Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Single_sign\-On
(Redhat)| Repositories | https://github.com/FasterXML/jackson-databind |
| #Vulnerabilities | 94 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2018-07-23 | CVE-2018-10912 | keycloak before version 4.0.0.final is vulnerable to a infinite loop in session replacement. A Keycloak cluster with multiple nodes could mishandle an expired session replacement and lead to an infinite loop. A malicious authenticated user could use this flaw to achieve Denial of Service on the server. | Keycloak, Single_sign\-On | 4.9 | ||
| 2021-02-11 | CVE-2020-10734 | A vulnerability was found in keycloak in the way that the OIDC logout endpoint does not have CSRF protection. Versions shipped with Red Hat Fuse 7, Red Hat Single Sign-on 7, and Red Hat Openshift Application Runtimes are believed to be vulnerable. | Jboss_fuse, Keycloak, Openshift_application_runtimes, Single_sign\-On | 3.3 | ||
| 2020-09-16 | CVE-2020-10758 | A vulnerability was found in Keycloak before 11.0.1 where DoS attack is possible by sending twenty requests simultaneously to the specified keycloak server, all with a Content-Length header value that exceeds the actual byte count of the request body. | Keycloak, Openshift_application_runtimes, Single_sign\-On | 7.5 | ||
| 2019-10-14 | CVE-2019-14838 | A flaw was found in wildfly-core before 7.2.5.GA. The Management users with Monitor, Auditor and Deployer Roles should not be allowed to modify the runtime state of the server | Data_grid, Jboss_enterprise_application_platform, Single_sign\-On, Wildfly_core | 4.9 | ||
| 2020-01-07 | CVE-2019-14843 | A flaw was found in Wildfly Security Manager, running under JDK 11 or 8, that authorized requests for any requester. This flaw could be used by a malicious app deployed on the app server to access unauthorized information and possibly conduct further attacks. Versions shipped with Red Hat Jboss EAP 7 and Red Hat SSO 7 are vulnerable to this issue. | Jboss_enterprise_application_platform, Single_sign\-On | N/A | ||
| 2020-01-07 | CVE-2019-14837 | A flaw was found in keycloack before version 8.0.0. The owner of 'placeholder.org' domain can setup mail server on this domain and knowing only name of a client can reset password and then log in. For example, for client name 'test' the email address will be 'service-account-test@placeholder.org'. | Keycloak, Single_sign\-On | N/A | ||
| 2019-08-14 | CVE-2019-10201 | It was found that Keycloak's SAML broker, versions up to 6.0.1, did not verify missing message signatures. If an attacker modifies the SAML Response and removes the <Signature> sections, the message is still accepted, and the message can be modified. An attacker could use this flaw to impersonate other users and gain access to sensitive information. | Keycloak, Single_sign\-On | 8.1 | ||
| 2019-06-12 | CVE-2019-10157 | It was found that Keycloak's Node.js adapter before version 4.8.3 did not properly verify the web token received from the server in its backchannel logout . An attacker with local access could use this to construct a malicious web token setting an NBF parameter that could prevent user access indefinitely. | Keycloak, Single_sign\-On | 5.5 | ||
| 2018-11-13 | CVE-2018-14655 | A flaw was found in Keycloak 3.4.3.Final, 4.0.0.Beta2, 4.3.0.Final. When using 'response_mode=form_post' it is possible to inject arbitrary Javascript-Code via the 'state'-parameter in the authentication URL. This allows an XSS-Attack upon succesfully login. | Keycloak, Single_sign\-On | 5.4 | ||
| 2018-08-01 | CVE-2018-10894 | It was found that SAML authentication in Keycloak 3.4.3.Final incorrectly authenticated expired certificates. A malicious user could use this to access unauthorized data or possibly conduct further attacks. | Keycloak, Single_sign\-On | 5.4 |