Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Redhat Subscribe
Filtered by product Single Sign-on
Total 74 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-1278 1 Redhat 8 Amq, Amq Online, Integration Camel K and 5 more 2023-03-22 N/A 7.5 HIGH
A flaw was found in WildFly, where an attacker can see deployment names, endpoints, and any other data the trace payload may contain.
CVE-2022-4492 1 Redhat 10 Build Of Quarkus, Integration Camel For Spring Boot, Integration Camel K and 7 more 2023-03-06 N/A 7.5 HIGH
The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS client protocol.
CVE-2023-0091 1 Redhat 2 Keycloak, Single Sign-on 2023-02-22 N/A 3.8 LOW
A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information.
CVE-2020-25689 2 Netapp, Redhat 10 Active Iq Unified Manager, Oncommand Insight, Service Level Manager and 7 more 2023-02-12 6.8 MEDIUM 6.5 MEDIUM
A memory leak flaw was found in WildFly in all versions up to 21.0.0.Final, where host-controller tries to reconnect in a loop, generating new connections which are not properly closed while not able to connect to domain-controller. This flaw allows an attacker to cause an Out of memory (OOM) issue, leading to a denial of service. The highest threat from this vulnerability is to system availability.
CVE-2020-14307 1 Redhat 5 Amq, Jboss Enterprise Application Platform Continuous Delivery, Jboss Fuse and 2 more 2023-02-12 4.0 MEDIUM 6.5 MEDIUM
A vulnerability was found in Wildfly's Enterprise Java Beans (EJB) versions shipped with Red Hat JBoss EAP 7, where SessionOpenInvocations are never removed from the remote InvocationTracker after a response is received in the EJB Client, as well as the server. This flaw allows an attacker to craft a denial of service attack to make the service unavailable.
CVE-2020-14297 1 Redhat 5 Amq, Jboss Enterprise Application Platform Continuous Delivery, Jboss Fuse and 2 more 2023-02-12 4.0 MEDIUM 6.5 MEDIUM
A flaw was discovered in Wildfly's EJB Client as shipped with Red Hat JBoss EAP 7, where some specific EJB transaction objects may get accumulated over the time and can cause services to slow down and eventaully unavailable. An attacker can take advantage and cause denial of service attack and make services unavailable.
CVE-2021-3629 2 Netapp, Redhat 9 Active Iq Unified Manager, Oncommand Insight, Oncommand Workflow Automation and 6 more 2023-02-07 4.3 MEDIUM 5.9 MEDIUM
A flaw was found in Undertow. A potential security issue in flow control handling by the browser over http/2 may potentially cause overhead or a denial of service in the server. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.40.Final and prior to 2.2.11.Final.
CVE-2018-14657 1 Redhat 3 Keycloak, Linux, Single Sign-on 2023-02-02 4.3 MEDIUM 8.1 HIGH
A flaw was found in Keycloak 4.2.1.Final, 4.3.0.Final. When TOPT enabled, an improper implementation of the Brute Force detection algorithm will not enforce its protection measures.
CVE-2023-0105 1 Redhat 2 Keycloak, Single Sign-on 2023-01-23 N/A 6.5 MEDIUM
A flaw was found in Keycloak. This flaw allows impersonation and lockout due to the email trust not being handled correctly in Keycloak. An attacker can shadow other users with the same email and lockout or impersonate them.
CVE-2021-3859 2 Netapp, Redhat 6 Cloud Secure Agent, Oncommand Insight, Oncommand Workflow Automation and 3 more 2022-12-12 N/A 7.5 HIGH
A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks.
CVE-2019-14379 7 Apple, Debian, Fasterxml and 4 more 25 Xcode, Debian Linux, Jackson-databind and 22 more 2022-12-02 7.5 HIGH 9.8 CRITICAL
SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.
CVE-2021-3827 1 Redhat 4 Enterprise Linux, Keycloak, Openshift Container Platform and 1 more 2022-11-30 N/A 6.8 MEDIUM
A flaw was found in keycloak, where the default ECP binding flow allows other authentication flows to be bypassed. By exploiting this behavior, an attacker can bypass the MFA authentication by sending a SOAP request with an AuthnRequest and Authorization header with the user's credentials. The highest threat from this vulnerability is to confidentiality and integrity.
CVE-2021-3632 1 Redhat 3 Enterprise Linux, Keycloak, Single Sign-on 2022-11-23 N/A 7.5 HIGH
A flaw was found in Keycloak. This vulnerability allows anyone to register a new security device or key when there is not a device already registered for any user by using the WebAuthn password-less login flow.
CVE-2021-3597 2 Netapp, Redhat 9 Active Iq Unified Manager, Oncommand Insight, Oncommand Workflow Automation and 6 more 2022-11-10 2.6 LOW 5.9 MEDIUM
A flaw was found in undertow. The HTTP2SourceChannel fails to write the final frame under some circumstances, resulting in a denial of service. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.35.SP1, prior to 2.2.6.SP1, prior to 2.2.7.SP1, prior to 2.0.36.SP1, prior to 2.2.9.Final and prior to 2.0.39.Final.
CVE-2021-3717 1 Redhat 4 Enterprise Linux, Jboss Enterprise Application Platform, Single Sign-on and 1 more 2022-11-10 4.6 MEDIUM 7.8 HIGH
A flaw was found in Wildfly. An incorrect JBOSS_LOCAL_USER challenge location when using the elytron configuration may lead to JBOSS_LOCAL_USER access to all users on the machine. The highest threat from this vulnerability is to confidentiality, integrity, and availability. This flaw affects wildfly-core versions prior to 17.0.
CVE-2019-14885 1 Redhat 2 Jboss Enterprise Application Platform, Single Sign-on 2022-11-07 4.0 MEDIUM 4.3 MEDIUM
A flaw was found in the JBoss EAP Vault system in all versions before 7.2.6.GA. Confidential information of the system property's security attribute value is revealed in the JBoss EAP log file when executing a JBoss CLI 'reload' command. This flaw can lead to the exposure of confidential information.
CVE-2020-25644 2 Netapp, Redhat 10 Oncommand Insight, Oncommand Workflow Automation, Service Level Manager and 7 more 2022-11-07 5.0 MEDIUM 7.5 HIGH
A memory leak flaw was found in WildFly OpenSSL in versions prior to 1.1.3.Final, where it removes an HTTP session. It may allow the attacker to cause OOM leading to a denial of service. The highest threat from this vulnerability is to system availability.
CVE-2022-2764 2 Netapp, Redhat 9 Active Iq Unified Manager, Cloud Secure Agent, Oncommand Insight and 6 more 2022-11-07 N/A 4.9 MEDIUM
A flaw was found in Undertow. Denial of service can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations.
CVE-2022-1319 2 Netapp, Redhat 7 Active Iq Unified Manager, Cloud Secure Agent, Oncommand Insight and 4 more 2022-11-07 N/A 7.5 HIGH
A flaw was found in Undertow. For an AJP 400 response, EAP 7 is improperly sending two response packets, and those packets have the reuse flag set even though JBoss EAP closes the connection. A failure occurs when the connection is reused after a 400 by CPING since it reads in the second SEND_HEADERS response packet instead of a CPONG.
CVE-2022-1259 2 Netapp, Redhat 10 Active Iq Unified Manager, Cloud Secure Agent, Oncommand Insight and 7 more 2022-11-07 N/A 7.5 HIGH
A flaw was found in Undertow. A potential security issue in flow control handling by the browser over HTTP/2 may cause overhead or a denial of service in the server. This flaw exists because of an incomplete fix for CVE-2021-3629.