Filtered by vendor Redhat Subscriptions
Filtered by product Red Hat Single Sign On Subscriptions
Total 207 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2022-45787 2 Apache, Redhat 6 James, Jboss Enterprise Application Platform, Quarkus and 3 more 2024-11-21 5.5 Medium
Unproper laxist permissions on the temporary files used by MIME4J TempFileStorageProvider may lead to information disclosure to other local users. This issue affects Apache James MIME4J version 0.8.8 and prior versions. We recommend users to upgrade to MIME4j version 0.8.9 or later.
CVE-2022-45693 3 Debian, Jettison Project, Redhat 9 Debian Linux, Jettison, Camel Spring Boot and 6 more 2024-11-21 7.5 High
Jettison before v1.5.2 was discovered to contain a stack overflow via the map parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.
CVE-2022-45047 2 Apache, Redhat 12 Sshd, Camel Spring Boot, Jboss Data Grid and 9 more 2024-11-21 9.8 Critical
Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server.
CVE-2022-42004 5 Debian, Fasterxml, Netapp and 2 more 19 Debian Linux, Jackson-databind, Oncommand Workflow Automation and 16 more 2024-11-21 7.5 High
In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.
CVE-2022-42003 5 Debian, Fasterxml, Netapp and 2 more 20 Debian Linux, Jackson-databind, Oncommand Workflow Automation and 17 more 2024-11-21 7.5 High
In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
CVE-2022-41881 3 Debian, Netty, Redhat 13 Debian Linux, Netty, Camel Quarkus and 10 more 2024-11-21 5.3 Medium
Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder.
CVE-2022-41854 3 Fedoraproject, Redhat, Snakeyaml Project 13 Fedora, Amq Clients, Camel Spring Boot and 10 more 2024-11-21 5.8 Medium
Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.
CVE-2022-40150 3 Debian, Jettison Project, Redhat 10 Debian Linux, Jettison, Amq Streams and 7 more 2024-11-21 6.5 Medium
Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by Out of memory. This effect may support a denial of service attack.
CVE-2022-40149 3 Debian, Jettison Project, Redhat 10 Debian Linux, Jettison, Amq Streams and 7 more 2024-11-21 6.5 Medium
Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.
CVE-2022-3916 1 Redhat 9 Enterprise Linux, Keycloak, Openshift Container Platform and 6 more 2024-11-21 6.8 Medium
A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user.
CVE-2022-3782 1 Redhat 8 Amq Broker, Jboss Enterprise Bpms Platform, Keycloak and 5 more 2024-11-21 9.1 Critical
keycloak: path traversal via double URL encoding. A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. An attacker can use this flaw to construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain or possibly conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field.
CVE-2022-38752 2 Redhat, Snakeyaml Project 9 Amq Streams, Camel Spring Boot, Jboss Data Grid and 6 more 2024-11-21 6.5 Medium
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.
CVE-2022-38751 3 Debian, Redhat, Snakeyaml Project 9 Debian Linux, Amq Broker, Camel Spring Boot and 6 more 2024-11-21 6.5 Medium
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.
CVE-2022-38750 3 Debian, Redhat, Snakeyaml Project 9 Debian Linux, Amq Broker, Camel Spring Boot and 6 more 2024-11-21 6.5 Medium
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.
CVE-2022-38749 3 Debian, Redhat, Snakeyaml Project 11 Debian Linux, Amq Broker, Amq Clients and 8 more 2024-11-21 6.5 Medium
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.
CVE-2022-37603 2 Redhat, Webpack.js 8 Jboss Data Grid, Logging, Migration Toolkit Applications and 5 more 2024-11-21 7.5 High
A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.
CVE-2022-31129 4 Debian, Fedoraproject, Momentjs and 1 more 17 Debian Linux, Fedora, Moment and 14 more 2024-11-21 7.5 High
moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.
CVE-2022-2764 2 Netapp, Redhat 11 Active Iq Unified Manager, Cloud Secure Agent, Oncommand Insight and 8 more 2024-11-21 4.9 Medium
A flaw was found in Undertow. Denial of service can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations.
CVE-2022-2668 1 Redhat 3 Keycloak, Red Hat Single Sign On, Single Sign-on 2024-11-21 7.2 High
An issue was discovered in Keycloak that allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled
CVE-2022-2256 1 Redhat 2 Red Hat Single Sign On, Single Sign-on 2024-11-21 3.8 Low
A Stored Cross-site scripting (XSS) vulnerability was found in keycloak as shipped in Red Hat Single Sign-On 7. This flaw allows a privileged attacker to execute malicious scripts in the admin console, abusing the default roles functionality.