Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Single_sign\-On
(Redhat)Repositories | https://github.com/FasterXML/jackson-databind |
#Vulnerabilities | 93 |
Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2020-01-07 | CVE-2019-14837 | A flaw was found in keycloack before version 8.0.0. The owner of 'placeholder.org' domain can setup mail server on this domain and knowing only name of a client can reset password and then log in. For example, for client name 'test' the email address will be 'service-account-test@placeholder.org'. | Keycloak, Single_sign\-On | N/A | ||
2019-08-14 | CVE-2019-10201 | It was found that Keycloak's SAML broker, versions up to 6.0.1, did not verify missing message signatures. If an attacker modifies the SAML Response and removes the <Signature> sections, the message is still accepted, and the message can be modified. An attacker could use this flaw to impersonate other users and gain access to sensitive information. | Keycloak, Single_sign\-On | 8.1 | ||
2019-06-12 | CVE-2019-10157 | It was found that Keycloak's Node.js adapter before version 4.8.3 did not properly verify the web token received from the server in its backchannel logout . An attacker with local access could use this to construct a malicious web token setting an NBF parameter that could prevent user access indefinitely. | Keycloak, Single_sign\-On | 5.5 | ||
2018-11-13 | CVE-2018-14655 | A flaw was found in Keycloak 3.4.3.Final, 4.0.0.Beta2, 4.3.0.Final. When using 'response_mode=form_post' it is possible to inject arbitrary Javascript-Code via the 'state'-parameter in the authentication URL. This allows an XSS-Attack upon succesfully login. | Keycloak, Single_sign\-On | 5.4 | ||
2018-08-01 | CVE-2018-10894 | It was found that SAML authentication in Keycloak 3.4.3.Final incorrectly authenticated expired certificates. A malicious user could use this to access unauthorized data or possibly conduct further attacks. | Keycloak, Single_sign\-On | 5.4 | ||
2019-06-12 | CVE-2019-3873 | It was found that Picketlink as shipped with Jboss Enterprise Application Platform 7.2 would accept an xinclude parameter in SAMLresponse XML. An attacker could use this flaw to send a URL to achieve cross-site scripting or possibly conduct further attacks. | Jboss_enterprise_application_platform, Single_sign\-On | 9.0 | ||
2019-06-12 | CVE-2019-3875 | A vulnerability was found in keycloak before 6.0.2. The X.509 authenticator supports the verification of client certificates through the CRL, where the CRL list can be obtained from the URL provided in the certificate itself (CDP) or through the separately configured path. The CRL are often available over the network through unsecured protocols ('http' or 'ldap') and hence the caller should verify the signature and possibly the certification path. Keycloak currently doesn't validate... | Keycloak, Single_sign\-On | 4.8 | ||
2019-06-12 | CVE-2019-3872 | It was found that a SAMLRequest containing a script could be processed by Picketlink versions shipped in Jboss Application Platform 7.2.x and 7.1.x. An attacker could use this to send a malicious script to achieve cross-site scripting and obtain unauthorized information or conduct further attacks. | Jboss_enterprise_application_platform, Single_sign\-On | 5.4 | ||
2019-03-27 | CVE-2018-10934 | A cross-site scripting (XSS) vulnerability was found in the JBoss Management Console versions before 7.1.6.CR1, 7.1.6.GA. Users with roles that can create objects in the application can exploit this to attack other privileged users. | Jboss_enterprise_application_platform, Single_sign\-On | 5.4 |