cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:text-only:*:*:*
A flaw was found in undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status updated in SslConduit, where the loop never terminates.
Max CVSS
7.5
EPSS Score
0.13%
Published
2023-09-14
Updated
2023-11-16
A flaw was found in Undertow. For an AJP 400 response, EAP 7 is improperly sending two response packets, and those packets have the reuse flag set even though JBoss EAP closes the connection. A failure occurs when the connection is reused after a 400 by CPING since it reads in the second SEND_HEADERS response packet instead of a CPONG.
Max CVSS
7.5
EPSS Score
0.29%
Published
2022-08-31
Updated
2022-11-07
A flaw was found in Undertow. A potential security issue in flow control handling by the browser over HTTP/2 may cause overhead or a denial of service in the server. This flaw exists because of an incomplete fix for CVE-2021-3629.
Max CVSS
7.5
EPSS Score
0.10%
Published
2022-08-31
Updated
2022-11-07
A arbitrary code execution flaw was found in the Fabric 8 Kubernetes client affecting versions 5.0.0-beta-1 and above. Due to an improperly configured YAML parsing, this will allow a local and privileged attacker to supply malicious YAML.
Max CVSS
6.7
EPSS Score
0.05%
Published
2022-08-24
Updated
2022-10-04
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Max CVSS
7.5
EPSS Score
12.73%
Published
2021-12-14
Updated
2023-12-22
A flaw was found in Undertow. A buffer leak on the incoming WebSocket PONG message may lead to memory exhaustion. This flaw allows an attacker to cause a denial of service. The highest threat from this vulnerability is availability.
Max CVSS
7.5
EPSS Score
0.13%
Published
2022-08-23
Updated
2023-07-07
A flaw was found in Wildfly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final where ScramServer may be susceptible to Timing Attack if enabled. The highest threat of this vulnerability is confidentiality.
Max CVSS
5.3
EPSS Score
0.07%
Published
2021-08-05
Updated
2021-10-20
A flaw was found in undertow. The HTTP2SourceChannel fails to write the final frame under some circumstances, resulting in a denial of service. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.35.SP1, prior to 2.2.6.SP1, prior to 2.2.7.SP1, prior to 2.0.36.SP1, prior to 2.2.9.Final and prior to 2.0.39.Final.
Max CVSS
5.9
EPSS Score
0.09%
Published
2022-05-24
Updated
2022-11-10
A flaw was found in the Undertow AJP connector. Malicious requests and abrupt connection closes could be triggered by an attacker using query strings with non-RFC compliant characters resulting in a denial of service. The highest threat from this vulnerability is to system availability. This affects Undertow 2.1.5.SP1, 2.0.33.SP2, and 2.2.3.SP1.
Max CVSS
7.8
EPSS Score
0.09%
Published
2021-02-23
Updated
2021-02-27
A memory leak flaw was found in WildFly in all versions up to 21.0.0.Final, where host-controller tries to reconnect in a loop, generating new connections which are not properly closed while not able to connect to domain-controller. This flaw allows an attacker to cause an Out of memory (OOM) issue, leading to a denial of service. The highest threat from this vulnerability is to system availability.
Max CVSS
6.8
EPSS Score
0.07%
Published
2020-11-02
Updated
2023-02-12
A memory leak flaw was found in WildFly OpenSSL in versions prior to 1.1.3.Final, where it removes an HTTP session. It may allow the attacker to cause OOM leading to a denial of service. The highest threat from this vulnerability is to system availability.
Max CVSS
7.5
EPSS Score
0.21%
Published
2020-10-06
Updated
2024-02-21
A vulnerability was found in Wildfly's Enterprise Java Beans (EJB) versions shipped with Red Hat JBoss EAP 7, where SessionOpenInvocations are never removed from the remote InvocationTracker after a response is received in the EJB Client, as well as the server. This flaw allows an attacker to craft a denial of service attack to make the service unavailable.
Max CVSS
6.5
EPSS Score
0.07%
Published
2020-07-24
Updated
2023-02-12
A flaw was found in JBoss EAP, where the authentication configuration is set-up using a legacy SecurityRealm, to delegate to a legacy PicketBox SecurityDomain, and then reloaded to admin-only mode. This flaw allows an attacker to perform a complete authentication bypass by using an arbitrary user and password. The highest threat to vulnerability is to system availability.
Max CVSS
6.5
EPSS Score
0.07%
Published
2020-10-16
Updated
2020-10-27
A flaw was discovered in Wildfly's EJB Client as shipped with Red Hat JBoss EAP 7, where some specific EJB transaction objects may get accumulated over the time and can cause services to slow down and eventaully unavailable. An attacker can take advantage and cause denial of service attack and make services unavailable.
Max CVSS
6.5
EPSS Score
0.07%
Published
2020-07-24
Updated
2023-12-29
A vulnerability was found in Keycloak before 11.0.1 where DoS attack is possible by sending twenty requests simultaneously to the specified keycloak server, all with a Content-Length header value that exceeds the actual byte count of the request body.
Max CVSS
7.5
EPSS Score
0.10%
Published
2020-09-16
Updated
2021-02-03
A vulnerability was found in keycloak in the way that the OIDC logout endpoint does not have CSRF protection. Versions shipped with Red Hat Fuse 7, Red Hat Single Sign-on 7, and Red Hat Openshift Application Runtimes are believed to be vulnerable.
Max CVSS
3.3
EPSS Score
0.04%
Published
2021-02-11
Updated
2021-02-26
A flaw was found in Undertow in versions before 2.1.1.Final, regarding the processing of invalid HTTP requests with large chunk sizes. This flaw allows an attacker to take advantage of HTTP request smuggling.
Max CVSS
6.5
EPSS Score
0.09%
Published
2020-05-26
Updated
2022-02-21
A flaw was discovered in Undertow in versions before Undertow 2.1.1.Final where certain requests to the "Expect: 100-continue" header may cause an out of memory error. This flaw may potentially lead to a denial of service.
Max CVSS
7.5
EPSS Score
0.10%
Published
2020-06-10
Updated
2022-02-22
A cross-site scripting (XSS) flaw was found in RESTEasy in versions before 3.11.1.Final and before 4.5.3.Final, where it did not properly handle URL encoding when the RESTEASY003870 exception occurs. An attacker could use this flaw to launch a reflected XSS attack.
Max CVSS
6.1
EPSS Score
0.12%
Published
2021-05-27
Updated
2022-05-13
A flaw was found in all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1, all undertow-1.x.x and undertow-2.x.x versions prior to undertow-2.1.0.Final, where the Servlet container causes servletPath to normalize incorrectly by truncating the path after semicolon which may lead to an application mapping resulting in the security bypass.
Max CVSS
8.1
EPSS Score
0.06%
Published
2020-04-21
Updated
2020-04-30
A flaw was found in Soteria before 1.0.1, in a way that multiple requests occurring concurrently causing security identity corruption across concurrent threads when using EE Security with WildFly Elytron which can lead to the possibility of being handled using the identity from another request.
Max CVSS
4.9
EPSS Score
0.05%
Published
2020-05-04
Updated
2020-05-08
A flaw was found in Keycloak in versions before 9.0.2. This flaw allows a malicious user that is currently logged in, to see the personal information of a previously logged out user in the account manager section.
Max CVSS
4.3
EPSS Score
0.05%
Published
2020-05-11
Updated
2022-04-25
A flaw was found in the reset credential flow in all Keycloak versions before 8.0.0. This flaw allows an attacker to gain unauthorized access to the application.
Max CVSS
8.8
EPSS Score
0.08%
Published
2020-05-12
Updated
2020-05-14
A flaw was found in Keycloak 7.0.1. A logged in user can do an account email enumeration attack.
Max CVSS
4.0
EPSS Score
0.05%
Published
2021-02-11
Updated
2021-02-17
A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized in a privileged context and potentially lead to remote code execution.
Max CVSS
8.8
EPSS Score
0.60%
Published
2020-05-13
Updated
2021-10-19
32 vulnerabilities found
1 2
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!