Red Hat Single Sign-On 7.6 For RHEL 8 Security Vulnerabilities

CVE-2023-6544

A flaw was found in the Keycloak package. This issue occurs due to a permissive regular expression, hardcoded for filtering which hosts are allowed to register a dynamic client. A malicious user with enough information about the environment could jeopardize an environment with this specific Dynamic...

CVSS 5.4 | AI Score 6.6 | EPSS 0.0004 | 2024-04-25 04:15 PM
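
The "permissive regular expression" class of flaw named in the entry above, as an added example that is not Keycloak's code: the naive matcher treats each trusted-host entry as a bare pattern, so an unescaped dot matches any character and a missing end anchor lets the entry match as a prefix of a longer host name; the hardened matcher canonicalises the host and compares labels exactly. The allowlist entries, the host names and the `*.` single-label wildcard convention are constructed for this example.

```javascript
// Added example, not Keycloak's code: trusted-host filtering for client
// registration, once with a bare regex per entry and once with exact label
// matching. Allowlist entries and host names below are made up.

// Naive: each entry is used as an unanchored, unescaped regular expression.
// "sso.example.com" then matches "sso.example.com.attacker.test" (no end
// anchor) and "sso-example-com" (each dot matches any character).
function isTrustedHostNaive(host, patterns) {
  return patterns.some((p) => new RegExp(p).test(host));
}

// Canonical form of a host as it arrives in a Host or forwarded header:
// lower-cased, with any port and a trailing dot removed.
function canonicalHost(host) {
  return String(host).trim().toLowerCase().replace(/:\d+$/, "").replace(/\.$/, "");
}

// Hardened: exact comparison of canonical host names. A "*." entry matches
// exactly one extra label (a convention constructed for this example). The
// character check rejects bracketed IPv6 literals, a deliberate simplification.
function isTrustedHost(host, entries) {
  const h = canonicalHost(host);
  if (!/^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$/.test(h)) return false;
  return entries.some((entry) => {
    const e = canonicalHost(entry);
    if (e.startsWith("*.")) {
      const suffix = e.slice(2);
      if (!h.endsWith("." + suffix)) return false;
      const label = h.slice(0, -(suffix.length + 1));
      return label.length > 0 && !label.includes(".");
    }
    return h === e;
  });
}

// Side-by-side results for constructed hosts. The naive form cannot even
// express the wildcard entry (a leading "*" is not a valid regex), so the
// naive list carries only the literal entry.
function compareHostChecks() {
  const naiveEntries = ["sso.example.com"];
  const strictEntries = ["sso.example.com", "*.apps.example.com"];
  const hosts = [
    "sso.example.com",               // exact match
    "SSO.example.com.",              // same host, different case and trailing dot
    "sso.example.com.attacker.test", // trusted host as a prefix of another name
    "sso-example-com",               // dots in the pattern match "-"
    "portal.apps.example.com",       // one label under the wildcard entry
    "a.b.apps.example.com",          // two labels under the wildcard entry
  ];
  return hosts.map((host) => ({
    host,
    naive: isTrustedHostNaive(host, naiveEntries),
    strict: isTrustedHost(host, strictEntries),
  }));
}
```

If an allowlist must stay regex-based, escape every entry with a regex-escape helper and wrap it as `^(?:…)$` before compiling; the exact-comparison form above is simpler to review and has no such pitfalls.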

CVE-2023-6484

A log injection flaw was found in Keycloak. A text string may be injected through the authentication form when using the WebAuthn authentication mode. This issue may have a minor impact on the logs...

CVSS 5.3 | AI Score 7.5 | EPSS 0.0005 | 2024-04-25 04:15 PM

CVE-2024-1249

A flaw was found in Keycloak's OIDC component in the "checkLoginIframe", which allows unvalidated cross-origin messages. This flaw allows attackers to coordinate and send millions of requests in seconds using simple code, significantly impacting the application's availability without proper origin...

CVSS 7.4 | AI Score 6.8 | EPSS 0.0004 | 2024-04-17 02:15 PM
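
What "unvalidated cross-origin messages" looks like in a window message handler, as an added example that is neither keycloak.js nor Keycloak server code: one handler acts on every message it receives, the other checks `event.origin` against an exact allowlist before doing any work. The allowed origin and the payloads are constructed, and plain objects stand in for browser `MessageEvent`s so the code runs outside a browser.

```javascript
// Added example, not keycloak.js or Keycloak server code: a message handler
// that trusts every sender, next to one that checks event.origin against an
// exact allowlist first. Origins and payloads below are constructed.

// Counters standing in for whatever work a session-status handler would do.
const stats = { handled: 0, rejected: 0 };

// Permissive: any page holding a reference to this window can drive the
// handler as fast as it can call postMessage, from any origin.
function onMessagePermissive(event) {
  return event.data === "unchanged" ? "unchanged" : "changed";
}

// Hardened: build the handler from a list of allowed origins. Origins are
// compared exactly (scheme, host and port), so the same host on another
// scheme or port is rejected, and the payload shape is checked before any
// state changes.
function makeOriginCheckedHandler(allowedOrigins) {
  const allowed = new Set(allowedOrigins.map((o) => new URL(o).origin));
  return function onMessage(event) {
    if (!allowed.has(event.origin) || typeof event.data !== "string") {
      stats.rejected += 1;
      return null; // drop silently; never answer an unknown origin
    }
    stats.handled += 1;
    return event.data === "unchanged" ? "unchanged" : "changed";
  };
}

// Constructed stand-in for a browser MessageEvent.
function fakeEvent(origin, data) {
  return { origin, data };
}

function demoOriginCheck() {
  stats.handled = 0;
  stats.rejected = 0;
  const handler = makeOriginCheckedHandler(["https://sso.example.com"]);
  const events = [
    fakeEvent("https://sso.example.com", "unchanged"),    // legitimate
    fakeEvent("https://attacker.test", "unchanged"),      // foreign origin
    fakeEvent("https://sso.example.com:8443", "changed"), // same host, other port
    fakeEvent("http://sso.example.com", "changed"),       // same host, other scheme
    fakeEvent("https://sso.example.com", { cmd: "x" }),   // right origin, wrong payload type
  ];
  const permissive = events.filter((e) => onMessagePermissive(e) !== null).length;
  const checked = events.map(handler);
  return { permissive, checked, handled: stats.handled, rejected: stats.rejected };
}
```

In a browser the hardened form is registered as `window.addEventListener("message", makeOriginCheckedHandler([authServerOrigin]))`, and any reply should be posted with that same explicit origin as `targetOrigin`, never `"*"`.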

CVE-2024-1132

A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to construct a malicious request to bypass validation and access other URLs and sensitive information within the domain or conduct further attacks. This flaw affects...

CVSS 8.1 | AI Score 6.4 | EPSS 0.0004 | 2024-04-17 02:15 PM

CVE-2024-1635

A vulnerability was found in Undertow. This vulnerability impacts a server that supports the wildfly-http-client protocol. Whenever a malicious user opens a connection to the HTTP port of the server and then closes it immediately, the server will end up with both memory and...

CVSS 7.5 | AI Score 7 | EPSS 0.0004 | 2024-02-19 10:15 PM

CVE-2023-6291

A flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to an access token being stolen, making it possible for the attacker to impersonate other...

CVSS 7.1 | AI Score 6.8 | EPSS 0.001 | 2024-01-26 03:15 PM

CVE-2023-2585

Keycloak's device authorization grant does not correctly validate the device code and client ID. An attacker client could abuse the missing validation to spoof a client consent request and trick an authorization admin into granting consent to a malicious OAuth client or possible unauthorized...

AI Score 7.4 | EPSS 0.001 | 2023-12-21 09:24 AM

CVE-2023-6927

A flaw was found in Keycloak. This issue may allow an attacker to steal authorization codes or tokens from clients using a wildcard in the JARM response mode "form_post.jwt" which could be used to bypass the security patch implemented to address...

AI Score 6.8 | EPSS 0.001 | 2023-12-18 10:59 PM

CVE-2023-6134

A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted request leading to cross-site scripting (XSS) or further attacks. This flaw is the result of an...

AI Score 5.9 | EPSS 0.001 | 2023-12-14 09:42 PM
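
The three redirect entries above (CVE-2024-1132, CVE-2023-6291 and this one) all concern redirect_uri validation, so one added example covers them; it is not Keycloak's code. A wildcard-as-string-prefix matcher is placed next to a matcher that parses both sides, allowlists the scheme, rejects userinfo, compares the normalised origin exactly and confines a trailing `/*` to a single path segment. The registered URIs, the allowed-scheme set and the test inputs are constructed for this example.

```javascript
// Added example, not Keycloak's code: redirect_uri validation by exact
// comparison of parsed, normalised URLs, next to a wildcard-as-prefix string
// matcher. Registered URIs, the scheme allowlist and inputs are constructed.

// Loose: a trailing "*" turns the registered string into a raw prefix; the
// incoming URI is never parsed, so its real host and scheme are not examined.
function redirectAllowedLoose(redirectUri, registered) {
  return registered.some((r) =>
    r.endsWith("*") ? redirectUri.startsWith(r.slice(0, -1)) : redirectUri === r,
  );
}

const ALLOWED_SCHEMES = new Set(["https:"]); // assumption: browser clients only

// Strict: parse both sides with the WHATWG URL parser (which resolves "..",
// lower-cases the host and drops a default port), require an allowed scheme,
// reject userinfo, compare origins exactly, and let a trailing "/*" on a
// registered URI match exactly one extra path segment. An entry that is not
// a parsable URL (for instance a bare "*") never matches anything.
function redirectAllowedStrict(redirectUri, registered) {
  let u;
  try { u = new URL(redirectUri); } catch { return false; }
  if (!ALLOWED_SCHEMES.has(u.protocol) || u.username || u.password) return false;
  for (const r of registered) {
    const wildcard = r.endsWith("/*");
    let reg;
    try { reg = new URL(wildcard ? r.slice(0, -1) : r); } catch { continue; }
    if (!ALLOWED_SCHEMES.has(reg.protocol) || reg.origin !== u.origin) continue;
    if (wildcard) {
      if (!u.pathname.startsWith(reg.pathname)) continue;
      const rest = u.pathname.slice(reg.pathname.length);
      if (rest.length > 0 && !rest.includes("/")) return true;
    } else if (u.pathname === reg.pathname) {
      return true;
    }
  }
  return false;
}

// Side-by-side results. The loose list needs a host-level wildcard to allow a
// callback path at all; the strict matcher does not honour that form.
function compareRedirectChecks() {
  const looseRegistered = ["https://app.example.com*"];
  const strictRegistered = ["https://app.example.com/cb", "https://app.example.com/auth/*"];
  const inputs = [
    "https://app.example.com/cb",               // legitimate
    "https://app.example.com/auth/callback",    // legitimate, one segment under the wildcard
    "https://app.example.com.attacker.test/cb", // registered host as a prefix of another host
    "https://app.example.com@attacker.test/cb", // registered host as userinfo of another host
    "https://app.example.com/auth/../admin",    // loose prefix holds; parsed path is /admin
    "javascript:alert(document.domain)",        // wrong scheme; loose rejects it only because
                                                // no prefix happens to match (a bare "*" entry lets it through)
  ];
  return inputs.map((uri) => ({
    uri,
    loose: redirectAllowedLoose(uri, looseRegistered),
    strict: redirectAllowedStrict(uri, strictRegistered),
  }));
}
```

The query string is deliberately ignored by the strict matcher, since the `state` and `code` parameters are appended to the redirect at runtime; fragments are likewise not compared.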

CVE-2023-6563

An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (> 500,000 users, each having at least 2 saved sessions). If an attacker creates two or more user sessions and then opens the "consents" tab...

AI Score 7.3 | EPSS 0.001 | 2023-12-14 06:01 PM

CVE-2023-2422

A flaw was found in Keycloak. A Keycloak server configured to support mTLS authentication for OAuth/OpenID clients does not properly verify the client certificate chain. A client that possesses a proper certificate can authorize itself as any other client, therefore, access data that belongs to...

AI Score 7.5 | EPSS 0.001 | 2023-10-04 10:59 AM

CVE-2023-3223

A flaw was found in Undertow. Servlets annotated with @MultipartConfig may cause an OutOfMemoryError due to large multipart content. This may allow unauthorized users to cause a remote denial of service (DoS). If the server uses fileSizeThreshold to limit the file size, it's possible to...

CVSS 7.5 | AI Score 7.1 | EPSS 0.021 | 2023-09-27 03:18 PM

CVE-2022-4137

A reflected cross-site scripting (XSS) vulnerability was found in the 'oob' OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a link in order to...

CVSS 6.1 | AI Score 6 | EPSS 0.001 | 2023-09-25 08:15 PM

CVE-2022-3916

A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to...

CVSS 6.8 | AI Score 7.6 | EPSS 0.001 | 2023-09-20 03:15 PM

CVE-2022-1438

A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in cross-site scripting (XSS)...

CVSS 4.8 | AI Score 6.4 | EPSS 0.001 | 2023-09-20 02:15 PM

CVE-2023-1108

A flaw was found in Undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status update in SslConduit, where the loop never...

CVSS 7.5 | AI Score 7 | EPSS 0.001 | 2023-09-14 03:15 PM