Filtered by vendor Redhat
Subscriptions
Filtered by product Openshift Application Runtimes
Subscriptions
Total
33 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2019-10212 | 2 Netapp, Redhat | 8 Active Iq Unified Manager, Enterprise Linux, Jboss Data Grid and 5 more | 2022-02-20 | 9.8 Critical |
A flaw was found in, all under 2.0.20, in the Undertow DEBUG log for io.undertow.request.security. If enabled, an attacker could abuse this flaw to obtain the user's credentials from the log files. | ||||
CVE-2019-10184 | 2 Netapp, Redhat | 7 Active Iq Unified Manager, Enterprise Linux, Jboss Data Grid and 4 more | 2022-02-20 | 7.5 High |
undertow before version 2.0.23.Final is vulnerable to an information leak issue. Web apps may have their directory structures predicted through requests without trailing slashes via the api. | ||||
CVE-2019-3888 | 2 Netapp, Redhat | 7 Active Iq Unified Manager, Enterprise Linux, Jboss Data Grid and 4 more | 2022-02-20 | 9.8 Critical |
A vulnerability was found in Undertow web server before 2.0.21. An information exposure of plain text credentials through log files because Connectors.executeRootHandler:402 logs the HttpServerExchange object at ERROR level using UndertowLogger.REQUEST_LOGGER.undertowRequestFailed(t, exchange) | ||||
CVE-2019-14887 | 1 Redhat | 6 Jboss Data Grid, Jboss Enterprise Application Platform, Jboss Fuse and 3 more | 2021-11-02 | 9.1 Critical |
A flaw was found when an OpenSSL security provider is used with Wildfly, the 'enabled-protocols' value in the Wildfly configuration isn't honored. An attacker could target the traffic sent from Wildfly and downgrade the connection to a weaker version of TLS, potentially breaking the encryption. This could lead to a leak of the data being passed over the network. Wildfly version 7.2.0.GA, 7.2.3.GA and 7.2.5.CR2 are believed to be vulnerable. | ||||
CVE-2021-3642 | 2 Quarkus, Redhat | 13 Quarkus, Build Of Quarkus, Codeready Studio and 10 more | 2021-10-20 | 5.3 Medium |
A flaw was found in Wildfly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final where ScramServer may be susceptible to Timing Attack if enabled. The highest threat of this vulnerability is confidentiality. | ||||
CVE-2020-1714 | 2 Quarkus, Redhat | 7 Quarkus, Decision Manager, Jboss Fuse and 4 more | 2021-10-19 | 8.8 High |
A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized in a privileged context and potentially lead to remote code execution. | ||||
CVE-2020-27782 | 1 Redhat | 3 Jboss Fuse, Openshift Application Runtimes, Undertow | 2021-02-27 | 7.5 High |
A flaw was found in the Undertow AJP connector. Malicious requests and abrupt connection closes could be triggered by an attacker using query strings with non-RFC compliant characters resulting in a denial of service. The highest threat from this vulnerability is to system availability. This affects Undertow 2.1.5.SP1, 2.0.33.SP2, and 2.2.3.SP1. | ||||
CVE-2020-10734 | 1 Redhat | 4 Jboss Fuse, Keycloak, Openshift Application Runtimes and 1 more | 2021-02-26 | 3.3 Low |
A vulnerability was found in keycloak in the way that the OIDC logout endpoint does not have CSRF protection. Versions shipped with Red Hat Fuse 7, Red Hat Single Sign-on 7, and Red Hat Openshift Application Runtimes are believed to be vulnerable. | ||||
CVE-2020-1717 | 1 Redhat | 4 Jboss Fuse, Keycloak, Openshift Application Runtimes and 1 more | 2021-02-17 | 2.7 Low |
A flaw was found in Keycloak 7.0.1. A logged in user can do an account email enumeration attack. | ||||
CVE-2020-10758 | 1 Redhat | 3 Keycloak, Openshift Application Runtimes, Single Sign-on | 2021-02-03 | 7.5 High |
A vulnerability was found in Keycloak before 11.0.1 where DoS attack is possible by sending twenty requests simultaneously to the specified keycloak server, all with a Content-Length header value that exceeds the actual byte count of the request body. | ||||
CVE-2020-14299 | 1 Redhat | 3 Jboss Enterprise Application Platform, Openshift Application Runtimes, Single Sign-on | 2020-10-27 | 6.5 Medium |
A flaw was found in JBoss EAP, where the authentication configuration is set-up using a legacy SecurityRealm, to delegate to a legacy PicketBox SecurityDomain, and then reloaded to admin-only mode. This flaw allows an attacker to perform a complete authentication bypass by using an arbitrary user and password. The highest threat to vulnerability is to system availability. | ||||
CVE-2020-1710 | 1 Redhat | 4 Jboss Data Grid, Jboss Enterprise Application Platform, Openshift Application Runtimes and 1 more | 2020-09-22 | 5.3 Medium |
The issue appears to be that JBoss EAP 6.4.21 does not parse the field-name in accordance to RFC7230[1] as it returns a 200 instead of a 400. | ||||
CVE-2020-1757 | 1 Redhat | 6 Jboss Data Grid, Jboss Enterprise Application Platform, Jboss Fuse and 3 more | 2020-04-30 | 8.1 High |
A flaw was found in all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1, all undertow-1.x.x and undertow-2.x.x versions prior to undertow-2.1.0.Final, where the Servlet container causes servletPath to normalize incorrectly by truncating the path after semicolon which may lead to an application mapping resulting in the security bypass. |