Vulnerabilites related to redhat - openshift_container_platform_ibm_z_systems
Vulnerability from fkie_nvd
Published
2023-08-04 18:15
Modified
2024-11-21 07:36
Severity ?
Summary
A flaw was found in Keycloaks OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the victim and generate new session tokens. This issue could impact confidentiality, integrity, and availability.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| secalert@redhat.com | https://access.redhat.com/security/cve/CVE-2023-0264 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/security/cve/CVE-2023-0264 | Vendor Advisory |
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*", matchCriteriaId: "738E7B84-4EE9-40BF-BA2B-792E5620C117", versionEndExcluding: "18.0.6", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:single_sign-on:*:*:*:*:*:*:*:*", matchCriteriaId: "BCDDF884-6BF1-4EE8-990E-4DAB22BC5EEB", versionEndExcluding: "7.6.2", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", matchCriteriaId: "142AD0DD-4CF3-4D74-9442-459CE3347E3A", vulnerable: false, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", matchCriteriaId: "F4CFF558-3C47-480D-A2F0-BABF26042943", vulnerable: false, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*", matchCriteriaId: "7F6FB57C-2BC7-487C-96DD-132683AEB35D", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:openshift_container_platform:4.9:*:*:*:*:*:*:*", matchCriteriaId: "81609549-25CE-4C8A-9DE3-170D23704208", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform:4.10:*:*:*:*:*:*:*", matchCriteriaId: "0595C9F8-9C7A-4FC1-B7EE-52978A1B1E93", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform_for_ibm_linuxone:4.9:*:*:*:*:*:*:*", matchCriteriaId: "8C519B1A-1CD6-426C-9339-F28E4FEF581B", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform_for_ibm_linuxone:4.10:*:*:*:*:*:*:*", matchCriteriaId: "91EE3858-A648-44B4-B282-8F808D88D3B9", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform_ibm_z_systems:4.9:*:*:*:*:*:*:*", matchCriteriaId: "CC262C4C-7B6A-4117-A50F-1FF69296DDD8", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform_ibm_z_systems:4.10:*:*:*:*:*:*:*", matchCriteriaId: "E58526FB-522F-4AAC-B03C-9CAB443D0CFF", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:single_sign-on:*:*:*:*:*:*:*:*", matchCriteriaId: "BCDDF884-6BF1-4EE8-990E-4DAB22BC5EEB", versionEndExcluding: "7.6.2", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", matchCriteriaId: "F4CFF558-3C47-480D-A2F0-BABF26042943", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*", matchCriteriaId: "341E6313-20D5-44CB-9719-B20585DC5AD6", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "A flaw was found in Keycloaks OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the victim and generate new session tokens. This issue could impact confidentiality, integrity, and availability.", }, { lang: "es", value: "Se ha encontrado un fallo en la autenticación de usuarios en OpenID Connect de Keycloak, que podría autenticar incorrectamente las solicitudes. Un atacante autenticado que pudiera obtener información de una solicitud de usuario dentro del mismo entorno, podría utilizar esos datos para hacerse pasar por la víctima y generar nuevos tokens de sesión. Este problema podría afectar a la confidencialidad, integridad y disponibilidad.\n", }, ], id: "CVE-2023-0264", lastModified: "2024-11-21T07:36:51.503", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", version: "3.1", }, exploitabilityScore: 1.6, impactScore: 3.4, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-08-04T18:15:11.090", references: [ { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/security/cve/CVE-2023-0264", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/security/cve/CVE-2023-0264", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-287", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-07-05 13:15
Modified
2024-11-21 08:16
Severity ?
7.0 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
A compliance problem was found in the Red Hat OpenShift Container Platform. Red Hat discovered that, when FIPS mode was enabled, not all of the cryptographic modules in use were FIPS-validated.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| secalert@redhat.com | https://access.redhat.com/security/cve/CVE-2023-3089 | Vendor Advisory | |
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=2212085 | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/security/cve/CVE-2023-3089 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=2212085 | Issue Tracking, Vendor Advisory |
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:openshift_container_platform:4.10:*:*:*:*:*:*:*", matchCriteriaId: "0595C9F8-9C7A-4FC1-B7EE-52978A1B1E93", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", matchCriteriaId: "142AD0DD-4CF3-4D74-9442-459CE3347E3A", vulnerable: false, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", matchCriteriaId: "F4CFF558-3C47-480D-A2F0-BABF26042943", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.10:*:*:*:*:*:*:*", matchCriteriaId: "C7E78C55-45B6-4E01-9773-D3468F8EA9C3", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.11:*:*:*:*:*:*:*", matchCriteriaId: "6E34F566-0753-43D5-AC76-E47C738C9DD4", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform_for_power:4.10:*:*:*:*:*:*:*", matchCriteriaId: "54E24055-813B-4E6D-94B7-FAD5F78B8537", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform_for_power:4.11:*:*:*:*:*:*:*", matchCriteriaId: "6B2EF9F6-CE0A-48FA-87E5-77F94363B540", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform_ibm_z_systems:4.10:*:*:*:*:*:*:*", matchCriteriaId: "E58526FB-522F-4AAC-B03C-9CAB443D0CFF", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform_ibm_z_systems:4.11:*:*:*:*:*:*:*", matchCriteriaId: "22DFC1BF-2EC4-4102-97D0-BC9F75C94F71", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", matchCriteriaId: "F4CFF558-3C47-480D-A2F0-BABF26042943", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:openshift_container_platform_for_arm64:4.10:*:*:*:*:*:*:*", matchCriteriaId: "BBDCFC8C-E397-4972-88BE-9911C000EC5E", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform_for_arm64:4.11:*:*:*:*:*:*:*", matchCriteriaId: "C8DC4AA4-6C52-42A4-A314-7E2F4D5AB620", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:openshift_container_platform_for_arm64:4.12:*:*:*:*:*:*:*", matchCriteriaId: "E52D8667-D64B-4E4D-972F-089A2D834C34", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.12:*:*:*:*:*:*:*", matchCriteriaId: "1E5E9340-DD85-4B10-9A1D-9021C95229A9", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform_for_power:4.12:*:*:*:*:*:*:*", matchCriteriaId: "2127E592-F973-4244-9793-680736EC5313", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform_ibm_z_systems:4.12:*:*:*:*:*:*:*", matchCriteriaId: "608FBE62-5A35-4C7A-BBC7-E0D05E09008B", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", matchCriteriaId: "F4CFF558-3C47-480D-A2F0-BABF26042943", vulnerable: false, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*", matchCriteriaId: "7F6FB57C-2BC7-487C-96DD-132683AEB35D", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:openshift_container_platform_for_arm64:4.12:*:*:*:*:*:*:*", matchCriteriaId: "E52D8667-D64B-4E4D-972F-089A2D834C34", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", matchCriteriaId: "F4CFF558-3C47-480D-A2F0-BABF26042943", vulnerable: false, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*", matchCriteriaId: "7F6FB57C-2BC7-487C-96DD-132683AEB35D", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, ], cveTags: [], descriptions: [ { lang: "en", value: "A compliance problem was found in the Red Hat OpenShift Container Platform. Red Hat discovered that, when FIPS mode was enabled, not all of the cryptographic modules in use were FIPS-validated.", }, ], id: "CVE-2023-3089", lastModified: "2024-11-21T08:16:25.273", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 7, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L", version: "3.1", }, exploitabilityScore: 2.2, impactScore: 4.7, source: "secalert@redhat.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-07-05T13:15:09.707", references: [ { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/security/cve/CVE-2023-3089", }, { source: "secalert@redhat.com", tags: [ "Issue Tracking", "Vendor Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2212085", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/security/cve/CVE-2023-3089", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Vendor Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2212085", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-693", }, ], source: "secalert@redhat.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-521", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-12-14 22:15
Modified
2024-11-21 08:43
Severity ?
4.6 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted request leading to cross-site scripting (XSS) or further attacks. This flaw is the result of an incomplete fix for CVE-2020-10748.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| redhat | single_sign-on | * | |
| redhat | enterprise_linux | 7.0 | |
| redhat | enterprise_linux | 8.0 | |
| redhat | enterprise_linux | 9.0 | |
| redhat | keycloak | * | |
| redhat | openshift_container_platform | 4.11 | |
| redhat | openshift_container_platform | 4.12 | |
| redhat | enterprise_linux | 8.0 | |
| redhat | openshift_container_platform_for_power | 4.9 | |
| redhat | openshift_container_platform_for_power | 4.10 | |
| redhat | enterprise_linux | 8.0 | |
| redhat | openshift_container_platform_ibm_z_systems | 4.9 | |
| redhat | openshift_container_platform_ibm_z_systems | 4.10 | |
| redhat | enterprise_linux | 8.0 | |
| redhat | single_sign-on | - |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:single_sign-on:*:*:*:*:*:*:*:*", matchCriteriaId: "700E09EA-C73C-4F05-9B7D-D4894C29AEC9", versionEndExcluding: "7.6", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", matchCriteriaId: "142AD0DD-4CF3-4D74-9442-459CE3347E3A", vulnerable: false, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", matchCriteriaId: "F4CFF558-3C47-480D-A2F0-BABF26042943", vulnerable: false, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*", matchCriteriaId: "7F6FB57C-2BC7-487C-96DD-132683AEB35D", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*", matchCriteriaId: "66A01C0F-CB27-4A62-9B86-C35CCD605AB6", versionEndExcluding: "22.0.7", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:openshift_container_platform:4.11:*:*:*:*:*:*:*", matchCriteriaId: "EA983F8C-3A06-450A-AEFF-9429DE9A3454", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform:4.12:*:*:*:*:*:*:*", matchCriteriaId: "40449571-22F8-44FA-B57B-B43F71AB25E2", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", matchCriteriaId: "F4CFF558-3C47-480D-A2F0-BABF26042943", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:openshift_container_platform_for_power:4.9:*:*:*:*:*:*:*", matchCriteriaId: "30E2CF79-2D56-48AB-952E-5DDAFE471073", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform_for_power:4.10:*:*:*:*:*:*:*", matchCriteriaId: "54E24055-813B-4E6D-94B7-FAD5F78B8537", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", matchCriteriaId: "F4CFF558-3C47-480D-A2F0-BABF26042943", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:openshift_container_platform_ibm_z_systems:4.9:*:*:*:*:*:*:*", matchCriteriaId: "CC262C4C-7B6A-4117-A50F-1FF69296DDD8", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform_ibm_z_systems:4.10:*:*:*:*:*:*:*", matchCriteriaId: "E58526FB-522F-4AAC-B03C-9CAB443D0CFF", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", matchCriteriaId: "F4CFF558-3C47-480D-A2F0-BABF26042943", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*", matchCriteriaId: "341E6313-20D5-44CB-9719-B20585DC5AD6", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted request leading to cross-site scripting (XSS) or further attacks. This flaw is the result of an incomplete fix for CVE-2020-10748.", }, { lang: "es", value: "Se encontró una falla en Keycloak que impide ciertos esquemas en las redirecciones, pero los permite si se agrega un comodín al token. Este problema podría permitir que un atacante envíe una solicitud especialmente manipulada que dé lugar a cross-site scripting (XSS) o más ataques. Esta falla es el resultado de una solución incompleta para CVE-2020-10748.", }, ], id: "CVE-2023-6134", lastModified: "2024-11-21T08:43:12.193", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.6, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.1, impactScore: 2.5, source: "secalert@redhat.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.3, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-12-14T22:15:44.087", references: [ { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:7854", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:7855", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:7856", }, { source: "secalert@redhat.com", tags: [ "Exploit", "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:7857", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:7858", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:7860", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:7861", }, { source: "secalert@redhat.com", url: "https://access.redhat.com/errata/RHSA-2024:0798", }, { source: "secalert@redhat.com", url: "https://access.redhat.com/errata/RHSA-2024:0799", }, { source: "secalert@redhat.com", url: "https://access.redhat.com/errata/RHSA-2024:0800", }, { source: "secalert@redhat.com", url: "https://access.redhat.com/errata/RHSA-2024:0801", }, { source: "secalert@redhat.com", url: "https://access.redhat.com/errata/RHSA-2024:0804", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/security/cve/CVE-2023-6134", }, { source: "secalert@redhat.com", tags: [ "Issue Tracking", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2249673", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:7854", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:7855", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:7856", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:7857", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:7858", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:7860", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:7861", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://access.redhat.com/errata/RHSA-2024:0798", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://access.redhat.com/errata/RHSA-2024:0799", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://access.redhat.com/errata/RHSA-2024:0800", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://access.redhat.com/errata/RHSA-2024:0801", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://access.redhat.com/errata/RHSA-2024:0804", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/security/cve/CVE-2023-6134", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2249673", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "secalert@redhat.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-11-01 14:15
Modified
2024-12-06 11:15
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
A regression was introduced in the Red Hat build of python-eventlet due to a change in the patch application strategy, resulting in a patch for CVE-2021-21419 not being applied for all builds of all products.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| redhat | openshift_container_platform_for_arm64 | 4.12 | |
| redhat | openshift_container_platform_for_linuxone | 4.12 | |
| redhat | openshift_container_platform_for_power | 4.12 | |
| redhat | openshift_container_platform_ibm_z_systems | 4.12 | |
| redhat | enterprise_linux | 8.0 | |
| redhat | enterprise_linux | 9.0 | |
| redhat | openstack_platform | 17.1 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:openshift_container_platform_for_arm64:4.12:*:*:*:*:*:*:*", matchCriteriaId: "E52D8667-D64B-4E4D-972F-089A2D834C34", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.12:*:*:*:*:*:*:*", matchCriteriaId: "1E5E9340-DD85-4B10-9A1D-9021C95229A9", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform_for_power:4.12:*:*:*:*:*:*:*", matchCriteriaId: "2127E592-F973-4244-9793-680736EC5313", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform_ibm_z_systems:4.12:*:*:*:*:*:*:*", matchCriteriaId: "608FBE62-5A35-4C7A-BBC7-E0D05E09008B", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", matchCriteriaId: "F4CFF558-3C47-480D-A2F0-BABF26042943", vulnerable: false, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*", matchCriteriaId: "7F6FB57C-2BC7-487C-96DD-132683AEB35D", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:openstack_platform:17.1:*:*:*:*:*:*:*", matchCriteriaId: "E315FC5C-FF19-43C9-A58A-CF2A5FF13824", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "A regression was introduced in the Red Hat build of python-eventlet due to a change in the patch application strategy, resulting in a patch for CVE-2021-21419 not being applied for all builds of all products.", }, { lang: "es", value: "Se introdujo una regresión en la compilación de Red Hat de python-eventlet debido a un cambio en la estrategia de aplicación del parche, lo que provocó que no se aplicara un parche para CVE-2021-21419 para todas las compilaciones de todos los productos.", }, ], id: "CVE-2023-5625", lastModified: "2024-12-06T11:15:07.640", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 1.4, source: "secalert@redhat.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-11-01T14:15:38.897", references: [ { source: "secalert@redhat.com", tags: [ "Patch", "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:6128", }, { source: "secalert@redhat.com", url: "https://access.redhat.com/errata/RHSA-2024:0188", }, { source: "secalert@redhat.com", url: "https://access.redhat.com/errata/RHSA-2024:0213", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/security/cve/CVE-2023-5625", }, { source: "secalert@redhat.com", tags: [ "Issue Tracking", "Vendor Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2244717", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:6128", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://access.redhat.com/errata/RHSA-2024:0188", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://access.redhat.com/errata/RHSA-2024:0213", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/security/cve/CVE-2023-5625", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Vendor Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2244717", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-770", }, ], source: "secalert@redhat.com", type: "Primary", }, { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], source: "nvd@nist.gov", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-400", }, ], source: "134c704f-9b21-4f2e-91b3-4a467353bcc0", type: "Secondary", }, ], }
Vulnerability from fkie_nvd
Published
2023-03-23 21:15
Modified
2025-02-25 20:15
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| secalert@redhat.com | https://access.redhat.com/security/cve/CVE-2023-0056 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/security/cve/CVE-2023-0056 | Vendor Advisory |
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:haproxy:haproxy:-:*:*:*:*:*:*:*", matchCriteriaId: "68833392-03CF-4C78-B499-EB2B8C1335D6", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:ceph_storage:5.0:*:*:*:*:*:*:*", matchCriteriaId: "4E37E1B3-6F68-4502-85D6-68333643BDFF", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:software_collections:-:*:*:*:*:*:*:*", matchCriteriaId: "749804DA-4B27-492A-9ABA-6BB562A6B3AC", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:openshift_container_platform:4.12:*:*:*:*:*:*:*", matchCriteriaId: "40449571-22F8-44FA-B57B-B43F71AB25E2", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform_for_ibm_linuxone:4.12:*:*:*:*:*:*:*", matchCriteriaId: "948DF974-D58C-41D3-9024-1C7D260D822F", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform_for_power:4.12:*:*:*:*:*:*:*", matchCriteriaId: "2127E592-F973-4244-9793-680736EC5313", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform_ibm_z_systems:4.12:*:*:*:*:*:*:*", matchCriteriaId: "608FBE62-5A35-4C7A-BBC7-E0D05E09008B", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*", matchCriteriaId: "7F6FB57C-2BC7-487C-96DD-132683AEB35D", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:openshift_container_platform:4.10:*:*:*:*:*:arm64:*", matchCriteriaId: "4E5177BE-F2A0-4148-AA26-E1C8D3B75D13", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform:4.11:*:*:*:*:*:arm64:*", matchCriteriaId: "1E5CB8B9-F3B7-478E-94EA-705BDBE902D9", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform:4.12:*:*:*:*:*:arm64:*", matchCriteriaId: "36DBD95A-D9C8-47CB-AD0E-F37255E237EB", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:openshift_container_platform:4.10:*:*:*:*:*:*:*", matchCriteriaId: "0595C9F8-9C7A-4FC1-B7EE-52978A1B1E93", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform_for_ibm_linuxone:4.10:*:*:*:*:*:*:*", matchCriteriaId: "91EE3858-A648-44B4-B282-8F808D88D3B9", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform_for_power:4.10:*:*:*:*:*:*:*", matchCriteriaId: "54E24055-813B-4E6D-94B7-FAD5F78B8537", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform_ibm_z_systems:4.10:*:*:*:*:*:*:*", matchCriteriaId: "E58526FB-522F-4AAC-B03C-9CAB443D0CFF", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", matchCriteriaId: "F4CFF558-3C47-480D-A2F0-BABF26042943", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:openshift_container_platform:4.11:*:*:*:*:*:*:*", matchCriteriaId: "EA983F8C-3A06-450A-AEFF-9429DE9A3454", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform_for_ibm_linuxone:4.11:*:*:*:*:*:*:*", matchCriteriaId: "1104A2D0-B813-41B0-A6FB-677A3FC249BE", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform_for_power:4.11:*:*:*:*:*:*:*", matchCriteriaId: "6B2EF9F6-CE0A-48FA-87E5-77F94363B540", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform_ibm_z_systems:4.11:*:*:*:*:*:*:*", matchCriteriaId: "22DFC1BF-2EC4-4102-97D0-BC9F75C94F71", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", matchCriteriaId: "F4CFF558-3C47-480D-A2F0-BABF26042943", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:openshift_container_platform:4.12:*:*:*:*:*:*:*", matchCriteriaId: "40449571-22F8-44FA-B57B-B43F71AB25E2", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform_for_ibm_linuxone:4.12:*:*:*:*:*:*:*", matchCriteriaId: "948DF974-D58C-41D3-9024-1C7D260D822F", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform_for_power:4.12:*:*:*:*:*:*:*", matchCriteriaId: "2127E592-F973-4244-9793-680736EC5313", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform_ibm_z_systems:4.12:*:*:*:*:*:*:*", matchCriteriaId: "608FBE62-5A35-4C7A-BBC7-E0D05E09008B", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", matchCriteriaId: "F4CFF558-3C47-480D-A2F0-BABF26042943", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:fedoraproject:extra_packages_for_enterprise_linux:8.0:*:*:*:*:*:*:*", matchCriteriaId: "BB176AC3-3CDA-4DDA-9089-C67B2F73AA62", vulnerable: true, }, { criteria: "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", matchCriteriaId: "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD", vulnerable: true, }, { criteria: "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", matchCriteriaId: "E30D0E6F-4AE8-4284-8716-991DFA48CC5D", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability.", }, ], id: "CVE-2023-0056", lastModified: "2025-02-25T20:15:31.793", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 3.6, source: "134c704f-9b21-4f2e-91b3-4a467353bcc0", type: "Secondary", }, ], }, published: "2023-03-23T21:15:19.087", references: [ { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/security/cve/CVE-2023-0056", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/security/cve/CVE-2023-0056", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-400", }, ], source: "secalert@redhat.com", type: "Primary", }, { description: [ { lang: "en", value: "CWE-400", }, ], source: "nvd@nist.gov", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-400", }, ], source: "134c704f-9b21-4f2e-91b3-4a467353bcc0", type: "Secondary", }, ], }
Vulnerability from fkie_nvd
Published
2023-09-25 20:15
Modified
2024-11-21 07:35
Severity ?
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
A vulnerability was found in cri-o. This issue allows the addition of arbitrary lines into /etc/passwd by use of a specially crafted environment variable.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| secalert@redhat.com | https://access.redhat.com/errata/RHSA-2023:1033 | Third Party Advisory | |
| secalert@redhat.com | https://access.redhat.com/errata/RHSA-2023:1503 | Third Party Advisory | |
| secalert@redhat.com | https://access.redhat.com/security/cve/CVE-2022-4318 | Third Party Advisory | |
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=2152703 | Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/errata/RHSA-2023:1033 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/errata/RHSA-2023:1503 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/security/cve/CVE-2022-4318 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=2152703 | Issue Tracking, Third Party Advisory |
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:kubernetes:cri-o:-:*:*:*:*:*:*:*", matchCriteriaId: "A283D260-73A3-481A-9E98-4C4604020B83", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:openshift_container_platform_for_arm64:4.12:*:*:*:*:*:*:*", matchCriteriaId: "E52D8667-D64B-4E4D-972F-089A2D834C34", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.12:*:*:*:*:*:*:*", matchCriteriaId: "1E5E9340-DD85-4B10-9A1D-9021C95229A9", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform_for_power:4.12:*:*:*:*:*:*:*", matchCriteriaId: "2127E592-F973-4244-9793-680736EC5313", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform_ibm_z_systems:4.12:*:*:*:*:*:*:*", matchCriteriaId: "608FBE62-5A35-4C7A-BBC7-E0D05E09008B", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", matchCriteriaId: "F4CFF558-3C47-480D-A2F0-BABF26042943", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:openshift_container_platform_for_arm64:4.12:*:*:*:*:*:*:*", matchCriteriaId: "E52D8667-D64B-4E4D-972F-089A2D834C34", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.12:*:*:*:*:*:*:*", matchCriteriaId: "1E5E9340-DD85-4B10-9A1D-9021C95229A9", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform_for_power:4.12:*:*:*:*:*:*:*", matchCriteriaId: "2127E592-F973-4244-9793-680736EC5313", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform_ibm_z_systems:4.12:*:*:*:*:*:*:*", matchCriteriaId: "608FBE62-5A35-4C7A-BBC7-E0D05E09008B", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*", matchCriteriaId: "7F6FB57C-2BC7-487C-96DD-132683AEB35D", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:fedoraproject:extra_packages_for_enterprise_linux:8.0:*:*:*:*:*:*:*", matchCriteriaId: "BB176AC3-3CDA-4DDA-9089-C67B2F73AA62", vulnerable: true, }, { criteria: "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", matchCriteriaId: "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD", vulnerable: true, }, { criteria: "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", matchCriteriaId: "E30D0E6F-4AE8-4284-8716-991DFA48CC5D", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:openshift_container_platform_for_arm64:4.11:*:*:*:*:*:*:*", matchCriteriaId: "C8DC4AA4-6C52-42A4-A314-7E2F4D5AB620", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.11:*:*:*:*:*:*:*", matchCriteriaId: "6E34F566-0753-43D5-AC76-E47C738C9DD4", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform_for_power:4.11:*:*:*:*:*:*:*", matchCriteriaId: "6B2EF9F6-CE0A-48FA-87E5-77F94363B540", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform_ibm_z_systems:4.11:*:*:*:*:*:*:*", matchCriteriaId: "22DFC1BF-2EC4-4102-97D0-BC9F75C94F71", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", matchCriteriaId: "F4CFF558-3C47-480D-A2F0-BABF26042943", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, ], cveTags: [], descriptions: [ { lang: "en", value: "A vulnerability was found in cri-o. This issue allows the addition of arbitrary lines into /etc/passwd by use of a specially crafted environment variable.", }, { lang: "es", value: "Se encontró una vulnerabilidad en cri-o. Este problema permite la adición de líneas arbitrarias en /etc/passwd mediante el uso de una variable de entorno especialmente manipulada.", }, ], id: "CVE-2022-4318", lastModified: "2024-11-21T07:35:01.550", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 1.8, impactScore: 5.9, source: "secalert@redhat.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 1.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-09-25T20:15:10.590", references: [ { source: "secalert@redhat.com", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:1033", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:1503", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/security/cve/CVE-2022-4318", }, { source: "secalert@redhat.com", tags: [ "Issue Tracking", "Third Party Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2152703", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:1033", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:1503", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://access.redhat.com/security/cve/CVE-2022-4318", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Third Party Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2152703", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-538", }, ], source: "secalert@redhat.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-913", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-09-20 15:15
Modified
2024-11-21 07:20
Severity ?
6.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
6.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
6.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Summary
A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*", matchCriteriaId: "53DA67A0-2E85-499E-B8E1-2B12C433BC29", versionEndExcluding: "20.0.2", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*", matchCriteriaId: "341E6313-20D5-44CB-9719-B20585DC5AD6", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:single_sign-on:7.6:*:*:*:*:*:*:*", matchCriteriaId: "2DEC61BC-E699-456E-99B6-C049F2A5F23F", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", matchCriteriaId: "142AD0DD-4CF3-4D74-9442-459CE3347E3A", vulnerable: false, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", matchCriteriaId: "F4CFF558-3C47-480D-A2F0-BABF26042943", vulnerable: false, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*", matchCriteriaId: "7F6FB57C-2BC7-487C-96DD-132683AEB35D", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:openshift_container_platform:4.9:*:*:*:*:*:*:*", matchCriteriaId: "81609549-25CE-4C8A-9DE3-170D23704208", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform:4.10:*:*:*:*:*:*:*", matchCriteriaId: "0595C9F8-9C7A-4FC1-B7EE-52978A1B1E93", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.9:*:*:*:*:*:*:*", matchCriteriaId: "B02036DD-4489-480B-B7D4-4EB08952377B", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.10:*:*:*:*:*:*:*", matchCriteriaId: "C7E78C55-45B6-4E01-9773-D3468F8EA9C3", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform_for_power:4.9:*:*:*:*:*:*:*", matchCriteriaId: "30E2CF79-2D56-48AB-952E-5DDAFE471073", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform_for_power:4.10:*:*:*:*:*:*:*", matchCriteriaId: "54E24055-813B-4E6D-94B7-FAD5F78B8537", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform_ibm_z_systems:4.9:*:*:*:*:*:*:*", matchCriteriaId: "CC262C4C-7B6A-4117-A50F-1FF69296DDD8", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform_ibm_z_systems:4.10:*:*:*:*:*:*:*", matchCriteriaId: "E58526FB-522F-4AAC-B03C-9CAB443D0CFF", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", matchCriteriaId: "F4CFF558-3C47-480D-A2F0-BABF26042943", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, ], cveTags: [], descriptions: [ { lang: "en", value: "A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user.", }, { lang: "es", value: "Se encontró una falla en el alcance offline_access en Keycloak. Este problema afectaría más a los usuarios de ordenadores compartidos (especialmente si las cookies no se borran), debido a la falta de validación de la sesión root y a la reutilización de los identificadores de sesión en las sesiones de autenticación de usuario y root. Esto permite a un atacante resolver una sesión de usuario adjunta a un usuario previamente autenticado; al utilizar el token de actualización, se les emitirá un token para el usuario original.", }, ], id: "CVE-2022-3916", lastModified: "2024-11-21T07:20:31.480", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.8, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", version: "3.1", }, exploitabilityScore: 1.6, impactScore: 5.2, source: "secalert@redhat.com", type: "Secondary", }, { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.8, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", version: "3.1", }, exploitabilityScore: 1.6, impactScore: 5.2, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-09-20T15:15:11.583", references: [ { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2022:8961", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2022:8962", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2022:8963", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2022:8964", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2022:8965", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:1043", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:1044", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:1045", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:1047", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:1049", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/security/cve/CVE-2022-3916", }, { source: "secalert@redhat.com", tags: [ "Issue Tracking", "Vendor Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2141404", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2022:8961", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2022:8962", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2022:8963", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2022:8964", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2022:8965", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:1043", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:1044", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:1045", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:1047", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2023:1049", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/security/cve/CVE-2022-3916", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Vendor Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2141404", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-384", }, ], source: "secalert@redhat.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-613", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-09-03 20:15
Modified
2024-11-21 09:43
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems.
References
Impacted products
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*", matchCriteriaId: "EEB94F86-A977-493B-9F12-6991F84F955C", versionEndExcluding: "24.0.3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:build_of_keycloak:*:*:*:*:*:*:*:*", matchCriteriaId: "395F9BD6-C79B-442A-AA00-F96CA978B910", versionEndExcluding: "22.012", versionStartIncluding: "22.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*", matchCriteriaId: "341E6313-20D5-44CB-9719-B20585DC5AD6", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:single_sign-on:*:*:*:*:*:*:*:*", matchCriteriaId: "92BC930F-97E8-4FA9-80C5-3A8DB327990B", versionEndExcluding: "7.6.10", versionStartIncluding: "7.6", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", matchCriteriaId: "142AD0DD-4CF3-4D74-9442-459CE3347E3A", vulnerable: false, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", matchCriteriaId: "F4CFF558-3C47-480D-A2F0-BABF26042943", vulnerable: false, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*", matchCriteriaId: "7F6FB57C-2BC7-487C-96DD-132683AEB35D", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:openshift_container_platform:4.11:*:*:*:*:*:*:*", matchCriteriaId: "EA983F8C-3A06-450A-AEFF-9429DE9A3454", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform:4.12:*:*:*:*:*:*:*", matchCriteriaId: "40449571-22F8-44FA-B57B-B43F71AB25E2", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.9:*:*:*:*:*:*:*", matchCriteriaId: "B02036DD-4489-480B-B7D4-4EB08952377B", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform_for_linuxone:4.10:*:*:*:*:*:*:*", matchCriteriaId: "C7E78C55-45B6-4E01-9773-D3468F8EA9C3", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform_for_power:4.9:*:*:*:*:*:*:*", matchCriteriaId: "30E2CF79-2D56-48AB-952E-5DDAFE471073", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform_for_power:4.10:*:*:*:*:*:*:*", matchCriteriaId: "54E24055-813B-4E6D-94B7-FAD5F78B8537", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform_ibm_z_systems:4.9:*:*:*:*:*:*:*", matchCriteriaId: "CC262C4C-7B6A-4117-A50F-1FF69296DDD8", vulnerable: true, }, { criteria: "cpe:2.3:a:redhat:openshift_container_platform_ibm_z_systems:4.10:*:*:*:*:*:*:*", matchCriteriaId: "E58526FB-522F-4AAC-B03C-9CAB443D0CFF", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", matchCriteriaId: "F4CFF558-3C47-480D-A2F0-BABF26042943", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, ], cveTags: [], descriptions: [ { lang: "en", value: "A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems.", }, { lang: "es", value: "Se encontró una vulnerabilidad en Keycloak. Esta falla permite a los atacantes eludir la protección por fuerza bruta al explotar el tiempo de los intentos de inicio de sesión. Al iniciar múltiples solicitudes de inicio de sesión simultáneamente, los atacantes pueden superar los límites configurados para intentos fallidos antes de que el sistema los bloquee. Esta falla de tiempo permite a los atacantes realizar más intentos de adivinar contraseñas de lo previsto, lo que podría comprometer la seguridad de las cuentas en los sistemas afectados.", }, ], id: "CVE-2024-4629", lastModified: "2024-11-21T09:43:14.917", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 2.5, source: "secalert@redhat.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 2.5, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-09-03T20:15:09.003", references: [ { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2024:6493", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2024:6494", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2024:6495", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2024:6497", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2024:6499", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2024:6500", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/errata/RHSA-2024:6501", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://access.redhat.com/security/cve/CVE-2024-4629", }, { source: "secalert@redhat.com", tags: [ "Issue Tracking", "Vendor Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2276761", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://github.com/hnsecurity/vulns/blob/main/HNS-2024-09-Keycloak.md", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://security.humanativaspa.it/an-analysis-of-the-keycloak-authentication-system/", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-837", }, ], source: "secalert@redhat.com", type: "Primary", }, ], }
CVE-2022-4318 (GCVE-0-2022-4318)
Vulnerability from cvelistv5
Published
2023-09-25 19:23
Modified
2024-08-03 01:34
Severity ?
EPSS score ?
Summary
A vulnerability was found in cri-o. This issue allows the addition of arbitrary lines into /etc/passwd by use of a specially crafted environment variable.
References
| ▼ | URL | Tags |
|---|---|---|
| https://access.redhat.com/errata/RHSA-2023:1033 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2023:1503 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/security/cve/CVE-2022-4318 | vdb-entry, x_refsource_REDHAT | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2152703 | issue-tracking, x_refsource_REDHAT |
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ▼ | Red Hat | Red Hat OpenShift Container Platform 4.11 |
Unaffected: 0:1.24.4-10.rhaos4.11.git1ed5ac5.el8 < * cpe:/a:redhat:openshift:4.11::el8 |
|||||||||||
|
||||||||||||||
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-4318", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-05-10T20:59:14.761359Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-06-04T17:16:34.476Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-03T01:34:50.124Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "RHSA-2023:1033", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2023:1033", }, { name: "RHSA-2023:1503", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2023:1503", }, { tags: [ "vdb-entry", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/security/cve/CVE-2022-4318", }, { name: "RHBZ#2152703", tags: [ "issue-tracking", "x_refsource_REDHAT", "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2152703", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openshift:4.11::el8", ], defaultStatus: "affected", packageName: "cri-o", product: "Red Hat OpenShift Container Platform 4.11", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:1.24.4-10.rhaos4.11.git1ed5ac5.el8", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openshift:4.12::el8", "cpe:/a:redhat:openshift:4.12::el9", ], defaultStatus: "affected", packageName: "cri-o", product: "Red Hat OpenShift Container Platform 4.12", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:1.25.2-9.rhaos4.12.git0a083f9.el9", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/o:redhat:enterprise_linux:9", ], defaultStatus: "unaffected", packageName: "fence-agents", product: "Red Hat Enterprise Linux 9", vendor: "Red Hat", }, ], credits: [ { lang: "en", value: "Red Hat would like to thank Burt Holzman (Fermilab) for reporting this issue.", }, ], datePublic: "2022-12-12T00:00:00+00:00", descriptions: [ { lang: "en", value: "A vulnerability was found in cri-o. This issue allows the addition of arbitrary lines into /etc/passwd by use of a specially crafted environment variable.", }, ], metrics: [ { other: { content: { namespace: "https://access.redhat.com/security/updates/classification/", value: "Moderate", }, type: "Red Hat severity rating", }, }, { cvssV3_1: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, format: "CVSS", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-538", description: "Insertion of Sensitive Information into Externally-Accessible File or Directory", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-05-03T15:32:28.840Z", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "RHSA-2023:1033", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:1033", }, { name: "RHSA-2023:1503", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:1503", }, { tags: [ "vdb-entry", "x_refsource_REDHAT", ], url: "https://access.redhat.com/security/cve/CVE-2022-4318", }, { name: "RHBZ#2152703", tags: [ "issue-tracking", "x_refsource_REDHAT", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2152703", }, ], timeline: [ { lang: "en", time: "2022-12-12T00:00:00+00:00", value: "Reported to Red Hat.", }, { lang: "en", time: "2022-12-12T00:00:00+00:00", value: "Made public.", }, ], title: "Cri-o: /etc/passwd tampering privesc", x_redhatCweChain: "CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory", }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2022-4318", datePublished: "2023-09-25T19:23:02.119Z", dateReserved: "2022-12-06T23:45:50.138Z", dateUpdated: "2024-08-03T01:34:50.124Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2023-0056 (GCVE-0-2023-0056)
Vulnerability from cvelistv5
Published
2023-03-23 00:00
Modified
2025-02-25 19:35
Severity ?
EPSS score ?
Summary
An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T04:54:32.577Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://access.redhat.com/security/cve/CVE-2023-0056", }, ], title: "CVE Program Container", }, { metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, }, { other: { content: { id: "CVE-2023-0056", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-02-25T19:35:23.746547Z", version: "2.0.3", }, type: "ssvc", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-400", description: "CWE-400 Uncontrolled Resource Consumption", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-02-25T19:35:27.521Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "haproxy", vendor: "n/a", versions: [ { status: "affected", version: "unknown", }, ], }, ], descriptions: [ { lang: "en", value: "An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-400", description: "CWE-400", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-03-23T00:00:00.000Z", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { url: "https://access.redhat.com/security/cve/CVE-2023-0056", }, ], }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2023-0056", datePublished: "2023-03-23T00:00:00.000Z", dateReserved: "2023-01-04T00:00:00.000Z", dateUpdated: "2025-02-25T19:35:27.521Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2023-5625 (GCVE-0-2023-5625)
Vulnerability from cvelistv5
Published
2023-11-01 13:28
Modified
2024-12-06 11:11
Severity ?
EPSS score ?
Summary
A regression was introduced in the Red Hat build of python-eventlet due to a change in the patch application strategy, resulting in a patch for CVE-2021-21419 not being applied for all builds of all products.
References
| ▼ | URL | Tags |
|---|---|---|
| https://access.redhat.com/errata/RHSA-2023:6128 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2024:0188 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2024:0213 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/security/cve/CVE-2023-5625 | vdb-entry, x_refsource_REDHAT | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2244717 | issue-tracking, x_refsource_REDHAT |
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ▼ | Red Hat | Ironic content for Red Hat OpenShift Container Platform 4.12 |
Unaffected: 0:0.30.2-4.el9 < * cpe:/a:redhat:openshift_ironic:4.12::el9 cpe:/a:redhat:openshift:4.12::el8 cpe:/a:redhat:openshift:4.12::el9 |
|||||||||||
|
||||||||||||||
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2023-5625", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-07-31T20:10:57.417193Z", version: "2.0.3", }, type: "ssvc", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-400", description: "CWE-400 Uncontrolled Resource Consumption", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-07-31T20:14:12.227Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-02T08:07:32.226Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "RHSA-2023:6128", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2023:6128", }, { name: "RHSA-2024:0188", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2024:0188", }, { name: "RHSA-2024:0213", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2024:0213", }, { tags: [ "vdb-entry", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/security/cve/CVE-2023-5625", }, { name: "RHBZ#2244717", tags: [ "issue-tracking", "x_refsource_REDHAT", "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2244717", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openshift_ironic:4.12::el9", "cpe:/a:redhat:openshift:4.12::el8", "cpe:/a:redhat:openshift:4.12::el9", ], defaultStatus: "affected", packageName: "python-eventlet", product: "Ironic content for Red Hat OpenShift Container Platform 4.12", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:0.30.2-4.el9", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openstack:17.1::el8", ], defaultStatus: "affected", packageName: "python-eventlet", product: "Red Hat OpenStack Platform 17.1 for RHEL 8", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:0.30.2-4.el8ost", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openstack:17.1::el9", ], defaultStatus: "affected", packageName: "python-eventlet", product: "Red Hat OpenStack Platform 17.1 for RHEL 9", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:0.30.2-4.el9ost", versionType: "rpm", }, ], }, ], datePublic: "2023-10-17T00:00:00+00:00", descriptions: [ { lang: "en", value: "A regression was introduced in the Red Hat build of python-eventlet due to a change in the patch application strategy, resulting in a patch for CVE-2021-21419 not being applied for all builds of all products.", }, ], metrics: [ { other: { content: { namespace: "https://access.redhat.com/security/updates/classification/", value: "Moderate", }, type: "Red Hat severity rating", }, }, { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, format: "CVSS", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-770", description: "Allocation of Resources Without Limits or Throttling", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-12-06T11:11:24.792Z", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "RHSA-2023:6128", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:6128", }, { name: "RHSA-2024:0188", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2024:0188", }, { name: "RHSA-2024:0213", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2024:0213", }, { tags: [ "vdb-entry", "x_refsource_REDHAT", ], url: "https://access.redhat.com/security/cve/CVE-2023-5625", }, { name: "RHBZ#2244717", tags: [ "issue-tracking", "x_refsource_REDHAT", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2244717", }, ], timeline: [ { lang: "en", time: "2023-10-17T00:00:00+00:00", value: "Reported to Red Hat.", }, { lang: "en", time: "2023-10-17T00:00:00+00:00", value: "Made public.", }, ], title: "Python-eventlet: patch regression for cve-2021-21419 in some red hat builds", x_redhatCweChain: "CWE-770: Allocation of Resources Without Limits or Throttling", }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2023-5625", datePublished: "2023-11-01T13:28:10.190Z", dateReserved: "2023-10-17T22:35:25.280Z", dateUpdated: "2024-12-06T11:11:24.792Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2023-0264 (GCVE-0-2023-0264)
Vulnerability from cvelistv5
Published
2023-08-04 17:09
Modified
2024-08-02 05:02
Severity ?
EPSS score ?
Summary
A flaw was found in Keycloaks OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the victim and generate new session tokens. This issue could impact confidentiality, integrity, and availability.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| redhat.com | Keycloak |
Version: 18.0.6 ≤ |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T05:02:44.110Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://access.redhat.com/security/cve/CVE-2023-0264", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Keycloak", vendor: "redhat.com", versions: [ { lessThan: "18.0.6", status: "affected", version: "18.0.6", versionType: "semver", }, ], }, ], descriptions: [ { lang: "en", value: "A flaw was found in Keycloaks OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the victim and generate new session tokens. This issue could impact confidentiality, integrity, and availability.", }, ], providerMetadata: { dateUpdated: "2023-08-04T17:09:27.693Z", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { url: "https://access.redhat.com/security/cve/CVE-2023-0264", }, ], }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2023-0264", datePublished: "2023-08-04T17:09:27.693Z", dateReserved: "2023-01-12T23:10:37.812Z", dateUpdated: "2024-08-02T05:02:44.110Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2024-4629 (GCVE-0-2024-4629)
Vulnerability from cvelistv5
Published
2024-09-03 19:42
Modified
2025-01-28 09:33
Severity ?
EPSS score ?
Summary
A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems.
References
| ▼ | URL | Tags |
|---|---|---|
| https://access.redhat.com/errata/RHSA-2024:6493 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2024:6494 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2024:6495 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2024:6497 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2024:6499 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2024:6500 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2024:6501 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/security/cve/CVE-2024-4629 | vdb-entry, x_refsource_REDHAT | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2276761 | issue-tracking, x_refsource_REDHAT |
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ▼ |
Version: 24.0.3 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-4629", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-03T20:20:28.329028Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-03T20:20:42.938Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-11-14T16:59:26.284Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { url: "https://security.humanativaspa.it/an-analysis-of-the-keycloak-authentication-system/", }, { url: "https://github.com/hnsecurity/vulns/blob/main/HNS-2024-09-Keycloak.md", }, ], title: "CVE Program Container", x_generator: { engine: "ADPogram 0.0.1", }, }, ], cna: { affected: [ { collectionURL: "https://github.com/keycloak/keycloak", packageName: "keycloak", versions: [ { status: "affected", version: "24.0.3", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:build_keycloak:22", ], defaultStatus: "unaffected", packageName: "org.keycloak-keycloak-parent", product: "Red Hat Build of Keycloak", vendor: "Red Hat", }, { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:build_keycloak:22::el9", ], defaultStatus: "affected", packageName: "rhbk/keycloak-operator-bundle", product: "Red Hat build of Keycloak 22", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "22.0.12-1", versionType: "rpm", }, ], }, { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:build_keycloak:22::el9", ], defaultStatus: "affected", packageName: "rhbk/keycloak-rhel9", product: "Red Hat build of Keycloak 22", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "22-17", versionType: "rpm", }, ], }, { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:build_keycloak:22::el9", ], defaultStatus: "affected", packageName: "rhbk/keycloak-rhel9-operator", product: "Red Hat build of Keycloak 22", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "22-20", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:red_hat_single_sign_on:7.6", ], defaultStatus: "unaffected", packageName: "org.keycloak-keycloak-parent", product: "Red Hat Single Sign-On 7", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7", ], defaultStatus: "affected", packageName: "rh-sso7-keycloak", product: "Red Hat Single Sign-On 7.6 for RHEL 7", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:18.0.16-1.redhat_00001.1.el7sso", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8", ], defaultStatus: "affected", packageName: "rh-sso7-keycloak", product: "Red Hat Single Sign-On 7.6 for RHEL 8", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:18.0.16-1.redhat_00001.1.el8sso", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9", ], defaultStatus: "affected", packageName: "rh-sso7-keycloak", product: "Red Hat Single Sign-On 7.6 for RHEL 9", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:18.0.16-1.redhat_00001.1.el9sso", versionType: "rpm", }, ], }, { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:rhosemc:1.0::el8", ], defaultStatus: "affected", packageName: "rh-sso-7/sso76-openshift-rhel8", product: "RHEL-8 based Middleware Containers", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "7.6-52", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", cpes: [ "cpe:/a:redhat:jboss_enterprise_application_platform:8", ], defaultStatus: "affected", packageName: "org.keycloak-keycloak-parent", product: "Red Hat JBoss Enterprise Application Platform 8", vendor: "Red Hat", }, ], datePublic: "2024-09-03T19:38:00.000Z", descriptions: [ { lang: "en", value: "A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems.", }, ], metrics: [ { other: { content: { namespace: "https://access.redhat.com/security/updates/classification/", value: "Low", }, type: "Red Hat severity rating", }, }, { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, format: "CVSS", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-837", description: "Improper Enforcement of a Single, Unique Action", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-01-28T09:33:25.316Z", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "RHSA-2024:6493", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2024:6493", }, { name: "RHSA-2024:6494", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2024:6494", }, { name: "RHSA-2024:6495", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2024:6495", }, { name: "RHSA-2024:6497", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2024:6497", }, { name: "RHSA-2024:6499", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2024:6499", }, { name: "RHSA-2024:6500", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2024:6500", }, { name: "RHSA-2024:6501", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2024:6501", }, { tags: [ "vdb-entry", "x_refsource_REDHAT", ], url: "https://access.redhat.com/security/cve/CVE-2024-4629", }, { name: "RHBZ#2276761", tags: [ "issue-tracking", "x_refsource_REDHAT", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2276761", }, ], timeline: [ { lang: "en", time: "2024-04-23T00:00:00+00:00", value: "Reported to Red Hat.", }, { lang: "en", time: "2024-09-03T19:38:00+00:00", value: "Made public.", }, ], title: "Keycloak: potential bypass of brute force protection", workarounds: [ { lang: "en", value: "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", }, ], x_redhatCweChain: "CWE-837: Improper Enforcement of a Single, Unique Action", }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2024-4629", datePublished: "2024-09-03T19:42:01.318Z", dateReserved: "2024-05-07T20:47:03.184Z", dateUpdated: "2025-01-28T09:33:25.316Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2022-3916 (GCVE-0-2022-3916)
Vulnerability from cvelistv5
Published
2023-09-20 14:28
Modified
2024-08-03 01:20
Severity ?
EPSS score ?
Summary
A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user.
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ▼ | Red Hat | Red Hat Single Sign-On 7 |
cpe:/a:redhat:red_hat_single_sign_on:7.6 |
||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2022-3916", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-07-13T20:08:01.880629Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-07-13T20:08:13.820Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-03T01:20:58.791Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "RHSA-2022:8961", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2022:8961", }, { name: "RHSA-2022:8962", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2022:8962", }, { name: "RHSA-2022:8963", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2022:8963", }, { name: "RHSA-2022:8964", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2022:8964", }, { name: "RHSA-2022:8965", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2022:8965", }, { name: "RHSA-2023:1043", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2023:1043", }, { name: "RHSA-2023:1044", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2023:1044", }, { name: "RHSA-2023:1045", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2023:1045", }, { name: "RHSA-2023:1047", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2023:1047", }, { name: "RHSA-2023:1049", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2023:1049", }, { tags: [ "vdb-entry", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/security/cve/CVE-2022-3916", }, { name: "RHBZ#2141404", tags: [ "issue-tracking", "x_refsource_REDHAT", "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2141404", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:red_hat_single_sign_on:7.6", ], defaultStatus: "unaffected", packageName: "keycloak", product: "Red Hat Single Sign-On 7", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", cpes: [ "cpe:/a:redhat:red_hat_single_sign_on:7.6.1", ], defaultStatus: "unaffected", packageName: "keycloak", product: "Red Hat Single Sign-On 7.6.1", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7", ], defaultStatus: "affected", packageName: "rh-sso7-keycloak", product: "Red Hat Single Sign-On 7.6 for RHEL 7", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:18.0.3-1.redhat_00002.1.el7sso", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7", ], defaultStatus: "affected", packageName: "rh-sso7-keycloak", product: "Red Hat Single Sign-On 7.6 for RHEL 7", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:18.0.6-1.redhat_00001.1.el7sso", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8", ], defaultStatus: "affected", packageName: "rh-sso7-keycloak", product: "Red Hat Single Sign-On 7.6 for RHEL 8", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:18.0.3-1.redhat_00002.1.el8sso", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8", ], defaultStatus: "affected", packageName: "rh-sso7-keycloak", product: "Red Hat Single Sign-On 7.6 for RHEL 8", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:18.0.6-1.redhat_00001.1.el8sso", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9", ], defaultStatus: "affected", packageName: "rh-sso7-keycloak", product: "Red Hat Single Sign-On 7.6 for RHEL 9", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:18.0.3-1.redhat_00002.1.el9sso", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9", ], defaultStatus: "affected", packageName: "rh-sso7-keycloak", product: "Red Hat Single Sign-On 7.6 for RHEL 9", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:18.0.6-1.redhat_00001.1.el9sso", versionType: "rpm", }, ], }, { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:rhosemc:1.0::el8", ], defaultStatus: "affected", packageName: "rh-sso-7/sso76-openshift-rhel8", product: "RHEL-8 based Middleware Containers", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "7.6-15", versionType: "rpm", }, ], }, { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:rhosemc:1.0::el8", ], defaultStatus: "affected", packageName: "rh-sso-7/sso76-openshift-rhel8", product: "RHEL-8 based Middleware Containers", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "7.6-20", versionType: "rpm", }, ], }, ], credits: [ { lang: "en", value: "Red Hat would like to thank Peter Flintholm (Trifork) for reporting this issue.", }, ], datePublic: "2022-11-09T00:00:00+00:00", descriptions: [ { lang: "en", value: "A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user.", }, ], metrics: [ { other: { content: { namespace: "https://access.redhat.com/security/updates/classification/", value: "Moderate", }, type: "Red Hat severity rating", }, }, { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.8, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", version: "3.1", }, format: "CVSS", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-384", description: "Session Fixation", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-05-03T15:32:25.617Z", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "RHSA-2022:8961", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2022:8961", }, { name: "RHSA-2022:8962", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2022:8962", }, { name: "RHSA-2022:8963", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2022:8963", }, { name: "RHSA-2022:8964", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2022:8964", }, { name: "RHSA-2022:8965", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2022:8965", }, { name: "RHSA-2023:1043", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:1043", }, { name: "RHSA-2023:1044", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:1044", }, { name: "RHSA-2023:1045", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:1045", }, { name: "RHSA-2023:1047", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:1047", }, { name: "RHSA-2023:1049", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:1049", }, { tags: [ "vdb-entry", "x_refsource_REDHAT", ], url: "https://access.redhat.com/security/cve/CVE-2022-3916", }, { name: "RHBZ#2141404", tags: [ "issue-tracking", "x_refsource_REDHAT", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2141404", }, ], timeline: [ { lang: "en", time: "2022-11-09T00:00:00+00:00", value: "Reported to Red Hat.", }, { lang: "en", time: "2022-11-09T00:00:00+00:00", value: "Made public.", }, ], title: "Keycloak: session takeover with oidc offline refreshtokens", x_redhatCweChain: "CWE-384: Session Fixation", }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2022-3916", datePublished: "2023-09-20T14:28:52.089Z", dateReserved: "2022-11-09T16:12:41.804Z", dateUpdated: "2024-08-03T01:20:58.791Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2023-3089 (GCVE-0-2023-3089)
Vulnerability from cvelistv5
Published
2023-07-05 12:21
Modified
2024-10-24 19:13
Severity ?
EPSS score ?
Summary
A compliance problem was found in the Red Hat OpenShift Container Platform. Red Hat discovered that, when FIPS mode was enabled, not all of the cryptographic modules in use were FIPS-validated.
References
| ▼ | URL | Tags |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2023-3089 | vdb-entry, x_refsource_REDHAT | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2212085 | issue-tracking, x_refsource_REDHAT |
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T06:41:04.166Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "vdb-entry", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/security/cve/CVE-2023-3089", }, { name: "RHBZ#2212085", tags: [ "issue-tracking", "x_refsource_REDHAT", "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2212085", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-3089", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-10-24T19:12:21.482201Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-24T19:13:59.907Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "openshift", vendor: "n/a", versions: [ { status: "unaffected", version: "4.12.0", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:serverless:1", ], defaultStatus: "affected", packageName: "(as-yet-unknown)", product: "OpenShift Serverless", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:service_mesh:2.2", ], defaultStatus: "affected", packageName: "(as-yet-unknown)", product: "OpenShift Service Mesh 2.2.x", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:service_mesh:2.3", ], defaultStatus: "affected", packageName: "(as-yet-unknown)", product: "OpenShift Service Mesh 2.3.x", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:service_mesh:2.4", ], defaultStatus: "affected", packageName: "(as-yet-unknown)", product: "OpenShift Service Mesh 2.4", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:acm:2", ], defaultStatus: "affected", packageName: "(as-yet-unknown)", product: "Red Hat Advanced Cluster Management for Kubernetes 2", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", cpes: [ "cpe:/a:redhat:amq_streams:1", ], defaultStatus: "affected", packageName: "(as-yet-unknown)", product: "Red Hat JBoss A-MQ Streams", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openshift:3.11", ], defaultStatus: "unaffected", packageName: "openshift", product: "Red Hat OpenShift Container Platform 3.11", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openshift:4", ], defaultStatus: "affected", packageName: "openshift", product: "Red Hat OpenShift Container Platform 4", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openshift:4", ], defaultStatus: "affected", packageName: "openshift-ansible", product: "Red Hat OpenShift Container Platform 4", vendor: "Red Hat", }, { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:openshift:4", ], defaultStatus: "affected", packageName: "openshift-golang-builder-container", product: "Red Hat OpenShift Container Platform 4", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openshift_data_foundation:4", ], defaultStatus: "affected", packageName: "(as-yet-unknown)", product: "Red Hat Openshift Data Foundation 4", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openshift_sandboxed_containers:1", ], defaultStatus: "affected", packageName: "(as-yet-unknown)", product: "Red Hat Openshift sandboxed containers", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:container_native_virtualization:4", ], defaultStatus: "affected", packageName: "(as-yet-unknown)", product: "Red Hat OpenShift Virtualization 4", vendor: "Red Hat", }, ], credits: [ { lang: "en", value: "This issue was discovered by David Benoit (Red Hat).", }, ], datePublic: "2023-07-05T12:00:00Z", descriptions: [ { lang: "en", value: "A compliance problem was found in the Red Hat OpenShift Container Platform. Red Hat discovered that, when FIPS mode was enabled, not all of the cryptographic modules in use were FIPS-validated.", }, ], metrics: [ { other: { content: { namespace: "https://access.redhat.com/security/updates/classification/", value: "Moderate", }, type: "Red Hat severity rating", }, }, { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 7, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L", version: "3.1", }, format: "CVSS", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-693", description: "Protection Mechanism Failure", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-07-05T12:21:03.036Z", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { tags: [ "vdb-entry", "x_refsource_REDHAT", ], url: "https://access.redhat.com/security/cve/CVE-2023-3089", }, { name: "RHBZ#2212085", tags: [ "issue-tracking", "x_refsource_REDHAT", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2212085", }, ], timeline: [ { lang: "en", time: "2023-06-03T00:00:00Z", value: "Reported to Red Hat.", }, { lang: "en", time: "2023-07-05T12:00:00Z", value: "Made public.", }, ], title: "Ocp & fips mode", workarounds: [ { lang: "en", value: "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected packages as soon as possible.", }, ], x_redhatCweChain: "CWE-166->CWE-693: Improper Handling of Missing Special Element leads to Protection Mechanism Failure", }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2023-3089", datePublished: "2023-07-05T12:21:03.036Z", dateReserved: "2023-06-03T17:29:23.874Z", dateUpdated: "2024-10-24T19:13:59.907Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
CVE-2023-6134 (GCVE-0-2023-6134)
Vulnerability from cvelistv5
Published
2023-12-14 21:42
Modified
2024-11-23 03:37
Severity ?
EPSS score ?
Summary
A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted request leading to cross-site scripting (XSS) or further attacks. This flaw is the result of an incomplete fix for CVE-2020-10748.
References
| ▼ | URL | Tags |
|---|---|---|
| https://access.redhat.com/errata/RHSA-2023:7854 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2023:7855 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2023:7856 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2023:7857 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2023:7858 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2023:7860 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2023:7861 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2024:0798 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2024:0799 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2024:0800 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2024:0801 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2024:0804 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/security/cve/CVE-2023-6134 | vdb-entry, x_refsource_REDHAT | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2249673 | issue-tracking, x_refsource_REDHAT |
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ▼ | Red Hat | Red Hat build of Keycloak 22 |
Unaffected: 22.0.7-1 < * cpe:/a:redhat:build_keycloak:22::el9 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T08:21:17.735Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "RHSA-2023:7854", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2023:7854", }, { name: "RHSA-2023:7855", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2023:7855", }, { name: "RHSA-2023:7856", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2023:7856", }, { name: "RHSA-2023:7857", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2023:7857", }, { name: "RHSA-2023:7858", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2023:7858", }, { name: "RHSA-2023:7860", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2023:7860", }, { name: "RHSA-2023:7861", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2023:7861", }, { name: "RHSA-2024:0798", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2024:0798", }, { name: "RHSA-2024:0799", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2024:0799", }, { name: "RHSA-2024:0800", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2024:0800", }, { name: "RHSA-2024:0801", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2024:0801", }, { name: "RHSA-2024:0804", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2024:0804", }, { tags: [ "vdb-entry", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/security/cve/CVE-2023-6134", }, { name: "RHBZ#2249673", tags: [ "issue-tracking", "x_refsource_REDHAT", "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2249673", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:build_keycloak:22::el9", ], defaultStatus: "affected", packageName: "rhbk/keycloak-operator-bundle", product: "Red Hat build of Keycloak 22", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "22.0.7-1", versionType: "rpm", }, ], }, { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:build_keycloak:22::el9", ], defaultStatus: "affected", packageName: "rhbk/keycloak-rhel9", product: "Red Hat build of Keycloak 22", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "22-6", versionType: "rpm", }, ], }, { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:build_keycloak:22::el9", ], defaultStatus: "affected", packageName: "rhbk/keycloak-rhel9-operator", product: "Red Hat build of Keycloak 22", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "22-9", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", cpes: [ "cpe:/a:redhat:build_keycloak:22", ], defaultStatus: "unaffected", packageName: "keycloak-core", product: "Red Hat build of Keycloak 22.0.7", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:red_hat_single_sign_on:7.6", ], defaultStatus: "unaffected", packageName: "keycloak-core", product: "Red Hat Single Sign-On 7", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7", ], defaultStatus: "affected", packageName: "rh-sso7-keycloak", product: "Red Hat Single Sign-On 7.6 for RHEL 7", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:18.0.11-2.redhat_00003.1.el7sso", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7", ], defaultStatus: "affected", packageName: "rh-sso7-keycloak", product: "Red Hat Single Sign-On 7.6 for RHEL 7", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:18.0.12-1.redhat_00001.1.el7sso", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8", ], defaultStatus: "affected", packageName: "rh-sso7-keycloak", product: "Red Hat Single Sign-On 7.6 for RHEL 8", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:18.0.11-2.redhat_00003.1.el8sso", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8", ], defaultStatus: "affected", packageName: "rh-sso7-keycloak", product: "Red Hat Single Sign-On 7.6 for RHEL 8", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:18.0.12-1.redhat_00001.1.el8sso", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9", ], defaultStatus: "affected", packageName: "rh-sso7-keycloak", product: "Red Hat Single Sign-On 7.6 for RHEL 9", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:18.0.11-2.redhat_00003.1.el9sso", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9", ], defaultStatus: "affected", packageName: "rh-sso7-keycloak", product: "Red Hat Single Sign-On 7.6 for RHEL 9", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:18.0.12-1.redhat_00001.1.el9sso", versionType: "rpm", }, ], }, { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:rhosemc:1.0::el8", ], defaultStatus: "affected", packageName: "rh-sso-7/sso76-openshift-rhel8", product: "RHEL-8 based Middleware Containers", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "7.6-38", versionType: "rpm", }, ], }, { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:rhosemc:1.0::el8", ], defaultStatus: "affected", packageName: "rh-sso-7/sso7-rhel8-operator-bundle", product: "RHEL-8 based Middleware Containers", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "7.6.6-2", versionType: "rpm", }, ], }, { collectionURL: "https://catalog.redhat.com/software/containers/", cpes: [ "cpe:/a:redhat:rhosemc:1.0::el8", ], defaultStatus: "affected", packageName: "rh-sso-7/sso76-openshift-rhel8", product: "RHEL-8 based Middleware Containers", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "7.6-41", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", cpes: [ "cpe:/a:redhat:red_hat_single_sign_on:7.6.6", ], defaultStatus: "unaffected", packageName: "keycloak-core", product: "Single Sign-On 7.6.6", vendor: "Red Hat", }, ], credits: [ { lang: "en", value: "Red Hat would like to thank Lauritz Holtmann (https://security.lauritz-holtmann.de/) for reporting this issue.", }, ], datePublic: "2023-11-14T00:00:00+00:00", descriptions: [ { lang: "en", value: "A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted request leading to cross-site scripting (XSS) or further attacks. This flaw is the result of an incomplete fix for CVE-2020-10748.", }, ], metrics: [ { other: { content: { namespace: "https://access.redhat.com/security/updates/classification/", value: "Moderate", }, type: "Red Hat severity rating", }, }, { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.6, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", version: "3.1", }, format: "CVSS", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-79", description: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-11-23T03:37:59.109Z", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "RHSA-2023:7854", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:7854", }, { name: "RHSA-2023:7855", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:7855", }, { name: "RHSA-2023:7856", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:7856", }, { name: "RHSA-2023:7857", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:7857", }, { name: "RHSA-2023:7858", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:7858", }, { name: "RHSA-2023:7860", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:7860", }, { name: "RHSA-2023:7861", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2023:7861", }, { name: "RHSA-2024:0798", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2024:0798", }, { name: "RHSA-2024:0799", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2024:0799", }, { name: "RHSA-2024:0800", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2024:0800", }, { name: "RHSA-2024:0801", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2024:0801", }, { name: "RHSA-2024:0804", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2024:0804", }, { tags: [ "vdb-entry", "x_refsource_REDHAT", ], url: "https://access.redhat.com/security/cve/CVE-2023-6134", }, { name: "RHBZ#2249673", tags: [ "issue-tracking", "x_refsource_REDHAT", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2249673", }, ], timeline: [ { lang: "en", time: "2023-11-07T00:00:00+00:00", value: "Reported to Red Hat.", }, { lang: "en", time: "2023-11-14T00:00:00+00:00", value: "Made public.", }, ], title: "Keycloak: reflected xss via wildcard in oidc redirect_uri", x_redhatCweChain: "CWE-74->CWE-79: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') leads to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2023-6134", datePublished: "2023-12-14T21:42:12.160Z", dateReserved: "2023-11-14T18:50:13.535Z", dateUpdated: "2024-11-23T03:37:59.109Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }