Filtered by vendor Redhat
Subscriptions
Filtered by product Red Hat Single Sign On
Subscriptions
Total
211 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-11831 | 1 Redhat | 35 Acm, Advanced Cluster Security, Ansible Automation Platform and 32 more | 2025-03-12 | 5.4 Medium |
| A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package. | ||||
| CVE-2023-6717 | 1 Redhat | 15 Amq Broker, Build Keycloak, Jboss Data Grid and 12 more | 2025-03-11 | 6 Medium |
| A flaw was found in the SAML client registration in Keycloak that could allow an administrator to register malicious JavaScript URIs as Assertion Consumer Service POST Binding URLs (ACS), posing a Cross-Site Scripting (XSS) risk. This issue may allow a malicious admin in one realm or a client with registration access to target users in different realms or applications, executing arbitrary JavaScript in their contexts upon form submission. This can enable unauthorized access and harmful actions, compromising the confidentiality, integrity, and availability of the complete KC instance. | ||||
| CVE-2025-0604 | 1 Redhat | 2 Build Keycloak, Red Hat Single Sign On | 2025-03-11 | 5.4 Medium |
| A flaw was found in Keycloak. When an Active Directory user resets their password, the system updates it without performing an LDAP bind to validate the new credentials against AD. This vulnerability allows users whose AD accounts are expired or disabled to regain access in Keycloak, bypassing AD restrictions. The issue enables authentication bypass and could allow unauthorized access under certain conditions. | ||||
| CVE-2023-44487 | 32 Akka, Amazon, Apache and 29 more | 364 Http Server, Opensearch Data Prepper, Apisix and 361 more | 2025-03-07 | 7.5 High |
| The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. | ||||
| CVE-2024-1249 | 1 Redhat | 15 Amq Broker, Amq Streams, Build Keycloak and 12 more | 2025-03-06 | 7.4 High |
| A flaw was found in Keycloak's OIDC component in the "checkLoginIframe," which allows unvalidated cross-origin messages. This flaw allows attackers to coordinate and send millions of requests in seconds using simple code, significantly impacting the application's availability without proper origin validation for incoming messages. | ||||
| CVE-2024-1635 | 1 Redhat | 16 Amq Streams, Build Keycloak, Camel Quarkus and 13 more | 2025-03-06 | 7.5 High |
| A vulnerability was found in Undertow. This vulnerability impacts a server that supports the wildfly-http-client protocol. Whenever a malicious user opens and closes a connection with the HTTP port of the server and then closes the connection immediately, the server will end with both memory and open file limits exhausted at some point, depending on the amount of memory available. At HTTP upgrade to remoting, the WriteTimeoutStreamSinkConduit leaks connections if RemotingConnection is closed by Remoting ServerConnectionOpenListener. Because the remoting connection originates in Undertow as part of the HTTP upgrade, there is an external layer to the remoting connection. This connection is unaware of the outermost layer when closing the connection during the connection opening procedure. Hence, the Undertow WriteTimeoutStreamSinkConduit is not notified of the closed connection in this scenario. Because WriteTimeoutStreamSinkConduit creates a timeout task, the whole dependency tree leaks via that task, which is added to XNIO WorkerThread. So, the workerThread points to the Undertow conduit, which contains the connections and causes the leak. | ||||
| CVE-2024-3653 | 1 Redhat | 17 Amq Streams, Build Keycloak, Camel Quarkus and 14 more | 2025-03-04 | 5.3 Medium |
| A vulnerability was found in Undertow. This issue requires enabling the learning-push handler in the server's config, which is disabled by default, leaving the maxAge config in the handler unconfigured. The default is -1, which makes the handler vulnerable. If someone overwrites that config, the server is not subject to the attack. The attacker needs to be able to reach the server with a normal HTTP request. | ||||
| CVE-2025-23368 | 1 Redhat | 8 Build Keycloak, Integration, Jboss Data Grid and 5 more | 2025-03-04 | 8.1 High |
| A flaw was found in Wildfly Elytron integration. The component does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks via CLI. | ||||
| CVE-2024-6162 | 1 Redhat | 11 Apache Camel Spring Boot, Build Keycloak, Camel Spring Boot and 8 more | 2025-03-03 | 7.5 High |
| A vulnerability was found in Undertow, where URL-encoded request paths can be mishandled during concurrent requests on the AJP listener. This issue arises because the same buffer is used to decode the paths for multiple requests simultaneously, leading to incorrect path information being processed. As a result, the server may attempt to access the wrong path, causing errors such as "404 Not Found" or other application failures. This flaw can potentially lead to a denial of service, as legitimate resources become inaccessible due to the path mix-up. | ||||
| CVE-2024-10234 | 1 Redhat | 7 Build Keycloak, Build Of Keycloak, Jboss Data Grid and 4 more | 2025-03-03 | 6.1 Medium |
| A vulnerability was found in Wildfly, where a user may perform Cross-site scripting in the Wildfly deployment system. This flaw allows an attacker or insider to execute a deployment with a malicious payload, which could trigger undesired behavior against the server. | ||||
| CVE-2024-1132 | 1 Redhat | 13 Amq Broker, Build Keycloak, Jboss Data Grid and 10 more | 2025-03-03 | 8.1 High |
| A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to construct a malicious request to bypass validation and access other URLs and sensitive information within the domain or conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field, and requires user interaction within the malicious URL. | ||||
| CVE-2023-5685 | 1 Redhat | 12 Apache-camel-spring-boot, Build Keycloak, Camel Spring Boot and 9 more | 2025-03-03 | 7.5 High |
| A flaw was found in XNIO. The XNIO NotifierState that can cause a Stack Overflow Exception when the chain of notifier states becomes problematically large can lead to uncontrolled resource management and a possible denial of service (DoS). | ||||
| CVE-2024-7885 | 1 Redhat | 19 Apache Camel Spring Boot, Build Keycloak, Build Of Apache Camel - Hawtio and 16 more | 2025-03-03 | 7.5 High |
| A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. This issue occurs when the parseProxyProtocolV1 method processes multiple requests on the same HTTP connection. As a result, different requests may share the same StringBuilder instance, potentially leading to information leakage between requests or responses. In some cases, a value from a previous request or response may be erroneously reused, which could lead to unintended data exposure. This issue primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments. | ||||
| CVE-2024-5971 | 1 Redhat | 12 Apache Camel Spring Boot, Build Keycloak, Camel Spring Boot and 9 more | 2025-03-03 | 7.5 High |
| A vulnerability was found in Undertow, where the chunked response hangs after the body was flushed. The response headers and body were sent but the client would continue waiting as Undertow does not send the expected 0\r\n termination of the chunked response. This results in uncontrolled resource consumption, leaving the server side to a denial of service attack. This happens only with Java 17 TLSv1.3 scenarios. | ||||
| CVE-2024-10492 | 1 Redhat | 4 Build Keycloak, Jboss Enterprise Application Platform, Jbosseapxp and 1 more | 2025-02-27 | N/A |
| A vulnerability was found in Keycloak. A user with high privileges could read sensitive information from a Vault file that is not within the expected context. This attacker must have previous high access to the Keycloak server in order to perform resource creation, for example, an LDAP provider configuration and set up a Vault read file, which will only inform whether that file exists or not. | ||||
| CVE-2024-4029 | 1 Redhat | 7 Build Keycloak, Jboss Data Grid, Jboss Enterprise Application Platform and 4 more | 2025-02-27 | 4.1 Medium |
| A vulnerability was found in Wildfly’s management interface. Due to the lack of limitation of sockets for the management interface, it may be possible to cause a denial of service hitting the nofile limit as there is no possibility to configure or set a maximum number of connections. | ||||
| CVE-2024-10270 | 1 Redhat | 4 Build Keycloak, Jboss Enterprise Application Platform, Jbosseapxp and 1 more | 2025-02-27 | 6.5 Medium |
| A vulnerability was found in the Keycloak-services package. If untrusted data is passed to the SearchQueryUtils method, it could lead to a denial of service (DoS) scenario by exhausting system resources due to a Regex complexity. | ||||
| CVE-2024-1102 | 1 Redhat | 6 Build Keycloak, Jboss Data Grid, Jboss Enterprise Application Platform and 3 more | 2025-02-27 | 6.5 Medium |
| A vulnerability was found in jberet-core logging. An exception in 'dbProperties' might display user credentials such as the username and password for the database-connection. | ||||
| CVE-2025-23367 | 1 Redhat | 7 Build Keycloak, Jboss Data Grid, Jboss Enterprise Application Platform and 4 more | 2025-02-27 | 6.5 Medium |
| A flaw was found in the Wildfly Server Role Based Access Control (RBAC) provider. When authorization to control management operations is secured using the Role Based Access Control provider, a user without the required privileges can suspend or resume the server. A user with a Monitor or Auditor role is supposed to have only read access permissions and should not be able to suspend the server. The vulnerability is caused by the Suspend and Resume handlers not performing authorization checks to validate whether the current user has the required permissions to proceed with the action. | ||||
| CVE-2021-46877 | 2 Fasterxml, Redhat | 13 Jackson-databind, Amq Streams, Camel Spring Boot and 10 more | 2025-02-26 | 7.5 High |
| jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization. | ||||