Single Sign-on@7.6 Security Vulnerabilities and Issues — Single Sign-on@7.6 CVE List

Lucene search

RedhatSingle Sign-on7.6

7 matches found

CVE•added 2023/09/25 8:15 p.m.•5274 views

CVE-2022-4137

A reflected cross-site scripting (XSS) vulnerability was found in the 'oob' OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a link in order to be...

8.1CVSS6.2AI score0.00393EPSS

CVE•added 2023/09/14 3:15 p.m.•2602 views

CVE-2023-1108

A flaw was found in undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status updated in SslConduit, where the loop never terminates.

7.5CVSS7.3AI score0.0481EPSS

CVE•added 2023/12/21 10:15 a.m.•2580 views

CVE-2023-2585

Keycloak's device authorization grant does not correctly validate the device code and client ID. An attacker client could abuse the missing validation to spoof a client consent request and trick an authorization admin into granting consent to a malicious OAuth client or possible unauthorized access...

8.1CVSS5.6AI score0.00112EPSS

CVE•added 2023/09/27 3:18 p.m.•559 views

CVE-2023-3223

A flaw was found in undertow. Servlets annotated with @MultipartConfig may cause an OutOfMemoryError due to large multipart content. This may allow unauthorized users to cause remote Denial of Service (DoS) attack. If the server uses fileSizeThreshold to limit the file size, it's possible to bypass...

7.5CVSS7.3AI score0.00767EPSS

CVE•added 2023/09/20 3:15 p.m.•262 views

CVE-2022-3916

A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to ...

6.8CVSS7.1AI score0.00226EPSS

CVE•added 2023/12/14 6:15 p.m.•165 views

CVE-2023-6563

An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (> 500,000 users with each having at least 2 saved sessions). If an attacker creates two or more user sessions and then open the "consents" tab ...

7.7CVSS7.3AI score0.00304EPSS

CVE•added 2023/10/04 11:15 a.m.•138 views

CVE-2023-2422

A flaw was found in Keycloak. A Keycloak server configured to support mTLS authentication for OAuth/OpenID clients does not properly verify the client certificate chain. A client that possesses a proper certificate can authorize itself as any other client, therefore, access data that belongs to oth...

7.1CVSS6.5AI score0.00217EPSS