#Vulnerabilities 70
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2023-02-23 | CVE-2022-4492 | The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS client protocol. | Build_of_quarkus, Integration_camel_for_spring_boot, Integration_camel_k, Integration_service_registry, Jboss_enterprise_application_platform, Jboss_fuse, Migration_toolkit_for_applications, Migration_toolkit_for_runtimes, Single_sign-On, Undertow | 7.5 | | |
| 2020-07-24 | CVE-2020-14297 | A flaw was discovered in Wildfly's EJB Client as shipped with Red Hat JBoss EAP 7, where some specific EJB transaction objects may accumulate over time and can cause services to slow down and eventually become unavailable. An attacker can take advantage of this to cause a denial of service attack and make services unavailable. | Amq, Jboss_enterprise_application_platform_continuous_delivery, Jboss_fuse, Openshift_application_runtimes, Single_sign-On | 6.5 | | |
| 2020-07-24 | CVE-2020-14307 | A vulnerability was found in Wildfly's Enterprise Java Beans (EJB) versions shipped with Red Hat JBoss EAP 7, where SessionOpenInvocations are never removed from the remote InvocationTracker after a response is received in the EJB Client, as well as the server. This flaw allows an attacker to craft a denial of service attack to make the service unavailable. | Amq, Jboss_enterprise_application_platform_continuous_delivery, Jboss_fuse, Openshift_application_runtimes, Single_sign-On | 6.5 | | |
| 2020-11-02 | CVE-2020-25689 | A memory leak flaw was found in WildFly in all versions up to 21.0.0.Final, where host-controller tries to reconnect in a loop, generating new connections which are not properly closed while not able to connect to domain-controller. This flaw allows an attacker to cause an Out of memory (OOM) issue, leading to a denial of service. The highest threat from this vulnerability is to system availability. | Active_iq_unified_manager, Oncommand_insight, Service_level_manager, Fuse, Jboss_data_grid, Jboss_enterprise_application_platform, Jboss_fuse, Openshift_application_runtimes, Single_sign-On, Wildfly | 6.5 | | |
| 2022-05-24 | CVE-2021-3629 | A flaw was found in Undertow. A potential security issue in flow control handling by the browser over http/2 may potentially cause overhead or a denial of service in the server. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.40.Final and prior to 2.2.11.Final. | Active_iq_unified_manager, Oncommand_insight, Oncommand_workflow_automation, Integration, Jboss_enterprise_application_platform, Single_sign-On, Undertow, Wildfly_core | 5.9 | | |
| 2018-11-13 | CVE-2018-14657 | A flaw was found in Keycloak 4.2.1.Final, 4.3.0.Final. When TOTP is enabled, an improper implementation of the Brute Force detection algorithm will not enforce its protection measures. | Keycloak, Single_sign-On | 8.1 | | |
| 2022-08-26 | CVE-2021-3859 | A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks. | Cloud_secure_agent, Oncommand_insight, Oncommand_workflow_automation, Jboss_enterprise_application_platform, Single_sign-On, Undertow | 7.5 | | |
| 2019-07-29 | CVE-2019-14379 | in FasterXML jackson-databind before mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution. | Xcode, Debian_linux, Jackson-Databind, Fedora, Active_iq_unified_manager, Oncommand_workflow_automation, Service_level_manager, Snapcenter, Banking_platform, Communications_diameter_signaling_router, Communications_instant_messaging_server, Financial_services_analytical_applications_infrastructure, Goldengate_stream_analytics, Jd_edwards_enterpriseone_orchestrator, Jd_edwards_enterpriseone_tools, Primavera_gateway, Primavera_unifier, Retail_customer_management_and_segmentation_foundation, Retail_xstore_point_of_service, Siebel_engineering_-_installer_&_deployment, Siebel_ui_framework, Jboss_enterprise_application_platform, Openshift_container_platform, Single_sign-On | 9.8 | | |
| 2022-08-23 | CVE-2021-3827 | A flaw was found in Keycloak, where the default ECP binding flow allows other authentication flows to be bypassed. By exploiting this behavior, an attacker can bypass the MFA authentication by sending a SOAP request with an AuthnRequest and Authorization header with the user's credentials. The highest threat from this vulnerability is to confidentiality and integrity. | Keycloak, Openshift_container_platform, Single_sign-On | 6.8 | | |
| 2022-08-26 | CVE-2021-3632 | A flaw was found in Keycloak. This vulnerability allows anyone to register a new security device or key when there is not a device already registered for any user by using the WebAuthn password-less login flow. | Keycloak, Single_sign-On | 7.5 | | |