Single Sign On
by Red Hat
CVEs (33)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-6563 | | | 0.00 | — | 0.01 | | Dec 14, 2023 | An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (> 500,000 users with each having at least 2 saved sessions). If an attacker creates two or more user sessions and then open… |
| CVE-2023-5379 | | | 0.00 | — | 0.01 | | Dec 12, 2023 | A flaw was found in Undertow. When an AJP request is sent that exceeds the max-header-size attribute in ajp-listener, JBoss EAP is marked in an error state by mod_cluster in httpd, causing JBoss EAP to close the TCP connection without returning an AJP response. This happens… |
| CVE-2023-2422 | | | 0.00 | — | 0.01 | | Oct 4, 2023 | A flaw was found in Keycloak. A Keycloak server configured to support mTLS authentication for OAuth/OpenID clients does not properly verify the client certificate chain. A client that possesses a proper certificate can authorize itself as any other client, therefore, access data… |
| CVE-2023-3223 | | | 0.00 | — | 0.02 | | Sep 27, 2023 | A flaw was found in undertow. Servlets annotated with @MultipartConfig may cause an OutOfMemoryError due to large multipart content. This may allow unauthorized users to cause remote Denial of Service (DoS) attack. If the server uses fileSizeThreshold to limit the file size,… |
| CVE-2022-4245 | | | 0.00 | — | 0.01 | | Sep 25, 2023 | A flaw was found in codehaus-plexus. The org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment fails to sanitize comments for a --> sequence. This issue means that text contained in the command string could be interpreted as XML and allow for XML injection. |
| CVE-2022-4244 | | | 0.00 | — | 0.01 | | Sep 25, 2023 | A flaw was found in codeplex-codehaus. A directory traversal attack (also known as path traversal) aims to access files and directories stored outside the intended folder. By manipulating files with "dot-dot-slash (../)" sequences and their variations or by using absolute file… |
| CVE-2022-4137 | | | 0.00 | — | 0.01 | | Sep 25, 2023 | A reflected cross-site scripting (XSS) vulnerability was found in the 'oob' OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a… |
| CVE-2022-4039 | | | 0.00 | — | 0.01 | | Sep 22, 2023 | A flaw was found in Red Hat Single Sign-On for OpenShift container images, which are configured with an unsecured management interface enabled. This flaw allows an attacker to use this interface to deploy malicious code and access and modify potentially sensitive information in… |
| CVE-2022-3916 | | | 0.00 | — | 0.01 | | Sep 20, 2023 | A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This… |
| CVE-2022-1438 | | | 0.00 | — | 0.01 | | Sep 20, 2023 | A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a Cross-site scripting (XSS) vulnerability. |
| CVE-2022-2083 | | | 0.00 | — | 0.01 | | Sep 5, 2022 | The Simple Single Sign On WordPress plugin through 4.1.0 leaks its OAuth client_secret, which could be used by attackers to gain unauthorized access to the site. |
| CVE-2022-1466 | | | 0.00 | — | 0.01 | | Apr 26, 2022 | Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform. It was possible to add users to the master realm even though no respective permission was granted. |
| CVE-2020-14341 | | | 0.00 | — | 0.01 | | Jan 12, 2021 | The "Test Connection" available in v7.x of the Red Hat Single Sign On application console can permit an authorized user to cause SMTP connections to be attempted to arbitrary hosts and ports of the user's choosing, and originating from the RHSSO installation. By observing… |
Page 2 of 2