SessionListener can prevent a session from being invalidated breaking logout
Impact: If an exception is thrown from the SessionListener.sessionDestroyed method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application us...
PT-2021-20482 · Accela · Accela Civic Platform
Name of the Vulnerable Software and Affected Versions: Accela Civic Platform versions prior to 20.2. Description: The issue allows for successURL XSS in the ssoAdapter/logoutAction.do endpoint. The vendor has stated that there are configurable security flags and they are unable to reproduce the...
Authentication flaw
The CTS Web transaction system's authentication and session management are implemented incorrectly, which allows remote unauthenticated attackers to send a large number of valid usernames and force those logged-in accounts to log out, causing the users to be unable to access the services...
CVE-2021-32541 SysJust CTS Web - Broken Access Control
The CTS Web transaction system's authentication and session management are implemented incorrectly, which allows remote unauthenticated attackers to send a large number of valid usernames and force those logged-in accounts to log out, causing the users to be unable to access the services...
Insecure Session Management
Keycloak uses insecure session management. The application may fail to invalidate the user session if the logout request comes from an external SAML identity provider that is set up to identify the principal via attributes rather than the Subject Name ID...
Moderate: Red Hat Security Advisory: Red Hat Single Sign-On 7.4.7 security update
A security update is now available for Red Hat Single Sign-On 7.4 from the Customer Portal. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each...
keycloak: Backchannel logout not working when Principal Type is set to Attribute Name for external SAML IDP
A flaw was found in Keycloak where Keycloak may fail to log out a user session if the logout request comes from an external SAML identity provider and the Principal Type is set to Attribute Name...
Moderate: Red Hat Security Advisory: Red Hat Single Sign-On 7.4.7 security update on RHEL 8
New Red Hat Single Sign-On 7.4.7 packages are now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each...
keycloak: Backchannel logout not working when Principal Type is set to Attribute Name for external SAML IDP
A flaw was found in Keycloak where Keycloak may fail to log out a user session if the logout request comes from an external SAML identity provider and the Principal Type is set to Attribute Name...
RHEL 7 : Red Hat Single Sign-On 7.4.7 security update on RHEL 7 (Moderate) (RHSA-2021:2064)
The remote Red Hat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:2064 advisory. Red Hat Single Sign-On 7.4 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single...
RHEL 6 : Red Hat Single Sign-On 7.4.7 security update on RHEL 6 (Moderate) (RHSA-2021:2063)
The remote Red Hat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:2063 advisory. Red Hat Single Sign-On 7.4 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single...
Open Redirect
Overview: Flask-Security provides simple security for Flask apps. Affected versions of this package are vulnerable to Open Redirect. When using the get_post_logout_redirect and get_post_login_redirect functions, it is possible to bypass URL validation and redirect a user to an arbitrary URL by providing...
OESA-2021-1152 gnome-shell security update
The GNOME Shell redefines user interactions with the GNOME desktop. In particular, it offers new paradigms for launching applications, accessing documents, and organizing open windows in GNOME. Later, it will introduce a new applet ecosystem and offer new solutions for other desktop features,...
CVE-2021-31409 Server session is not invalidated when logout() helper method of Authentication module is used in Vaadin 18-19
An unsafe validation RegEx in the EmailValidator component in com.vaadin:vaadin-compatibility-server versions 8.0.0 through 8.12.4 (Vaadin versions 8.0.0 through 8.12.4) allows attackers to cause uncontrolled resource consumption by submitting malicious email addresses...
Security Bulletin: Multiple vulnerabilities in IBM Jazz Team Server affect IBM Rational products based on IBM Jazz technology
Summary: Multiple vulnerabilities in the IBM Jazz Team Server affect the following IBM Rational products: Collaborative Lifecycle Management (CLM), Rational DOORS Next Generation (RDNG), Rational Engineering Lifecycle Manager (RELM), Rational Team Concert (RTC), Rational Quality Manager (RQM), Rational...
CVE-2021-31408
The CVE-2021-31408 issue affects vaadin:flow-client: versions 5.0.0 prior to 6.0.0 (Vaadin 18) and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3). The root cause is an incorrect HTTP method in Authentication.logout() combined with Spring Security CSRF protection, which, according to the provi...
Vaadin Flow code issue vulnerability
Vaadin Flow is a Java framework for the Vaadin platform for building modern websites that look great, perform well, and keep you and your users happy. A code issue vulnerability exists in vaadin:flow-client that allows a local attacker to access Fusion endpoints after a use...
GHSA-6HGR-2G6Q-3RMC Server session is not invalidated when logout() helper method of Authentication module is used in Vaadin 18-19
The Authentication.logout helper in com.vaadin:flow-client versions 5.0.0 prior to 6.0.0 (Vaadin 18), and 6.0.0 through 6.0.4 (Vaadin 19.0.0 through 19.0.3), uses an incorrect HTTP method, which, in combination with Spring Security CSRF protection, allows local attackers to access Fusion endpoints after the...