Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Redhat Subscribe
Filtered by product Single Sign-on
Total 74 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-10174 3 Infinispan, Netapp, Redhat 8 Infinispan, Active Iq Unified Manager, Enterprise Linux and 5 more 2022-02-19 6.5 MEDIUM 8.8 HIGH
A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious behavior into the application.
CVE-2019-10212 2 Netapp, Redhat 8 Active Iq Unified Manager, Enterprise Linux, Jboss Data Grid and 5 more 2022-02-19 4.3 MEDIUM 9.8 CRITICAL
A flaw was found in, all under 2.0.20, in the Undertow DEBUG log for io.undertow.request.security. If enabled, an attacker could abuse this flaw to obtain the user's credentials from the log files.
CVE-2019-10184 2 Netapp, Redhat 7 Active Iq Unified Manager, Enterprise Linux, Jboss Data Grid and 4 more 2022-02-19 5.0 MEDIUM 7.5 HIGH
undertow before version 2.0.23.Final is vulnerable to an information leak issue. Web apps may have their directory structures predicted through requests without trailing slashes via the api.
CVE-2019-14887 1 Redhat 6 Jboss Data Grid, Jboss Enterprise Application Platform, Jboss Fuse and 3 more 2021-11-02 6.4 MEDIUM 9.1 CRITICAL
A flaw was found when an OpenSSL security provider is used with Wildfly, the 'enabled-protocols' value in the Wildfly configuration isn't honored. An attacker could target the traffic sent from Wildfly and downgrade the connection to a weaker version of TLS, potentially breaking the encryption. This could lead to a leak of the data being passed over the network. Wildfly version 7.2.0.GA, 7.2.3.GA and 7.2.5.CR2 are believed to be vulnerable.
CVE-2019-14820 1 Redhat 4 Jboss Enterprise Application Platform, Jboss Fuse, Keycloak and 1 more 2021-10-29 4.0 MEDIUM 4.3 MEDIUM
It was found that keycloak before version 8.0.0 exposes internal adapter endpoints in org.keycloak.constants.AdapterConstants, which can be invoked via a specially-crafted URL. This vulnerability could allow an attacker to access unauthorized information.
CVE-2020-1714 2 Quarkus, Redhat 7 Quarkus, Decision Manager, Jboss Fuse and 4 more 2021-10-19 6.5 MEDIUM 8.8 HIGH
A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized in a privileged context and potentially lead to remote code execution.
CVE-2021-3637 1 Redhat 2 Keycloak, Single Sign-on 2021-07-13 5.0 MEDIUM 7.5 HIGH
A flaw was found in keycloak-model-infinispan in keycloak versions before 14.0.0 where authenticationSessions map in RootAuthenticationSessionEntity grows boundlessly which could lead to a DoS attack.
CVE-2020-27826 1 Redhat 2 Keycloak, Single Sign-on 2021-06-04 4.9 MEDIUM 4.2 MEDIUM
A flaw was found in Keycloak before version 12.0.0 where it is possible to update the user's metadata attributes using Account REST API. This flaw allows an attacker to change its own NameID attribute to impersonate the admin user for any particular application.
CVE-2020-10695 1 Redhat 1 Single Sign-on 2021-06-03 4.6 MEDIUM 7.8 HIGH
An insecure modification flaw in the /etc/passwd file was found in the redhat-sso-7 container. An attacker with access to the container can use this flaw to modify the /etc/passwd and escalate their privileges.
CVE-2018-10912 1 Redhat 2 Keycloak, Single Sign-on 2021-04-21 4.0 MEDIUM 4.9 MEDIUM
keycloak before version 4.0.0.final is vulnerable to a infinite loop in session replacement. A Keycloak cluster with multiple nodes could mishandle an expired session replacement and lead to an infinite loop. A malicious authenticated user could use this flaw to achieve Denial of Service on the server.
CVE-2020-27838 1 Redhat 2 Keycloak, Single Sign-on 2021-03-15 4.3 MEDIUM 6.5 MEDIUM
A flaw was found in keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients (like client secret) without authentication which could be an issue if the same PUBLIC client changed to CONFIDENTIAL later. The highest threat from this vulnerability is to data confidentiality.
CVE-2021-20262 1 Redhat 2 Keycloak, Single Sign-on 2021-03-15 4.6 MEDIUM 6.8 MEDIUM
A flaw was found in Keycloak 12.0.0 where re-authentication does not occur while updating the password. This flaw allows an attacker to take over an account if they can obtain temporary, physical access to a user’s browser. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
CVE-2020-10734 1 Redhat 4 Jboss Fuse, Keycloak, Openshift Application Runtimes and 1 more 2021-02-26 2.1 LOW 3.3 LOW
A vulnerability was found in keycloak in the way that the OIDC logout endpoint does not have CSRF protection. Versions shipped with Red Hat Fuse 7, Red Hat Single Sign-on 7, and Red Hat Openshift Application Runtimes are believed to be vulnerable.
CVE-2020-1717 1 Redhat 4 Jboss Fuse, Keycloak, Openshift Application Runtimes and 1 more 2021-02-17 4.0 MEDIUM 2.7 LOW
A flaw was found in Keycloak 7.0.1. A logged in user can do an account email enumeration attack.
CVE-2020-10758 1 Redhat 3 Keycloak, Openshift Application Runtimes, Single Sign-on 2021-02-03 5.0 MEDIUM 7.5 HIGH
A vulnerability was found in Keycloak before 11.0.1 where DoS attack is possible by sending twenty requests simultaneously to the specified keycloak server, all with a Content-Length header value that exceeds the actual byte count of the request body.
CVE-2020-14341 1 Redhat 1 Single Sign-on 2021-01-19 4.0 MEDIUM 2.7 LOW
The "Test Connection" available in v7.x of the Red Hat Single Sign On application console can permit an authorized user to cause SMTP connections to be attempted to arbitrary hosts and ports of the user's choosing, and originating from the RHSSO installation. By observing differences in the timings of these scans, an attacker may glean information about hosts and ports which they do not have access to scan directly.
CVE-2020-14299 1 Redhat 3 Jboss Enterprise Application Platform, Openshift Application Runtimes, Single Sign-on 2020-10-27 6.3 MEDIUM 6.5 MEDIUM
A flaw was found in JBoss EAP, where the authentication configuration is set-up using a legacy SecurityRealm, to delegate to a legacy PicketBox SecurityDomain, and then reloaded to admin-only mode. This flaw allows an attacker to perform a complete authentication bypass by using an arbitrary user and password. The highest threat to vulnerability is to system availability.
CVE-2018-12023 5 Debian, Fasterxml, Fedoraproject and 2 more 11 Debian Linux, Jackson-databind, Fedora and 8 more 2020-10-20 5.1 MEDIUM 7.5 HIGH
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.
CVE-2018-12022 5 Debian, Fasterxml, Fedoraproject and 2 more 11 Debian Linux, Jackson-databind, Fedora and 8 more 2020-10-20 5.1 MEDIUM 7.5 HIGH
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.
CVE-2019-14838 1 Redhat 5 Data Grid, Enterprise Linux, Jboss Enterprise Application Platform and 2 more 2020-10-13 4.0 MEDIUM 4.9 MEDIUM
A flaw was found in wildfly-core before 7.2.5.GA. The Management users with Monitor, Auditor and Deployer Roles should not be allowed to modify the runtime state of the server