Filtered by vendor Redhat
Subscriptions
Filtered by product Rhosemc
Subscriptions
Total
105 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-2764 | 2 Netapp, Redhat | 11 Active Iq Unified Manager, Cloud Secure Agent, Oncommand Insight and 8 more | 2024-11-21 | 4.9 Medium |
| A flaw was found in Undertow. Denial of service can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations. | ||||
| CVE-2022-27664 | 3 Fedoraproject, Golang, Redhat | 19 Fedora, Go, Acm and 16 more | 2024-11-21 | 7.5 High |
| In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. | ||||
| CVE-2022-25857 | 3 Debian, Redhat, Snakeyaml Project | 18 Debian Linux, Amq Broker, Amq Clients and 15 more | 2024-11-21 | 7.5 High |
| The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections. | ||||
| CVE-2022-23307 | 4 Apache, Oracle, Qos and 1 more | 44 Chainsaw, Log4j, Advanced Supply Chain Planning and 41 more | 2024-11-21 | 8.8 High |
| CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists. | ||||
| CVE-2022-23305 | 6 Apache, Broadcom, Netapp and 3 more | 46 Log4j, Brocade Sannav, Snapmanager and 43 more | 2024-11-21 | 9.8 Critical |
| By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions. | ||||
| CVE-2022-23302 | 6 Apache, Broadcom, Netapp and 3 more | 44 Log4j, Brocade Sannav, Snapmanager and 41 more | 2024-11-21 | 8.8 High |
| JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions. | ||||
| CVE-2022-1438 | 1 Redhat | 3 Keycloak, Red Hat Single Sign On, Rhosemc | 2024-11-21 | 6.4 Medium |
| A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a Cross-site scripting (XSS) vulnerability. | ||||
| CVE-2022-1274 | 1 Redhat | 10 Enterprise Linux, Enterprise Linux For Ibm Z Systems, Enterprise Linux For Ibm Z Systems Eus and 7 more | 2024-11-21 | 5.4 Medium |
| A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users. | ||||
| CVE-2022-1245 | 1 Redhat | 3 Keycloak, Red Hat Single Sign On, Rhosemc | 2024-11-21 | 9.8 Critical |
| A privilege escalation flaw was found in the token exchange feature of keycloak. Missing authorization allows a client application holding a valid access token to exchange tokens for any target client by passing the client_id of the target. This could allow a client to gain unauthorized access to additional services. | ||||
| CVE-2021-4133 | 1 Redhat | 3 Keycloak, Red Hat Single Sign On, Rhosemc | 2024-11-21 | 8.8 High |
| A flaw was found in Keycloak in versions from 12.0.0 and before 15.1.1 which allows an attacker with any existing user account to create new default user accounts via the administrative REST API even when new user registration is disabled. | ||||
| CVE-2021-4104 | 4 Apache, Fedoraproject, Oracle and 1 more | 59 Log4j, Fedora, Advanced Supply Chain Planning and 56 more | 2024-11-21 | 7.5 High |
| JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions. | ||||
| CVE-2021-44906 | 2 Redhat, Substack | 12 Enterprise Linux, Jboss Enterprise Application Platform, Jboss Enterprise Application Platform Eus and 9 more | 2024-11-21 | 9.8 Critical |
| Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95). | ||||
| CVE-2021-43565 | 2 Golang, Redhat | 9 Ssh, Acm, Advanced Cluster Security and 6 more | 2024-11-21 | 7.5 High |
| The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of golang.org/x/crypto allows an attacker to panic an SSH server. | ||||
| CVE-2021-40690 | 4 Apache, Debian, Oracle and 1 more | 27 Cxf, Santuario Xml Security For Java, Tomee and 24 more | 2024-11-21 | 7.5 High |
| All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element. | ||||
| CVE-2021-3859 | 2 Netapp, Redhat | 11 Cloud Secure Agent, Oncommand Insight, Oncommand Workflow Automation and 8 more | 2024-11-21 | 7.5 High |
| A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks. | ||||
| CVE-2021-3827 | 1 Redhat | 6 Enterprise Linux, Keycloak, Openshift Container Platform and 3 more | 2024-11-21 | 6.8 Medium |
| A flaw was found in keycloak, where the default ECP binding flow allows other authentication flows to be bypassed. By exploiting this behavior, an attacker can bypass the MFA authentication by sending a SOAP request with an AuthnRequest and Authorization header with the user's credentials. The highest threat from this vulnerability is to confidentiality and integrity. | ||||
| CVE-2021-32690 | 2 Helm, Redhat | 5 Helm, Acm, Advanced Cluster Security and 2 more | 2024-11-21 | 6.8 Medium |
| Helm is a tool for managing Charts (packages of pre-configured Kubernetes resources). In versions of helm prior to 3.6.1, a vulnerability exists where the username and password credentials associated with a Helm repository could be passed on to another domain referenced by that Helm repository. This issue has been resolved in 3.6.1. There is a workaround through which one may check for improperly passed credentials. One may use a username and password for a Helm repository and may audit the Helm repository in order to check for another domain being used that could have received the credentials. In the `index.yaml` file for that repository, one may look for another domain in the `urls` list for the chart versions. If there is another domain found and that chart version was pulled or installed, the credentials would be passed on. | ||||
| CVE-2021-20289 | 4 Netapp, Oracle, Quarkus and 1 more | 12 Oncommand Insight, Communications Cloud Native Core Console, Quarkus and 9 more | 2024-11-21 | 5.3 Medium |
| A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. The highest threat from this vulnerability is to data confidentiality. | ||||
| CVE-2021-0341 | 2 Google, Redhat | 7 Android, Amq Streams, Jboss Data Grid and 4 more | 2024-11-21 | 7.5 High |
| In verifyHostName of OkHostnameVerifier.java, there is a possible way to accept a certificate for the wrong domain due to improperly used crypto. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-8.1 Android-9 Android-10 Android-11Android ID: A-171980069 | ||||
| CVE-2020-28241 | 4 Debian, Fedoraproject, Maxmind and 1 more | 6 Debian Linux, Fedora, Libmaxminddb and 3 more | 2024-11-21 | 6.5 Medium |
| libmaxminddb before 1.4.3 has a heap-based buffer over-read in dump_entry_data_list in maxminddb.c. | ||||