Total
32 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2019-14887 | 1 Redhat | 6 Jboss Data Grid, Jboss Enterprise Application Platform, Jboss Fuse and 3 more | 2021-11-02 | 6.4 MEDIUM | 9.1 CRITICAL |
A flaw was found when an OpenSSL security provider is used with Wildfly, the 'enabled-protocols' value in the Wildfly configuration isn't honored. An attacker could target the traffic sent from Wildfly and downgrade the connection to a weaker version of TLS, potentially breaking the encryption. This could lead to a leak of the data being passed over the network. Wildfly version 7.2.0.GA, 7.2.3.GA and 7.2.5.CR2 are believed to be vulnerable. | |||||
CVE-2021-3642 | 2 Quarkus, Redhat | 13 Quarkus, Build Of Quarkus, Codeready Studio and 10 more | 2021-10-20 | 3.5 LOW | 5.3 MEDIUM |
A flaw was found in Wildfly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final where ScramServer may be susceptible to Timing Attack if enabled. The highest threat of this vulnerability is confidentiality. | |||||
CVE-2020-1714 | 2 Quarkus, Redhat | 7 Quarkus, Decision Manager, Jboss Fuse and 4 more | 2021-10-19 | 6.5 MEDIUM | 8.8 HIGH |
A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized in a privileged context and potentially lead to remote code execution. | |||||
CVE-2020-27782 | 1 Redhat | 3 Jboss Fuse, Openshift Application Runtimes, Undertow | 2021-02-26 | 7.8 HIGH | 7.5 HIGH |
A flaw was found in the Undertow AJP connector. Malicious requests and abrupt connection closes could be triggered by an attacker using query strings with non-RFC compliant characters resulting in a denial of service. The highest threat from this vulnerability is to system availability. This affects Undertow 2.1.5.SP1, 2.0.33.SP2, and 2.2.3.SP1. | |||||
CVE-2020-10734 | 1 Redhat | 4 Jboss Fuse, Keycloak, Openshift Application Runtimes and 1 more | 2021-02-26 | 2.1 LOW | 3.3 LOW |
A vulnerability was found in keycloak in the way that the OIDC logout endpoint does not have CSRF protection. Versions shipped with Red Hat Fuse 7, Red Hat Single Sign-on 7, and Red Hat Openshift Application Runtimes are believed to be vulnerable. | |||||
CVE-2020-1717 | 1 Redhat | 4 Jboss Fuse, Keycloak, Openshift Application Runtimes and 1 more | 2021-02-17 | 4.0 MEDIUM | 2.7 LOW |
A flaw was found in Keycloak 7.0.1. A logged in user can do an account email enumeration attack. | |||||
CVE-2020-10758 | 1 Redhat | 3 Keycloak, Openshift Application Runtimes, Single Sign-on | 2021-02-03 | 5.0 MEDIUM | 7.5 HIGH |
A vulnerability was found in Keycloak before 11.0.1 where DoS attack is possible by sending twenty requests simultaneously to the specified keycloak server, all with a Content-Length header value that exceeds the actual byte count of the request body. | |||||
CVE-2020-14299 | 1 Redhat | 3 Jboss Enterprise Application Platform, Openshift Application Runtimes, Single Sign-on | 2020-10-27 | 6.3 MEDIUM | 6.5 MEDIUM |
A flaw was found in JBoss EAP, where the authentication configuration is set-up using a legacy SecurityRealm, to delegate to a legacy PicketBox SecurityDomain, and then reloaded to admin-only mode. This flaw allows an attacker to perform a complete authentication bypass by using an arbitrary user and password. The highest threat to vulnerability is to system availability. | |||||
CVE-2020-1710 | 1 Redhat | 4 Jboss Data Grid, Jboss Enterprise Application Platform, Openshift Application Runtimes and 1 more | 2020-09-22 | 5.0 MEDIUM | 5.3 MEDIUM |
The issue appears to be that JBoss EAP 6.4.21 does not parse the field-name in accordance to RFC7230[1] as it returns a 200 instead of a 400. | |||||
CVE-2020-1718 | 1 Redhat | 3 Jboss Fuse, Keycloak, Openshift Application Runtimes | 2020-05-14 | 6.5 MEDIUM | 8.8 HIGH |
A flaw was found in the reset credential flow in all Keycloak versions before 8.0.0. This flaw allows an attacker to gain unauthorized access to the application. | |||||
CVE-2020-1732 | 1 Redhat | 4 Jboss Enterprise Application Platform, Jboss Enterprise Application Platform Continuous Delivery, Openshift Application Runtimes and 1 more | 2020-05-08 | 4.9 MEDIUM | 4.2 MEDIUM |
A flaw was found in Soteria before 1.0.1, in a way that multiple requests occurring concurrently causing security identity corruption across concurrent threads when using EE Security with WildFly Elytron which can lead to the possibility of being handled using the identity from another request. | |||||
CVE-2020-1757 | 1 Redhat | 6 Jboss Data Grid, Jboss Enterprise Application Platform, Jboss Fuse and 3 more | 2020-04-30 | 5.5 MEDIUM | 8.1 HIGH |
A flaw was found in all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1, all undertow-1.x.x and undertow-2.x.x versions prior to undertow-2.1.0.Final, where the Servlet container causes servletPath to normalize incorrectly by truncating the path after semicolon which may lead to an application mapping resulting in the security bypass. |