Total
97 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-10758 | 1 Redhat | 3 Keycloak, Openshift Application Runtimes, Single Sign-on | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability was found in Keycloak before 11.0.1 where DoS attack is possible by sending twenty requests simultaneously to the specified keycloak server, all with a Content-Length header value that exceeds the actual byte count of the request body. | |||||
| CVE-2020-1724 | 1 Redhat | 3 Keycloak, Openshift Application Runtimes, Single Sign-on | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
| A flaw was found in Keycloak in versions before 9.0.2. This flaw allows a malicious user that is currently logged in, to see the personal information of a previously logged out user in the account manager section. | |||||
| CVE-2020-14307 | 1 Redhat | 5 Amq, Jboss Enterprise Application Platform Continuous Delivery, Jboss Fuse and 2 more | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
| A vulnerability was found in Wildfly's Enterprise Java Beans (EJB) versions shipped with Red Hat JBoss EAP 7, where SessionOpenInvocations are never removed from the remote InvocationTracker after a response is received in the EJB Client, as well as the server. This flaw allows an attacker to craft a denial of service attack to make the service unavailable. | |||||
| CVE-2020-1714 | 2 Quarkus, Redhat | 7 Quarkus, Decision Manager, Jboss Fuse and 4 more | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
| A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized in a privileged context and potentially lead to remote code execution. | |||||
| CVE-2020-1757 | 1 Redhat | 6 Jboss Data Grid, Jboss Enterprise Application Platform, Jboss Fuse and 3 more | 2024-02-28 | 5.5 MEDIUM | 8.1 HIGH |
| A flaw was found in all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1, all undertow-1.x.x and undertow-2.x.x versions prior to undertow-2.1.0.Final, where the Servlet container causes servletPath to normalize incorrectly by truncating the path after semicolon which may lead to an application mapping resulting in the security bypass. | |||||
| CVE-2019-14887 | 1 Redhat | 6 Jboss Data Grid, Jboss Enterprise Application Platform, Jboss Fuse and 3 more | 2024-02-28 | 6.4 MEDIUM | 9.1 CRITICAL |
| A flaw was found when an OpenSSL security provider is used with Wildfly, the 'enabled-protocols' value in the Wildfly configuration isn't honored. An attacker could target the traffic sent from Wildfly and downgrade the connection to a weaker version of TLS, potentially breaking the encryption. This could lead to a leak of the data being passed over the network. Wildfly version 7.2.0.GA, 7.2.3.GA and 7.2.5.CR2 are believed to be vulnerable. | |||||
| CVE-2020-14297 | 1 Redhat | 6 Amq, Jboss-ejb-client, Jboss Enterprise Application Platform Continuous Delivery and 3 more | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
| A flaw was discovered in Wildfly's EJB Client as shipped with Red Hat JBoss EAP 7, where some specific EJB transaction objects may get accumulated over the time and can cause services to slow down and eventaully unavailable. An attacker can take advantage and cause denial of service attack and make services unavailable. | |||||
| CVE-2019-14900 | 3 Hibernate, Quarkus, Redhat | 11 Hibernate Orm, Quarkus, Build Of Quarkus and 8 more | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
| A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. | |||||
| CVE-2020-1710 | 1 Redhat | 4 Jboss Data Grid, Jboss Enterprise Application Platform, Openshift Application Runtimes and 1 more | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| The issue appears to be that JBoss EAP 6.4.21 does not parse the field-name in accordance to RFC7230[1] as it returns a 200 instead of a 400. | |||||
| CVE-2020-10719 | 2 Netapp, Redhat | 9 Active Iq Unified Manager, Oncommand Insight, Oncommand Workflow Automation and 6 more | 2024-02-28 | 6.4 MEDIUM | 6.5 MEDIUM |
| A flaw was found in Undertow in versions before 2.1.1.Final, regarding the processing of invalid HTTP requests with large chunk sizes. This flaw allows an attacker to take advantage of HTTP request smuggling. | |||||
| CVE-2020-10748 | 1 Redhat | 2 Keycloak, Single Sign-on | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| A flaw was found in Keycloak's data filter, in version 10.0.1, where it allowed the processing of data URLs in some circumstances. This flaw allows an attacker to conduct cross-site scripting or further attacks. | |||||
| CVE-2019-10212 | 2 Netapp, Redhat | 8 Active Iq Unified Manager, Enterprise Linux, Jboss Data Grid and 5 more | 2024-02-28 | 4.3 MEDIUM | 9.8 CRITICAL |
| A flaw was found in, all under 2.0.20, in the Undertow DEBUG log for io.undertow.request.security. If enabled, an attacker could abuse this flaw to obtain the user's credentials from the log files. | |||||
| CVE-2019-10174 | 3 Infinispan, Netapp, Redhat | 8 Infinispan, Active Iq Unified Manager, Enterprise Linux and 5 more | 2024-02-28 | 6.5 MEDIUM | 8.8 HIGH |
| A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious behavior into the application. | |||||
| CVE-2019-14837 | 1 Redhat | 2 Keycloak, Single Sign-on | 2024-02-28 | 6.4 MEDIUM | 9.1 CRITICAL |
| A flaw was found in keycloack before version 8.0.0. The owner of 'placeholder.org' domain can setup mail server on this domain and knowing only name of a client can reset password and then log in. For example, for client name 'test' the email address will be 'service-account-test@placeholder.org'. | |||||
| CVE-2019-14820 | 1 Redhat | 4 Jboss Enterprise Application Platform, Jboss Fuse, Keycloak and 1 more | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
| It was found that keycloak before version 8.0.0 exposes internal adapter endpoints in org.keycloak.constants.AdapterConstants, which can be invoked via a specially-crafted URL. This vulnerability could allow an attacker to access unauthorized information. | |||||
| CVE-2019-10219 | 3 Netapp, Oracle, Redhat | 195 Active Iq Unified Manager, Element, Management Services For Element Software And Netapp Hci and 192 more | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack. | |||||
| CVE-2019-14888 | 2 Netapp, Redhat | 6 Active Iq Unified Manager, Jboss Data Grid, Jboss Enterprise Application Platform and 3 more | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability was found in the Undertow HTTP server in versions before 2.0.28.SP1 when listening on HTTPS. An attacker can target the HTTPS port to carry out a Denial Of Service (DOS) to make the service unavailable on SSL. | |||||
| CVE-2019-14838 | 1 Redhat | 5 Data Grid, Enterprise Linux, Jboss Enterprise Application Platform and 2 more | 2024-02-28 | 4.0 MEDIUM | 4.9 MEDIUM |
| A flaw was found in wildfly-core before 7.2.5.GA. The Management users with Monitor, Auditor and Deployer Roles should not be allowed to modify the runtime state of the server | |||||
| CVE-2019-14885 | 1 Redhat | 2 Jboss Enterprise Application Platform, Single Sign-on | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
| A flaw was found in the JBoss EAP Vault system in all versions before 7.2.6.GA. Confidential information of the system property's security attribute value is revealed in the JBoss EAP log file when executing a JBoss CLI 'reload' command. This flaw can lead to the exposure of confidential information. | |||||
| CVE-2020-1697 | 1 Redhat | 2 Keycloak, Single Sign-on | 2024-02-28 | 3.5 LOW | 5.4 MEDIUM |
| It was found in all keycloak versions before 9.0.0 that links to external applications (Application Links) in the admin console are not validated properly and could allow Stored XSS attacks. An authed malicious user could create URLs to trick users in other realms, and possibly conduct further attacks. | |||||