Red Hat Single Sign On

A flaw was found in the redirect_uri validation logic in Keycloak

CVE-2023-6291 7.1 - High - January 26, 2024

A flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to an access token being stolen, making it possible for the attacker to impersonate other users.

Open Redirect

Keycloak's device authorization grant does not correctly validate the device code and client ID

CVE-2023-2585 8.1 - High - December 21, 2023

Keycloak's device authorization grant does not correctly validate the device code and client ID. An attacker client could abuse the missing validation to spoof a client consent request and trick an authorization admin into granting consent to a malicious OAuth client or possible unauthorized access to an existing OAuth client.

A flaw was found in Keycloak

CVE-2023-6927 6.1 - Medium - December 18, 2023

A flaw was found in Keycloak. This issue may allow an attacker to steal authorization codes or tokens from clients using a wildcard in the JARM response mode "form_post.jwt" which could be used to bypass the security patch implemented to address CVE-2023-6134.

Open Redirect

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such

CVE-2023-48795 5.9 - Medium - December 18, 2023

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.

Improper Validation of Integrity Check Value

A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token

CVE-2023-6134 5.4 - Medium - December 14, 2023

A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted request leading to cross-site scripting (XSS) or further attacks. This flaw is the result of an incomplete fix for CVE-2020-10748.

XSS

An unconstrained memory consumption vulnerability was discovered in Keycloak

CVE-2023-6563 7.7 - High - December 14, 2023

An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (> 500,000 users with each having at least 2 saved sessions). If an attacker creates two or more user sessions and then open the "consents" tab of the admin User Interface, the UI attempts to load a huge number of offline client sessions leading to excessive memory and CPU consumption which could potentially crash the entire system.

Allocation of Resources Without Limits or Throttling

A flaw was found in Undertow

CVE-2023-5379 7.5 - High - December 12, 2023

A flaw was found in Undertow. When an AJP request is sent that exceeds the max-header-size attribute in ajp-listener, JBoss EAP is marked in an error state by mod_cluster in httpd, causing JBoss EAP to close the TCP connection without returning an AJP response. This happens because mod_proxy_cluster marks the JBoss EAP instance as an error worker when the TCP connection is closed from the backend after sending the AJP request without receiving an AJP response, and stops forwarding. This issue could allow a malicious user could to repeatedly send requests that exceed the max-header-size, causing a Denial of Service (DoS).

Allocation of Resources Without Limits or Throttling

The HTTP/2 protocol

CVE-2023-44487 7.5 - High - October 10, 2023

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Resource Exhaustion

A flaw was found in undertow

CVE-2023-3223 7.5 - High - September 27, 2023

A flaw was found in undertow. Servlets annotated with @MultipartConfig may cause an OutOfMemoryError due to large multipart content. This may allow unauthorized users to cause remote Denial of Service (DoS) attack. If the server uses fileSizeThreshold to limit the file size, it's possible to bypass the limit by setting the file name in the request to null.

A flaw was found in Red Hat Single Sign-On for OpenShift container images

CVE-2022-4039 9.8 - Critical - September 22, 2023

A flaw was found in Red Hat Single Sign-On for OpenShift container images, which are configured with an unsecured management interface enabled. This flaw allows an attacker to use this interface to deploy malicious code and access and modify potentially sensitive information in the app server configuration.

Incorrect Default Permissions

A flaw was found in the offline_access scope in Keycloak

CVE-2022-3916 6.8 - Medium - September 20, 2023

A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user.

Insufficient Session Expiration

A flaw was found in undertow

CVE-2023-1108 7.5 - High - September 14, 2023

A flaw was found in undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status updated in SslConduit, where the loop never terminates.

Infinite Loop

A flaw was found in Keycloaks OpenID Connect user authentication, which may incorrectly authenticate requests

CVE-2023-0264 5 - Medium - August 04, 2023

A flaw was found in Keycloaks OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the victim and generate new session tokens. This issue could impact confidentiality, integrity, and availability.

authentification

Keycloak

CVE-2022-4361 6.1 - Medium - July 07, 2023

Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerability in the SAML or OIDC providers. The vulnerability can allow an attacker to execute malicious scripts by setting the AssertionConsumerServiceURL value or the redirect_uri.

XSS

A flaw was found in Keycloak

CVE-2023-1664 6.5 - Medium - May 26, 2023

A flaw was found in Keycloak. This flaw depends on a non-default configuration "Revalidate Client Certificate" to be enabled and the reverse proxy is not validating the certificate before Keycloak. Using this method an attacker may choose the certificate which will be validated by the server. If this happens and the KC_SPI_TRUSTSTORE_FILE_FILE variable is missing/misconfigured, any trustfile may be accepted with the logging information of "Cannot validate client certificate trust: Truststore not available". This may not impact availability as the attacker would have no access to the server, but consumer applications Integrity or Confidentiality may be impacted considering a possible access to them. Considering the environment is correctly set to use "Revalidate Client Certificate" this flaw is avoidable.

Improper Certificate Validation

A flaw was found in Keycloak in the execute-actions-email endpoint

CVE-2022-1274 5.4 - Medium - March 29, 2023

A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users.

XSS

A flaw was found in the Keycloak Node.js Adapter

CVE-2022-2237 6.1 - Medium - March 27, 2023

A flaw was found in the Keycloak Node.js Adapter. This flaw allows an attacker to benefit from an Open Redirect vulnerability in the checkSso function.

Open Redirect

The undertow client is not checking the server identity presented by the server certificate in https connections

CVE-2022-4492 7.5 - High - February 23, 2023

The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS client protocol.

A flaw was found in WildFly, where an attacker

CVE-2022-1278 7.5 - High - September 13, 2022

A flaw was found in WildFly, where an attacker can see deployment names, endpoints, and any other data the trace payload may contain.

Insecure Default Initialization of Resource

A flaw was found in Undertow

CVE-2022-2764 4.9 - Medium - September 01, 2022

A flaw was found in Undertow. Denial of service can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations.

A Stored Cross-site scripting (XSS) vulnerability was found in keycloak as shipped in Red Hat Single Sign-On 7

CVE-2022-2256 3.8 - Low - September 01, 2022

A Stored Cross-site scripting (XSS) vulnerability was found in keycloak as shipped in Red Hat Single Sign-On 7. This flaw allows a privileged attacker to execute malicious scripts in the admin console, abusing the default roles functionality.

XSS

A flaw was found in Undertow

CVE-2022-1319 7.5 - High - August 31, 2022

A flaw was found in Undertow. For an AJP 400 response, EAP 7 is improperly sending two response packets, and those packets have the reuse flag set even though JBoss EAP closes the connection. A failure occurs when the connection is reused after a 400 by CPING since it reads in the second SEND_HEADERS response packet instead of a CPONG.

Unchecked Return Value

A flaw was found in Undertow

CVE-2022-1259 7.5 - High - August 31, 2022

A flaw was found in Undertow. A potential security issue in flow control handling by the browser over HTTP/2 may cause overhead or a denial of service in the server. This flaw exists because of an incomplete fix for CVE-2021-3629.

Resource Exhaustion

A flaw was found in Keycloak

CVE-2022-0225 5.4 - Medium - August 26, 2022

A flaw was found in Keycloak. This flaw allows a privileged attacker to use the malicious payload as the group name while creating a new group from the admin console, leading to a stored Cross-site scripting (XSS) attack.

XSS

A flaw was found in XNIO, specifically in the notifyReadClosed method

CVE-2022-0084 7.5 - High - August 26, 2022

A flaw was found in XNIO, specifically in the notifyReadClosed method. The issue revealed this method was logging a message to another expected end. This flaw allows an attacker to send flawed requests to a server, possibly causing log contention-related performance concerns or an unwanted disk fill-up.

Allocation of Resources Without Limits or Throttling

A flaw was found in keycloak where an attacker is able to register himself with the username same as the email ID of any existing user

CVE-2021-3754 5.3 - Medium - August 26, 2022

A flaw was found in keycloak where an attacker is able to register himself with the username same as the email ID of any existing user. This may cause trouble in getting password recovery email in case the user forgets the password.

A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2

CVE-2021-3859 7.5 - High - August 26, 2022

A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks.

Invocation of Process Using Visible Sensitive Information

A flaw was found in Keycloak

CVE-2021-3632 7.5 - High - August 26, 2022

A flaw was found in Keycloak. This vulnerability allows anyone to register a new security device or key when there is not a device already registered for any user by using the WebAuthn password-less login flow.

authentification

A flaw was found in Undertow

CVE-2021-3690 7.5 - High - August 23, 2022

A flaw was found in Undertow. A buffer leak on the incoming WebSocket PONG message may lead to memory exhaustion. This flaw allows an attacker to cause a denial of service. The highest threat from this vulnerability is availability.

Memory Leak

A flaw was found in keycloak, where the default ECP binding flow allows other authentication flows to be bypassed

CVE-2021-3827 6.8 - Medium - August 23, 2022

A flaw was found in keycloak, where the default ECP binding flow allows other authentication flows to be bypassed. By exploiting this behavior, an attacker can bypass the MFA authentication by sending a SOAP request with an AuthnRequest and Authorization header with the user's credentials. The highest threat from this vulnerability is to confidentiality and integrity.

authentification

An issue was discovered in Keycloak

CVE-2022-2668 7.2 - High - August 05, 2022

An issue was discovered in Keycloak that allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled

A flaw was found in undertow

CVE-2021-3597 5.9 - Medium - May 24, 2022

A flaw was found in undertow. The HTTP2SourceChannel fails to write the final frame under some circumstances, resulting in a denial of service. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.35.SP1, prior to 2.2.6.SP1, prior to 2.2.7.SP1, prior to 2.0.36.SP1, prior to 2.2.9.Final and prior to 2.0.39.Final.

Race Condition

A flaw was found in Undertow

CVE-2021-3629 5.9 - Medium - May 24, 2022

A flaw was found in Undertow. A potential security issue in flow control handling by the browser over http/2 may potentially cause overhead or a denial of service in the server. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.40.Final and prior to 2.2.11.Final.

Resource Exhaustion

A flaw was found in Wildfly

CVE-2021-3717 7.8 - High - May 24, 2022

A flaw was found in Wildfly. An incorrect JBOSS_LOCAL_USER challenge location when using the elytron configuration may lead to JBOSS_LOCAL_USER access to all users on the machine. The highest threat from this vulnerability is to confidentiality, integrity, and availability. This flaw affects wildfly-core versions prior to 17.0.

Files or Directories Accessible to External Parties

Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform

CVE-2022-1466 6.5 - Medium - April 26, 2022

Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform. It was possible to add users to the master realm even though no respective permission was granted.

AuthZ

A flaw was found in keycloak where keycloak may fail to logout user session if the logout request comes

CVE-2021-3461 7.1 - High - April 01, 2022

A flaw was found in keycloak where keycloak may fail to logout user session if the logout request comes from external SAML identity provider and Principal Type is set to Attribute [Name].

Insufficient Session Expiration

A flaw was found in JBoss-client

CVE-2022-0853 7.5 - High - March 11, 2022

A flaw was found in JBoss-client. The vulnerability occurs due to a memory leak on the JBoss client-side, when using UserTransaction repeatedly and leads to information leakage vulnerability.

Memory Leak

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration

CVE-2021-4104 7.5 - High - December 14, 2021

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Marshaling, Unmarshaling

A flaw was found in keycloak-model-infinispan in keycloak versions before 14.0.0 where authenticationSessions map in RootAuthenticationSessionEntity grows boundlessly

CVE-2021-3637 7.5 - High - July 09, 2021

A flaw was found in keycloak-model-infinispan in keycloak versions before 14.0.0 where authenticationSessions map in RootAuthenticationSessionEntity grows boundlessly which could lead to a DoS attack.

Allocation of Resources Without Limits or Throttling

A flaw was found in keycloak as shipped in Red Hat Single Sign-On 7.4 where IDN homograph attacks are possible

CVE-2021-3424 5.3 - Medium - June 01, 2021

A flaw was found in keycloak as shipped in Red Hat Single Sign-On 7.4 where IDN homograph attacks are possible. A malicious user can register himself with a name already registered and trick admin to grant him extra privileges.

A flaw was found in Keycloak before version 12.0.0 where it is possible to update the user's metadata attributes using Account REST API

CVE-2020-27826 4.2 - Medium - May 28, 2021

A flaw was found in Keycloak before version 12.0.0 where it is possible to update the user's metadata attributes using Account REST API. This flaw allows an attacker to change its own NameID attribute to impersonate the admin user for any particular application.

Execution with Unnecessary Privileges

An insecure modification flaw in the /etc/passwd file was found in the redhat-sso-7 container

CVE-2020-10695 7.8 - High - May 26, 2021

An insecure modification flaw in the /etc/passwd file was found in the redhat-sso-7 container. An attacker with access to the container can use this flaw to modify the /etc/passwd and escalate their privileges.

Incorrect Privilege Assignment

A flaw was found in Keycloak 12.0.0 where re-authentication does not occur while updating the password

CVE-2021-20262 6.8 - Medium - March 09, 2021

A flaw was found in Keycloak 12.0.0 where re-authentication does not occur while updating the password. This flaw allows an attacker to take over an account if they can obtain temporary, physical access to a users browser. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

Missing Authentication for Critical Function

A flaw was found in keycloak in versions prior to 13.0.0

CVE-2020-27838 6.5 - Medium - March 08, 2021

A flaw was found in keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients (like client secret) without authentication which could be an issue if the same PUBLIC client changed to CONFIDENTIAL later. The highest threat from this vulnerability is to data confidentiality.

authentification

A vulnerability was found in keycloak in the way that the OIDC logout endpoint does not have CSRF protection

CVE-2020-10734 3.3 - Low - February 11, 2021

A vulnerability was found in keycloak in the way that the OIDC logout endpoint does not have CSRF protection. Versions shipped with Red Hat Fuse 7, Red Hat Single Sign-on 7, and Red Hat Openshift Application Runtimes are believed to be vulnerable.

Session Riding

A flaw was found in Keycloak 7.0.1

CVE-2020-1717 2.7 - Low - February 11, 2021

A flaw was found in Keycloak 7.0.1. A logged in user can do an account email enumeration attack.

Generation of Error Message Containing Sensitive Information

The "Test Connection" available in v7.x of the Red Hat Single Sign On application console can permit an authorized user to cause SMTP connections to be attempted to arbitrary hosts and ports of the user's choosing, and originating

CVE-2020-14341 2.7 - Low - January 12, 2021

The "Test Connection" available in v7.x of the Red Hat Single Sign On application console can permit an authorized user to cause SMTP connections to be attempted to arbitrary hosts and ports of the user's choosing, and originating from the RHSSO installation. By observing differences in the timings of these scans, an attacker may glean information about hosts and ports which they do not have access to scan directly.

Covert Timing Channel

A memory leak flaw was found in WildFly in all versions up to 21.0.0.Final, where host-controller tries to reconnect in a loop, generating new connections

CVE-2020-25689 6.5 - Medium - November 02, 2020

A memory leak flaw was found in WildFly in all versions up to 21.0.0.Final, where host-controller tries to reconnect in a loop, generating new connections which are not properly closed while not able to connect to domain-controller. This flaw allows an attacker to cause an Out of memory (OOM) issue, leading to a denial of service. The highest threat from this vulnerability is to system availability.

Memory Leak

A flaw was found in JBoss EAP

CVE-2020-14299 6.5 - Medium - October 16, 2020

A flaw was found in JBoss EAP, where the authentication configuration is set-up using a legacy SecurityRealm, to delegate to a legacy PicketBox SecurityDomain, and then reloaded to admin-only mode. This flaw allows an attacker to perform a complete authentication bypass by using an arbitrary user and password. The highest threat to vulnerability is to system availability.

authentification

A memory leak flaw was found in WildFly OpenSSL in versions prior to 1.1.3.Final, where it removes an HTTP session

CVE-2020-25644 7.5 - High - October 06, 2020

A memory leak flaw was found in WildFly OpenSSL in versions prior to 1.1.3.Final, where it removes an HTTP session. It may allow the attacker to cause OOM leading to a denial of service. The highest threat from this vulnerability is to system availability.

Memory Leak

A flaw was discovered in all versions of Undertow before Undertow 2.2.0.Final

CVE-2020-10687 4.8 - Medium - September 23, 2020

A flaw was discovered in all versions of Undertow before Undertow 2.2.0.Final, where HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an attacker to poison a web-cache, perform an XSS attack, or obtain sensitive information from request other than their own.

HTTP Request Smuggling

A flaw was found in Keycloak's data filter, in version 10.0.1, where it allowed the processing of data URLs in some circumstances

CVE-2020-10748 6.1 - Medium - September 16, 2020

A flaw was found in Keycloak's data filter, in version 10.0.1, where it allowed the processing of data URLs in some circumstances. This flaw allows an attacker to conduct cross-site scripting or further attacks.

XSS

A vulnerability was found in Keycloak before 11.0.1 where DoS attack is possible by sending twenty requests simultaneously to the specified keycloak server, all with a Content-Length header value

CVE-2020-10758 7.5 - High - September 16, 2020

A vulnerability was found in Keycloak before 11.0.1 where DoS attack is possible by sending twenty requests simultaneously to the specified keycloak server, all with a Content-Length header value that exceeds the actual byte count of the request body.

Allocation of Resources Without Limits or Throttling

The issue appears to be

CVE-2020-1710 5.3 - Medium - September 16, 2020

The issue appears to be that JBoss EAP 6.4.21 does not parse the field-name in accordance to RFC7230[1] as it returns a 200 instead of a 400.

A flaw was discovered in Wildfly's EJB Client as shipped with Red Hat JBoss EAP 7, where some specific EJB transaction objects may get accumulated over the time and

CVE-2020-14297 6.5 - Medium - July 24, 2020

A flaw was discovered in Wildfly's EJB Client as shipped with Red Hat JBoss EAP 7, where some specific EJB transaction objects may get accumulated over the time and can cause services to slow down and eventaully unavailable. An attacker can take advantage and cause denial of service attack and make services unavailable.

Resource Exhaustion

A vulnerability was found in Wildfly's Enterprise Java Beans (EJB) versions shipped with Red Hat JBoss EAP 7, where SessionOpenInvocations are never removed

CVE-2020-14307 6.5 - Medium - July 24, 2020

A vulnerability was found in Wildfly's Enterprise Java Beans (EJB) versions shipped with Red Hat JBoss EAP 7, where SessionOpenInvocations are never removed from the remote InvocationTracker after a response is received in the EJB Client, as well as the server. This flaw allows an attacker to craft a denial of service attack to make the service unavailable.

Improper Resource Shutdown or Release

A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1

CVE-2019-14900 6.5 - Medium - July 06, 2020

A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.

SQL Injection

A flaw was found in Undertow in versions before 2.1.1.Final, regarding the processing of invalid HTTP requests with large chunk sizes

CVE-2020-10719 6.5 - Medium - May 26, 2020

A flaw was found in Undertow in versions before 2.1.1.Final, regarding the processing of invalid HTTP requests with large chunk sizes. This flaw allows an attacker to take advantage of HTTP request smuggling.

HTTP Request Smuggling

A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks

CVE-2020-1714 8.8 - High - May 13, 2020

A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized in a privileged context and potentially lead to remote code execution.

Improper Input Validation

A flaw was found in Keycloak in versions before 9.0.2

CVE-2020-1724 4.3 - Medium - May 11, 2020

A flaw was found in Keycloak in versions before 9.0.2. This flaw allows a malicious user that is currently logged in, to see the personal information of a previously logged out user in the account manager section.

Insufficient Session Expiration

A flaw was found in all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1, all undertow-1.x.x and undertow-2.x.x versions prior to undertow-2.1.0.Final, where the Servlet container causes servletPath to normalize incorrectly by truncating the path after semicolon

CVE-2020-1757 8.1 - High - April 21, 2020

A flaw was found in all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1, all undertow-1.x.x and undertow-2.x.x versions prior to undertow-2.1.0.Final, where the Servlet container causes servletPath to normalize incorrectly by truncating the path after semicolon which may lead to an application mapping resulting in the security bypass.

Improper Input Validation

A flaw was found when an OpenSSL security provider is used with Wildfly

CVE-2019-14887 9.1 - Critical - March 16, 2020

A flaw was found when an OpenSSL security provider is used with Wildfly, the 'enabled-protocols' value in the Wildfly configuration isn't honored. An attacker could target the traffic sent from Wildfly and downgrade the connection to a weaker version of TLS, potentially breaking the encryption. This could lead to a leak of the data being passed over the network. Wildfly version 7.2.0.GA, 7.2.3.GA and 7.2.5.CR2 are believed to be vulnerable.

It was found in all keycloak versions before 9.0.0

CVE-2020-1697 5.4 - Medium - February 10, 2020

It was found in all keycloak versions before 9.0.0 that links to external applications (Application Links) in the admin console are not validated properly and could allow Stored XSS attacks. An authed malicious user could create URLs to trick users in other realms, and possibly conduct further attacks.

XSS

A flaw was found in the JBoss EAP Vault system in all versions before 7.2.6.GA

CVE-2019-14885 4.3 - Medium - January 23, 2020

A flaw was found in the JBoss EAP Vault system in all versions before 7.2.6.GA. Confidential information of the system property's security attribute value is revealed in the JBoss EAP log file when executing a JBoss CLI 'reload' command. This flaw can lead to the exposure of confidential information.

Insertion of Sensitive Information into Log File

A vulnerability was found in the Undertow HTTP server in versions before 2.0.28.SP1 when listening on HTTPS

CVE-2019-14888 7.5 - High - January 23, 2020

A vulnerability was found in the Undertow HTTP server in versions before 2.0.28.SP1 when listening on HTTPS. An attacker can target the HTTPS port to carry out a Denial Of Service (DOS) to make the service unavailable on SSL.

It was found that keycloak before version 8.0.0 exposes internal adapter endpoints in org.keycloak.constants.AdapterConstants, which can be invoked

CVE-2019-14820 4.3 - Medium - January 08, 2020

It was found that keycloak before version 8.0.0 exposes internal adapter endpoints in org.keycloak.constants.AdapterConstants, which can be invoked via a specially-crafted URL. This vulnerability could allow an attacker to access unauthorized information.

A flaw was found in Wildfly Security Manager, running under JDK 11 or 8, that authorized requests for any requester

CVE-2019-14843 8.8 - High - January 07, 2020

A flaw was found in Wildfly Security Manager, running under JDK 11 or 8, that authorized requests for any requester. This flaw could be used by a malicious app deployed on the app server to access unauthorized information and possibly conduct further attacks. Versions shipped with Red Hat Jboss EAP 7 and Red Hat SSO 7 are vulnerable to this issue.

AuthZ

A flaw was found in keycloack before version 8.0.0

CVE-2019-14837 9.1 - Critical - January 07, 2020

A flaw was found in keycloack before version 8.0.0. The owner of 'placeholder.org' domain can setup mail server on this domain and knowing only name of a client can reset password and then log in. For example, for client name 'test' the email address will be 'service-account-test@placeholder.org'.

Use of Hard-coded Credentials

A vulnerability was found in Infinispan such

CVE-2019-10174 8.8 - High - November 25, 2019

A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious behavior into the application.

Reflection Injection

A vulnerability was found in Hibernate-Validator

CVE-2019-10219 6.1 - Medium - November 08, 2019

A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack.

XSS

A flaw was found in, all under 2.0.20, in the Undertow DEBUG log for io.undertow.request.security

CVE-2019-10212 9.8 - Critical - October 02, 2019

A flaw was found in, all under 2.0.20, in the Undertow DEBUG log for io.undertow.request.security. If enabled, an attacker could abuse this flaw to obtain the user's credentials from the log files.

Insertion of Sensitive Information into Log File

It was found that Keycloak's SAML broker, versions up to 6.0.1, did not verify missing message signatures

CVE-2019-10201 8.1 - High - August 14, 2019

It was found that Keycloak's SAML broker, versions up to 6.0.1, did not verify missing message signatures. If an attacker modifies the SAML Response and removes the <Signature> sections, the message is still accepted, and the message can be modified. An attacker could use this flaw to impersonate other users and gain access to sensitive information.

authentification

Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service

CVE-2019-9514 7.5 - High - August 13, 2019

Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.

Allocation of Resources Without Limits or Throttling

Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service

CVE-2019-9515 7.5 - High - August 13, 2019

Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.

Allocation of Resources Without Limits or Throttling

undertow before version 2.0.23.Final is vulnerable to an information leak issue

CVE-2019-10184 7.5 - High - July 25, 2019

undertow before version 2.0.23.Final is vulnerable to an information leak issue. Web apps may have their directory structures predicted through requests without trailing slashes via the api.

AuthZ

It was found that a SAMLRequest containing a script could be processed by Picketlink versions shipped in Jboss Application Platform 7.2.x and 7.1.x

CVE-2019-3872 5.4 - Medium - June 12, 2019

It was found that a SAMLRequest containing a script could be processed by Picketlink versions shipped in Jboss Application Platform 7.2.x and 7.1.x. An attacker could use this to send a malicious script to achieve cross-site scripting and obtain unauthorized information or conduct further attacks.

XSS

It was found that Keycloak's Node.js adapter before version 4.8.3 did not properly verify the web token received

CVE-2019-10157 5.5 - Medium - June 12, 2019

It was found that Keycloak's Node.js adapter before version 4.8.3 did not properly verify the web token received from the server in its backchannel logout . An attacker with local access could use this to construct a malicious web token setting an NBF parameter that could prevent user access indefinitely.

authentification

A vulnerability was found in keycloak before 6.0.2

CVE-2019-3875 4.8 - Medium - June 12, 2019

A vulnerability was found in keycloak before 6.0.2. The X.509 authenticator supports the verification of client certificates through the CRL, where the CRL list can be obtained from the URL provided in the certificate itself (CDP) or through the separately configured path. The CRL are often available over the network through unsecured protocols ('http' or 'ldap') and hence the caller should verify the signature and possibly the certification path. Keycloak currently doesn't validate signatures on CRL, which can result in a possibility of various attacks like man-in-the-middle.

Improper Certificate Validation

It was found that Picketlink as shipped with Jboss Enterprise Application Platform 7.2

CVE-2019-3873 9 - Critical - June 12, 2019

It was found that Picketlink as shipped with Jboss Enterprise Application Platform 7.2 would accept an xinclude parameter in SAMLresponse XML. An attacker could use this flaw to send a URL to achieve cross-site scripting or possibly conduct further attacks.

XSS

A cross-site scripting (XSS) vulnerability was found in the JBoss Management Console versions before 7.1.6.CR1, 7.1.6.GA

CVE-2018-10934 5.4 - Medium - March 27, 2019

A cross-site scripting (XSS) vulnerability was found in the JBoss Management Console versions before 7.1.6.CR1, 7.1.6.GA. Users with roles that can create objects in the application can exploit this to attack other privileged users.

XSS

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6

CVE-2018-12023 7.5 - High - March 21, 2019

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.

Marshaling, Unmarshaling

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6

CVE-2018-12022 7.5 - High - March 21, 2019

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.

Marshaling, Unmarshaling

A flaw was found in Keycloak 4.2.1.Final, 4.3.0.Final

CVE-2018-14657 8.1 - High - November 13, 2018

A flaw was found in Keycloak 4.2.1.Final, 4.3.0.Final. When TOPT enabled, an improper implementation of the Brute Force detection algorithm will not enforce its protection measures.

Improper Restriction of Excessive Authentication Attempts

A flaw was found in Keycloak 3.4.3.Final, 4.0.0.Beta2, 4.3.0.Final

CVE-2018-14655 5.4 - Medium - November 13, 2018

A flaw was found in Keycloak 3.4.3.Final, 4.0.0.Beta2, 4.3.0.Final. When using 'response_mode=form_post' it is possible to inject arbitrary Javascript-Code via the 'state'-parameter in the authentication URL. This allows an XSS-Attack upon succesfully login.

XSS

keycloak before version 4.0.0.final is vulnerable to a infinite loop in session replacement

CVE-2018-10912 4.9 - Medium - July 23, 2018

keycloak before version 4.0.0.final is vulnerable to a infinite loop in session replacement. A Keycloak cluster with multiple nodes could mishandle an expired session replacement and lead to an infinite loop. A malicious authenticated user could use this flaw to achieve Denial of Service on the server.

Infinite Loop