Filtered by vendor Redhat Subscriptions
Filtered by product Single Sign-on Subscriptions
Total 97 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2022-4361 1 Redhat 8 Enterprise Linux, Keycloak, Openshift Container Platform and 5 more 2024-11-21 10 Critical
Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerability in the SAML or OIDC providers. The vulnerability can allow an attacker to execute malicious scripts by setting the AssertionConsumerServiceURL value or the redirect_uri.
CVE-2022-4137 1 Redhat 4 Enterprise Linux, Keycloak, Red Hat Single Sign On and 1 more 2024-11-21 8.1 High
A reflected cross-site scripting (XSS) vulnerability was found in the 'oob' OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a link in order to be vulnerable. This may compromise user details, allowing it to be changed or collected by an attacker.
CVE-2022-4039 1 Redhat 8 Enterprise Linux, Openshift Container Platform, Openshift Container Platform For Ibm Z and 5 more 2024-11-21 8 High
A flaw was found in Red Hat Single Sign-On for OpenShift container images, which are configured with an unsecured management interface enabled. This flaw allows an attacker to use this interface to deploy malicious code and access and modify potentially sensitive information in the app server configuration.
CVE-2022-3916 1 Redhat 9 Enterprise Linux, Keycloak, Openshift Container Platform and 6 more 2024-11-21 6.8 Medium
A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user.
CVE-2022-2764 2 Netapp, Redhat 11 Active Iq Unified Manager, Cloud Secure Agent, Oncommand Insight and 8 more 2024-11-21 4.9 Medium
A flaw was found in Undertow. Denial of service can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations.
CVE-2022-2668 1 Redhat 3 Keycloak, Red Hat Single Sign On, Single Sign-on 2024-11-21 7.2 High
An issue was discovered in Keycloak that allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled
CVE-2022-2256 1 Redhat 2 Red Hat Single Sign On, Single Sign-on 2024-11-21 3.8 Low
A Stored Cross-site scripting (XSS) vulnerability was found in keycloak as shipped in Red Hat Single Sign-On 7. This flaw allows a privileged attacker to execute malicious scripts in the admin console, abusing the default roles functionality.
CVE-2022-2237 1 Redhat 3 Keycloak Node.js Adapter, Red Hat Single Sign On, Single Sign-on 2024-11-21 6.1 Medium
A flaw was found in the Keycloak Node.js Adapter. This flaw allows an attacker to benefit from an Open Redirect vulnerability in the checkSso function.
CVE-2022-1466 1 Redhat 3 Keycloak, Red Hat Single Sign On, Single Sign-on 2024-11-21 6.5 Medium
Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform. It was possible to add users to the master realm even though no respective permission was granted.
CVE-2022-1319 2 Netapp, Redhat 10 Active Iq Unified Manager, Cloud Secure Agent, Oncommand Insight and 7 more 2024-11-21 7.5 High
A flaw was found in Undertow. For an AJP 400 response, EAP 7 is improperly sending two response packets, and those packets have the reuse flag set even though JBoss EAP closes the connection. A failure occurs when the connection is reused after a 400 by CPING since it reads in the second SEND_HEADERS response packet instead of a CPONG.
CVE-2022-1278 1 Redhat 10 Amq, Amq Broker, Amq Online and 7 more 2024-11-21 7.5 High
A flaw was found in WildFly, where an attacker can see deployment names, endpoints, and any other data the trace payload may contain.
CVE-2022-1274 1 Redhat 10 Enterprise Linux, Enterprise Linux For Ibm Z Systems, Enterprise Linux For Ibm Z Systems Eus and 7 more 2024-11-21 5.4 Medium
A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users.
CVE-2022-1259 2 Netapp, Redhat 11 Active Iq Unified Manager, Cloud Secure Agent, Oncommand Insight and 8 more 2024-11-21 7.5 High
A flaw was found in Undertow. A potential security issue in flow control handling by the browser over HTTP/2 may cause overhead or a denial of service in the server. This flaw exists because of an incomplete fix for CVE-2021-3629.
CVE-2022-0853 1 Redhat 6 Descision Manager, Jboss Enterprise Application Platform, Jboss Enterprise Application Platform Expansion Pack and 3 more 2024-11-21 7.5 High
A flaw was found in JBoss-client. The vulnerability occurs due to a memory leak on the JBoss client-side, when using UserTransaction repeatedly and leads to information leakage vulnerability.
CVE-2022-0225 1 Redhat 3 Keycloak, Red Hat Single Sign On, Single Sign-on 2024-11-21 5.4 Medium
A flaw was found in Keycloak. This flaw allows a privileged attacker to use the malicious payload as the group name while creating a new group from the admin console, leading to a stored Cross-site scripting (XSS) attack.
CVE-2022-0084 1 Redhat 8 Integration Camel K, Integration Camel Quarkus, Jboss Data Grid and 5 more 2024-11-21 7.5 High
A flaw was found in XNIO, specifically in the notifyReadClosed method. The issue revealed this method was logging a message to another expected end. This flaw allows an attacker to send flawed requests to a server, possibly causing log contention-related performance concerns or an unwanted disk fill-up.
CVE-2021-4104 4 Apache, Fedoraproject, Oracle and 1 more 59 Log4j, Fedora, Advanced Supply Chain Planning and 56 more 2024-11-21 7.5 High
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
CVE-2021-3859 2 Netapp, Redhat 11 Cloud Secure Agent, Oncommand Insight, Oncommand Workflow Automation and 8 more 2024-11-21 7.5 High
A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks.
CVE-2021-3827 1 Redhat 6 Enterprise Linux, Keycloak, Openshift Container Platform and 3 more 2024-11-21 6.8 Medium
A flaw was found in keycloak, where the default ECP binding flow allows other authentication flows to be bypassed. By exploiting this behavior, an attacker can bypass the MFA authentication by sending a SOAP request with an AuthnRequest and Authorization header with the user's credentials. The highest threat from this vulnerability is to confidentiality and integrity.
CVE-2021-3754 1 Redhat 2 Keycloak, Single Sign-on 2024-11-21 5.3 Medium
A flaw was found in keycloak where an attacker is able to register himself with the username same as the email ID of any existing user. This may cause trouble in getting password recovery email in case the user forgets the password.