VYPR

Wildfly Elytron

by Red Hat

Source repositories

CVEs (4)

  • CVE-2024-1233 | High | Apr 9, 2024
    risk 0.41 | cvss 7.3 | epss 0.01

    A flaw was found in `JwtValidator.resolvePublicKey` in JBoss EAP, where the validator checks jku and sends an HTTP request. During this process, no whitelisting or other filtering behavior is performed on the destination URL address, which may result in a server-side request…

  • CVE-2023-6236 | High | Apr 10, 2024
    risk 0.40 | cvss 7.3 | epss 0.00

    A flaw was found in Red Hat Enterprise Application Platform 8. When an OIDC app that serves multiple tenants attempts to access the second tenant, it should prompt the user to log in again since the second tenant is secured with a different OIDC configuration. The underlying…

  • CVE-2024-12369 | Medium | Dec 9, 2024
    risk 0.20 | cvss 4.2 | epss 0.00

    A vulnerability was found in OIDC-Client. When using the RH SSO OIDC adapter with EAP 7.x or when using the elytron-oidc-client subsystem with EAP 8.x, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's…

  • CVE-2022-3143 | Jan 11, 2023
    risk 0.00 | cvss | epss 0.01

    wildfly-elytron: possible timing attacks via use of unsafe comparator. A flaw was found in Wildfly-elytron. Wildfly-elytron uses java.util.Arrays.equals in several places, which is unsafe and vulnerable to timing attacks. To compare values securely, use…