proper origin validation for incoming messages.

Origin Validation Error

Red Hat EAP8 OIDC Token Cache Misuse (CVE-2023-6236)
CVE-2023-6236 7.3 - High - April 10, 2024

A flaw was found in Red Hat Enterprise Application Platform 8. When an OIDC app that serves multiple tenants attempts to access the second tenant, it should prompt the user to log in again since the second tenant is secured with a different OIDC configuration. The underlying issue is in OidcSessionTokenStore when determining if a cached token should be used or not. This logic needs to be updated to take into account the new "provider-url" option in addition to the "realm" option. EAP-7 does not provide the vulnerable provider-url configuration option in its OIDC implementation and is not affected by this flaw.

Insufficient Verification of Data Authenticity

JBoss EAP SSRF via JwtValidator.resolvePublicKey jku
CVE-2024-1233 7.3 - High - April 09, 2024

A flaw was found in `JwtValidator.resolvePublicKey` in JBoss EAP, where the validator checks jku and sends an HTTP request. During this process, no whitelisting or other filtering behavior is performed on the destination URL address, which may result in a server-side request forgery (SSRF) vulnerability.

SSRF

Memory Leak in Eclipse Vert.x TCP TLS Server via Fake SNI
CVE-2024-1300 5.4 - Medium - April 02, 2024

A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the SSL context is erroneously cached in the server name map, leading to memory exhaustion. This flaw allows attackers to send TLS client hello messages with fake server names, triggering a JVM out-of-memory error.

Memory Leak

XZ Utils Malicious Code Linux Backdoor Attempt
CVE-2024-3094 10 - Critical - March 29, 2024

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.

Embedded Malicious Code
