Skip to main content

Single Sign On

71 CVEs product

Monthly

CVE-2026-3009 Maven HIGH PATCH This Week

Keycloak's IdentityBrokerService.performLogin endpoint fails to enforce disabled Identity Provider restrictions, allowing attackers with knowledge of an IdP alias to reuse previous login requests and authenticate through administratively disabled external providers. This authentication bypass affects any Keycloak deployment relying on IdP disablement as an access control mechanism. An attacker can exploit this to gain unauthorized access by circumventing intended administrative restrictions on external authentication sources.

Authentication Bypass Build Of Keycloak Jboss Enterprise Application Platform Jboss Enterprise Application Platform Expansion Pack Single Sign On
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-12543 Maven CRITICAL PATCH Act Now

Undertow HTTP server (used in WildFly, JBoss EAP) fails to validate Host headers, enabling cache poisoning, internal network scanning, and session hijacking. Affects a widely-used Java application server component.

Java Information Disclosure Process Automation Jboss Enterprise Application Platform Expansion Pack Jboss Enterprise Application Platform +5
NVD VulDB
CVSS 3.1
9.6
EPSS
0.1%
CVE-2025-9784 Maven HIGH PATCH GHSA This Week

Undertow, a Java web server used across Red Hat's JBoss Enterprise Application Platform, Fuse, and other middleware products, contains a vulnerability that allows attackers to trigger server-side HTTP/2 stream resets without incrementing abuse counters. This 'MadeYouReset' attack enables remote unauthenticated attackers to cause denial of service by repeatedly forcing the server to abort streams and perform unnecessary cleanup work. With an EPSS score of 1.17% (78th percentile), exploitation probability is moderate but rising, and patches have been released across multiple Red Hat product lines as of early 2025.

Denial Of Service Jboss Enterprise Application Platform Expansion Pack Jboss Enterprise Application Platform Fuse Single Sign On +4
NVD GitHub
CVSS 3.1
7.5
EPSS
1.2%
CVE-2024-8883 Maven MEDIUM POC PATCH This Month

A misconfiguration flaw was found in Keycloak. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect Build Of Keycloak Openshift Container Platform Openshift Container Platform For Ibm Z Openshift Container Platform For Linuxone +2
NVD GitHub
CVSS 3.1
6.1
EPSS
2.0%
CVE-2024-7341 Maven HIGH PATCH This Month

A session fixation issue was discovered in the SAML adapters provided by Keycloak. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.

Session Fixation Information Disclosure Keycloak Single Sign On Build Of Keycloak
NVD GitHub
CVSS 3.1
7.1
EPSS
1.7%
CVE-2024-4629 Maven MEDIUM PATCH This Month

A vulnerability was found in Keycloak. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Keycloak Build Of Keycloak Single Sign On Openshift Container Platform +3
NVD GitHub
CVSS 3.1
6.5
EPSS
0.8%
CVE-2024-7885 Maven HIGH PATCH This Week

A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Race Condition Information Disclosure Build Of Apache Camel Hawtio Build Of Apache Camel For Spring Boot Build Of Keycloak +6
NVD
CVSS 3.1
7.5
EPSS
2.6%
CVE-2024-1132 Maven HIGH PATCH This Week

A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Build Of Keycloak Jboss Middleware Text Only Advisories Keycloak Migration Toolkit For Applications +6
NVD
CVSS 3.1
8.1
EPSS
1.6%
CVE-2024-1635 Maven HIGH PATCH This Week

A vulnerability was found in Undertow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Active Iq Unified Manager Oncommand Workflow Automation Fuse Integration Camel For Spring Boot +5
NVD
CVSS 3.1
7.5
EPSS
4.6%
CVE-2023-2585 Maven HIGH PATCH This Week

Keycloak's device authorization grant does not correctly validate the device code and client ID. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Single Sign On Openshift Container Platform Openshift Container Platform For Ibm Z Openshift Container Platform For Linuxone +1
NVD
CVSS 3.1
8.1
EPSS
0.7%
CVE-2023-6927 Maven MEDIUM PATCH This Month

A flaw was found in Keycloak. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect Keycloak Single Sign On
NVD
CVSS 3.1
6.1
EPSS
1.1%
CVE-2023-48795 LIB MEDIUM POC PATCH THREAT This Month

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and EPSS exploitation probability 53.6%.

Authentication Bypass Apache Node.js SSH Java +66
NVD GitHub
CVSS 3.1
5.9
EPSS
53.6%
Threat
4.3
CVE-2023-6134 Maven MEDIUM POC PATCH This Month

A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Single Sign On Keycloak Openshift Container Platform Openshift Container Platform For Power +1
NVD
CVSS 3.1
5.4
EPSS
0.9%
CVE-2023-6563 Maven HIGH POC PATCH This Week

An unconstrained memory consumption vulnerability was discovered in Keycloak. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Keycloak Single Sign On Openshift Container Platform Openshift Container Platform For Power +1
NVD GitHub
CVSS 3.1
7.7
EPSS
1.2%
CVE-2023-5379 HIGH This Week

A flaw was found in Undertow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Jboss Enterprise Application Platform Single Sign On Undertow
NVD
CVSS 3.1
7.5
EPSS
1.0%
CVE-2023-2422 Maven HIGH PATCH This Week

A flaw was found in Keycloak. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Keycloak Openshift Container Platform Single Sign On
NVD
CVSS 3.1
7.1
EPSS
0.5%
CVE-2023-3223 Maven HIGH PATCH This Week

A flaw was found in undertow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Undertow Openshift Container Platform Openshift Container Platform For Ibm Linuxone Openshift Container Platform For Power +3
NVD
CVSS 3.1
7.5
EPSS
2.0%
CVE-2023-1108 Maven HIGH PATCH This Week

A flaw was found in undertow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Build Of Quarkus Decision Manager Fuse Integration Camel K +12
NVD GitHub
CVSS 3.1
7.5
EPSS
1.8%
CVE-2023-0264 Maven MEDIUM PATCH This Month

A flaw was found in Keycloaks OpenID Connect user authentication, which may incorrectly authenticate requests. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable. No vendor patch available.

Authentication Bypass Keycloak Single Sign On Openshift Container Platform Openshift Container Platform For Ibm Linuxone +1
NVD
CVSS 3.1
5.0
EPSS
1.3%
CVE-2023-1664 Maven MEDIUM PATCH This Month

A flaw was found in Keycloak. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Build Of Quarkus Jboss A Mq Keycloak Migration Toolkit For Runtimes +1
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2022-1278 Maven HIGH PATCH This Week

A flaw was found in WildFly, where an attacker can see deployment names, endpoints, and any other data the trace payload may contain. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Wildfly Amq Amq Online Integration Camel K +4
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2022-2764 MEDIUM This Month

A flaw was found in Undertow. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Integration Camel K Jboss Enterprise Application Platform Jboss Fuse Single Sign On +5
NVD
CVSS 3.1
4.9
EPSS
0.8%
CVE-2022-2256 Maven LOW PATCH Monitor

A Stored Cross-site scripting (XSS) vulnerability was found in keycloak as shipped in Red Hat Single Sign-On 7. Rated low severity (CVSS 3.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Red Hat XSS Single Sign On
NVD GitHub
CVSS 3.1
3.8
EPSS
0.6%
CVE-2022-1319 HIGH PATCH This Week

A flaw was found in Undertow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Openshift Application Runtimes Single Sign On Undertow Active Iq Unified Manager +3
NVD GitHub
CVSS 3.1
7.5
EPSS
1.3%
CVE-2022-1259 HIGH This Week

A flaw was found in Undertow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Build Of Quarkus Integration Camel K Jboss Enterprise Application Platform Openshift Application Runtimes +6
NVD
CVSS 3.1
7.5
EPSS
1.1%
CVE-2022-0225 Maven MEDIUM POC This Month

A flaw was found in Keycloak. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Keycloak Single Sign On
NVD GitHub
CVSS 3.1
5.4
EPSS
2.7%
CVE-2022-0084 Maven HIGH PATCH This Week

A flaw was found in XNIO, specifically in the notifyReadClosed method. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Denial Of Service Integration Camel K Integration Camel Quarkus Single Sign On Xnio
NVD GitHub
CVSS 3.1
7.5
EPSS
1.2%
CVE-2022-2668 Maven HIGH PATCH This Week

An issue was discovered in Keycloak that allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Keycloak Single Sign On
NVD
CVSS 3.1
7.2
EPSS
0.9%
CVE-2022-1466 Maven MEDIUM POC PATCH This Month

Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Red Hat Keycloak Single Sign On
NVD
CVSS 3.1
6.5
EPSS
1.1%
CVE-2022-0853 HIGH POC This Week

A flaw was found in JBoss-client. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Descision Manager Jboss Enterprise Application Platform Jboss Enterprise Application Platform Expansion Pack Process Automation +1
NVD GitHub
CVSS 3.1
7.5
EPSS
1.4%
CVE-2021-4104 Maven HIGH Act Now

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. Epss exploitation probability 72.2% and no vendor patch available.

RCE Deserialization Apache Log4J Fedora +44
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
72.2%
CVE-2021-3637 Maven HIGH PATCH This Week

A flaw was found in keycloak-model-infinispan in keycloak versions before 14.0.0 where authenticationSessions map in RootAuthenticationSessionEntity grows boundlessly which could lead to a DoS attack. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Keycloak Single Sign On
NVD
CVSS 3.1
7.5
EPSS
1.1%
CVE-2021-3424 Maven MEDIUM PATCH This Month

A flaw was found in keycloak as shipped in Red Hat Single Sign-On 7.4 where IDN homograph attacks are possible. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Red Hat Authentication Bypass Single Sign On
NVD
CVSS 3.1
5.3
EPSS
0.8%
CVE-2021-20262 Maven MEDIUM This Month

A flaw was found in Keycloak 12.0.0 where re-authentication does not occur while updating the password. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Keycloak Single Sign On
NVD
CVSS 3.1
6.8
EPSS
0.3%
CVE-2020-25689 Maven MEDIUM POC PATCH This Month

A memory leak flaw was found in WildFly in all versions up to 21.0.0.Final, where host-controller tries to reconnect in a loop, generating new connections which are not properly closed while not able. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Wildfly Fuse Jboss Data Grid Jboss Enterprise Application Platform +6
NVD
CVSS 3.1
6.5
EPSS
1.5%
CVE-2020-14299 MEDIUM This Month

A flaw was found in JBoss EAP, where the authentication configuration is set-up using a legacy SecurityRealm, to delegate to a legacy PicketBox SecurityDomain, and then reloaded to admin-only mode. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jboss Enterprise Application Platform Openshift Application Runtimes Single Sign On
NVD
CVSS 3.1
6.5
EPSS
1.4%
CVE-2020-25644 Maven HIGH PATCH This Week

A memory leak flaw was found in WildFly OpenSSL in versions prior to 1.1.3.Final, where it removes an HTTP session. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

OpenSSL Denial Of Service Wildfly Openssl Data Grid Jboss Data Grid +7
NVD GitHub
CVSS 3.1
7.5
EPSS
2.2%
CVE-2020-10687 Maven MEDIUM PATCH This Month

A flaw was discovered in all versions of Undertow before Undertow 2.2.0.Final, where HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

XSS Request Smuggling Undertow Jboss Enterprise Application Platform Single Sign On
NVD
CVSS 3.1
4.8
EPSS
1.1%
CVE-2020-10748 Maven MEDIUM PATCH This Month

A flaw was found in Keycloak's data filter, in version 10.0.1, where it allowed the processing of data URLs in some circumstances. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Keycloak Single Sign On
NVD
CVSS 3.1
6.1
EPSS
0.9%
CVE-2020-10758 Maven HIGH PATCH This Week

A vulnerability was found in Keycloak before 11.0.1 where DoS attack is possible by sending twenty requests simultaneously to the specified keycloak server, all with a Content-Length header value. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Denial Of Service Keycloak Openshift Application Runtimes Single Sign On
NVD GitHub
CVSS 3.1
7.5
EPSS
2.2%
CVE-2020-1710 MEDIUM This Month

The issue appears to be that JBoss EAP 6.4.21 does not parse the field-name in accordance to RFC7230[1] as it returns a 200 instead of a 400. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Jboss Data Grid Jboss Enterprise Application Platform Openshift Application Runtimes Single Sign On
NVD
CVSS 3.1
5.3
EPSS
1.2%
CVE-2020-14307 MEDIUM This Month

A vulnerability was found in Wildfly's Enterprise Java Beans (EJB) versions shipped with Red Hat JBoss EAP 7, where SessionOpenInvocations are never removed from the remote InvocationTracker after a. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Denial Of Service Red Hat Amq Jboss Enterprise Application Platform Continuous Delivery +3
NVD
CVSS 3.1
6.5
EPSS
1.2%
CVE-2020-14297 Maven MEDIUM PATCH This Month

A flaw was discovered in Wildfly's EJB Client as shipped with Red Hat JBoss EAP 7, where some specific EJB transaction objects may get accumulated over the time and can cause services to slow down. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Red Hat Amq Jboss Ejb Client Jboss Enterprise Application Platform Continuous Delivery +3
NVD
CVSS 3.1
6.5
EPSS
1.2%
CVE-2020-10719 Maven MEDIUM PATCH This Month

A flaw was found in Undertow in versions before 2.1.1.Final, regarding the processing of invalid HTTP requests with large chunk sizes. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Request Smuggling Information Disclosure Undertow Oncommand Insight Fuse +5
NVD
CVSS 3.1
6.5
EPSS
1.0%
CVE-2020-1714 Maven HIGH PATCH This Week

A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Java RCE Keycloak Decision Manager Jboss Fuse +4
NVD GitHub
CVSS 3.1
8.8
EPSS
2.6%
CVE-2020-1724 Maven MEDIUM PATCH This Month

A flaw was found in Keycloak in versions before 9.0.2. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Keycloak Openshift Application Runtimes Single Sign On
NVD
CVSS 3.1
4.3
EPSS
0.8%
CVE-2020-1757 Maven HIGH PATCH This Week

A flaw was found in all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1, all undertow-1.x.x and undertow-2.x.x versions prior to undertow-2.1.0.Final, where the Servlet container causes. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Undertow Jboss Data Grid Jboss Enterprise Application Platform Jboss Fuse +2
NVD
CVSS 3.1
8.1
EPSS
1.6%
CVE-2020-1697 Maven MEDIUM PATCH This Month

It was found in all keycloak versions before 9.0.0 that links to external applications (Application Links) in the admin console are not validated properly and could allow Stored XSS attacks. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Keycloak Single Sign On
NVD
CVSS 3.1
5.4
EPSS
0.8%
CVE-2019-10174 Maven HIGH PATCH This Week

A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Infinispan Fuse Jboss Data Grid Jboss Enterprise Application Platform +3
NVD
CVSS 3.1
8.8
EPSS
3.1%
CVE-2019-10219 Maven MEDIUM POC PATCH This Month

A vulnerability was found in Hibernate-Validator. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Hibernate Validator Fuse Jboss Data Grid Jboss Enterprise Application Platform +184
NVD GitHub
CVSS 3.1
6.1
EPSS
2.2%
CVE-2019-14838 Maven MEDIUM PATCH This Month

A flaw was found in wildfly-core before 7.2.5.GA. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Wildfly Core Jboss Enterprise Application Platform Single Sign On Data Grid
NVD
CVSS 3.1
4.9
EPSS
1.1%
CVE-2019-10212 Maven CRITICAL PATCH Act Now

A flaw was found in, all under 2.0.20, in the Undertow DEBUG log for io.undertow.request.security. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Undertow Jboss Data Grid Jboss Enterprise Application Platform Jboss Fuse +3
NVD
CVSS 3.1
9.8
EPSS
1.9%
CVE-2019-10201 Maven HIGH PATCH This Week

It was found that Keycloak's SAML broker, versions up to 6.0.1, did not verify missing message signatures. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Keycloak Single Sign On
NVD
CVSS 3.1
8.1
EPSS
0.7%
CVE-2019-9515 HIGH This Week

Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Swiftnio Traffic Server Ubuntu Linux Debian Linux +18
NVD GitHub
CVSS 3.1
7.5
EPSS
87.8%
CVE-2019-9514 Go HIGH PATCH This Week

Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Swiftnio Traffic Server Debian Linux Ubuntu Linux +24
NVD GitHub
CVSS 3.1
7.5
EPSS
82.8%
CVE-2019-3800 HIGH This Week

CF CLI version prior to v6.45.0 (bosh release version 1.16.0) writes the client id and secret to its config file when the user authenticates with --client-credentials flag. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Cloud Foundry Command Line Interface Cloud Foundry Command Line Interface Release Cloud Foundry Deployment Cloud Foundry Deployment Concourse Tasks +42
NVD
CVSS 3.0
7.8
EPSS
2.1%
CVE-2019-14379 Maven CRITICAL PATCH Act Now

SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup),. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) vulnerability could allow attackers to modify object prototypes to inject properties affecting application logic.

Java Prototype Pollution RCE Jackson Databind Debian Linux +22
NVD GitHub
CVSS 3.1
9.8
EPSS
8.0%
CVE-2019-10184 Maven HIGH PATCH This Week

undertow before version 2.0.23.Final is vulnerable to an information leak issue. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Authentication Bypass Undertow Jboss Data Grid Jboss Enterprise Application Platform Openshift Application Runtimes +2
NVD GitHub
CVSS 3.1
7.5
EPSS
3.5%
CVE-2019-3875 Maven MEDIUM PATCH This Month

A vulnerability was found in keycloak before 6.0.2. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Keycloak Single Sign On
NVD
CVSS 3.0
4.8
EPSS
0.3%
CVE-2019-3873 CRITICAL Act Now

It was found that Picketlink as shipped with Jboss Enterprise Application Platform 7.2 would accept an xinclude parameter in SAMLresponse XML. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Jboss Enterprise Application Platform Single Sign On
NVD
CVSS 3.0
9.0
EPSS
0.9%
CVE-2019-3872 MEDIUM This Month

It was found that a SAMLRequest containing a script could be processed by Picketlink versions shipped in Jboss Application Platform 7.2.x and 7.1.x. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Jboss Enterprise Application Platform Single Sign On
NVD
CVSS 3.0
5.4
EPSS
0.7%
CVE-2019-10157 npm MEDIUM PATCH This Month

It was found that Keycloak's Node.js adapter before version 4.8.3 did not properly verify the web token received from the server in its backchannel logout . Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Node.js Information Disclosure Keycloak Single Sign On
NVD
CVSS 3.0
5.5
EPSS
0.2%
CVE-2018-14657 Maven HIGH PATCH This Week

A flaw was found in Keycloak 4.2.1.Final, 4.3.0.Final. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Keycloak Single Sign On
NVD
CVSS 3.1
8.1
EPSS
1.2%
CVE-2018-14655 Maven MEDIUM This Month

A flaw was found in Keycloak 3.4.3.Final, 4.0.0.Beta2, 4.3.0.Final. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Keycloak Single Sign On
NVD
CVSS 3.0
5.4
EPSS
1.2%
CVE-2018-10894 Maven MEDIUM PATCH This Month

It was found that SAML authentication in Keycloak 3.4.3.Final incorrectly authenticated expired certificates. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Keycloak Single Sign On
NVD
CVSS 3.0
5.4
EPSS
0.4%
CVE-2018-10912 Maven MEDIUM PATCH This Month

keycloak before version 4.0.0.final is vulnerable to a infinite loop in session replacement. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Keycloak Single Sign On
NVD
CVSS 3.1
4.9
EPSS
1.3%
CVE-2017-12159 Maven HIGH PATCH This Week

It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

CSRF Information Disclosure Single Sign On Keycloak
NVD
CVSS 3.0
7.5
EPSS
0.6%
CVE-2017-12158 Maven MEDIUM PATCH This Month

It was found that Keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

XSS Request Smuggling Single Sign On Keycloak
NVD
CVSS 3.0
5.4
EPSS
0.7%
CVE-2015-6854 CRITICAL Act Now

The non-Domino web agents in CA Single Sign-On (aka SSO, formerly SiteMinder) R6, R12.0 before SP3 CR13, R12.0J before SP3 CR1.2, and R12.5 before CR5 allow remote attackers to cause a denial of. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Single Sign On
NVD
CVSS 3.0
9.1
EPSS
0.6%
CVE-2015-6853 CRITICAL Act Now

The Domino web agent in CA Single Sign-On (aka SSO, formerly SiteMinder) R6, R12.0 before SP3 CR13, R12.0J before SP3 CR1.2, R12.5 before CR5, R12.51 before CR4, and R12.52 before SP1 CR3 allows. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Single Sign On
NVD
CVSS 3.0
9.1
EPSS
0.8%
CVE-2015-2281 HIGH POC THREAT Act Now

Stack-based buffer overflow in collectoragent.exe in Fortinet Single Sign On (FSSO) before build 164 allows remote attackers to execute arbitrary code via a large PROCESS_HELLO message to the Message. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 31.6%.

RCE Buffer Overflow Fortinet Single Sign On
NVD Exploit-DB
CVSS 2.0
7.5
EPSS
31.6%
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Keycloak's IdentityBrokerService.performLogin endpoint fails to enforce disabled Identity Provider restrictions, allowing attackers with knowledge of an IdP alias to reuse previous login requests and authenticate through administratively disabled external providers. This authentication bypass affects any Keycloak deployment relying on IdP disablement as an access control mechanism. An attacker can exploit this to gain unauthorized access by circumventing intended administrative restrictions on external authentication sources.

Authentication Bypass Build Of Keycloak Jboss Enterprise Application Platform +2
NVD
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Undertow HTTP server (used in WildFly, JBoss EAP) fails to validate Host headers, enabling cache poisoning, internal network scanning, and session hijacking. Affects a widely-used Java application server component.

Java Information Disclosure Process Automation +7
NVD VulDB
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Undertow, a Java web server used across Red Hat's JBoss Enterprise Application Platform, Fuse, and other middleware products, contains a vulnerability that allows attackers to trigger server-side HTTP/2 stream resets without incrementing abuse counters. This 'MadeYouReset' attack enables remote unauthenticated attackers to cause denial of service by repeatedly forcing the server to abort streams and perform unnecessary cleanup work. With an EPSS score of 1.17% (78th percentile), exploitation probability is moderate but rising, and patches have been released across multiple Red Hat product lines as of early 2025.

Denial Of Service Jboss Enterprise Application Platform Expansion Pack Jboss Enterprise Application Platform +6
NVD GitHub
EPSS 2% CVSS 6.1
MEDIUM POC PATCH This Month

A misconfiguration flaw was found in Keycloak. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect Build Of Keycloak Openshift Container Platform +4
NVD GitHub
EPSS 2% CVSS 7.1
HIGH PATCH This Month

A session fixation issue was discovered in the SAML adapters provided by Keycloak. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.

Session Fixation Information Disclosure Keycloak +2
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

A vulnerability was found in Keycloak. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Keycloak Build Of Keycloak +5
NVD GitHub
EPSS 3% CVSS 7.5
HIGH PATCH This Week

A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Race Condition Information Disclosure Build Of Apache Camel Hawtio +8
NVD
EPSS 2% CVSS 8.1
HIGH PATCH This Week

A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Build Of Keycloak Jboss Middleware Text Only Advisories +8
NVD
EPSS 5% CVSS 7.5
HIGH PATCH This Week

A vulnerability was found in Undertow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Active Iq Unified Manager Oncommand Workflow Automation +7
NVD
EPSS 1% CVSS 8.1
HIGH PATCH This Week

Keycloak's device authorization grant does not correctly validate the device code and client ID. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Single Sign On Openshift Container Platform +3
NVD
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

A flaw was found in Keycloak. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect Keycloak Single Sign On
NVD
EPSS 54% 4.3 CVSS 5.9
MEDIUM POC PATCH THREAT This Month

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and EPSS exploitation probability 53.6%.

Authentication Bypass Apache Node.js +68
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC PATCH This Month

A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Single Sign On Keycloak +3
NVD
EPSS 1% CVSS 7.7
HIGH POC PATCH This Week

An unconstrained memory consumption vulnerability was discovered in Keycloak. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Keycloak Single Sign On +3
NVD GitHub
EPSS 1% CVSS 7.5
HIGH This Week

A flaw was found in Undertow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Jboss Enterprise Application Platform Single Sign On +1
NVD
EPSS 1% CVSS 7.1
HIGH PATCH This Week

A flaw was found in Keycloak. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Keycloak Openshift Container Platform +1
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

A flaw was found in undertow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Undertow Openshift Container Platform +5
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

A flaw was found in undertow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Build Of Quarkus Decision Manager +14
NVD GitHub
EPSS 1% CVSS 5.0
MEDIUM PATCH This Month

A flaw was found in Keycloaks OpenID Connect user authentication, which may incorrectly authenticate requests. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable. No vendor patch available.

Authentication Bypass Keycloak Single Sign On +3
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

A flaw was found in Keycloak. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Build Of Quarkus Jboss A Mq +3
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

A flaw was found in WildFly, where an attacker can see deployment names, endpoints, and any other data the trace payload may contain. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Wildfly Amq +6
NVD
EPSS 1% CVSS 4.9
MEDIUM This Month

A flaw was found in Undertow. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Integration Camel K Jboss Enterprise Application Platform +7
NVD
EPSS 1% CVSS 3.8
LOW PATCH Monitor

A Stored Cross-site scripting (XSS) vulnerability was found in keycloak as shipped in Red Hat Single Sign-On 7. Rated low severity (CVSS 3.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Red Hat XSS Single Sign On
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

A flaw was found in Undertow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Openshift Application Runtimes Single Sign On +5
NVD GitHub
EPSS 1% CVSS 7.5
HIGH This Week

A flaw was found in Undertow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Build Of Quarkus Integration Camel K +8
NVD
EPSS 3% CVSS 5.4
MEDIUM POC This Month

A flaw was found in Keycloak. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Keycloak Single Sign On
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

A flaw was found in XNIO, specifically in the notifyReadClosed method. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Denial Of Service Integration Camel K Integration Camel Quarkus +2
NVD GitHub
EPSS 1% CVSS 7.2
HIGH PATCH This Week

An issue was discovered in Keycloak that allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Keycloak Single Sign On
NVD
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Red Hat Keycloak +1
NVD
EPSS 1% CVSS 7.5
HIGH POC This Week

A flaw was found in JBoss-client. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Descision Manager Jboss Enterprise Application Platform +3
NVD GitHub
EPSS 72% CVSS 7.5
HIGH Act Now

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. Epss exploitation probability 72.2% and no vendor patch available.

RCE Deserialization Apache +46
NVD GitHub VulDB
EPSS 1% CVSS 7.5
HIGH PATCH This Week

A flaw was found in keycloak-model-infinispan in keycloak versions before 14.0.0 where authenticationSessions map in RootAuthenticationSessionEntity grows boundlessly which could lead to a DoS attack. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Keycloak Single Sign On
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

A flaw was found in keycloak as shipped in Red Hat Single Sign-On 7.4 where IDN homograph attacks are possible. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Red Hat Authentication Bypass Single Sign On
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

A flaw was found in Keycloak 12.0.0 where re-authentication does not occur while updating the password. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Keycloak Single Sign On
NVD
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

A memory leak flaw was found in WildFly in all versions up to 21.0.0.Final, where host-controller tries to reconnect in a loop, generating new connections which are not properly closed while not able. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Wildfly Fuse +8
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

A flaw was found in JBoss EAP, where the authentication configuration is set-up using a legacy SecurityRealm, to delegate to a legacy PicketBox SecurityDomain, and then reloaded to admin-only mode. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jboss Enterprise Application Platform Openshift Application Runtimes +1
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

A memory leak flaw was found in WildFly OpenSSL in versions prior to 1.1.3.Final, where it removes an HTTP session. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

OpenSSL Denial Of Service Wildfly Openssl +9
NVD GitHub
EPSS 1% CVSS 4.8
MEDIUM PATCH This Month

A flaw was discovered in all versions of Undertow before Undertow 2.2.0.Final, where HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

XSS Request Smuggling Undertow +2
NVD
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

A flaw was found in Keycloak's data filter, in version 10.0.1, where it allowed the processing of data URLs in some circumstances. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Keycloak Single Sign On
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

A vulnerability was found in Keycloak before 11.0.1 where DoS attack is possible by sending twenty requests simultaneously to the specified keycloak server, all with a Content-Length header value. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Denial Of Service Keycloak Openshift Application Runtimes +1
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM This Month

The issue appears to be that JBoss EAP 6.4.21 does not parse the field-name in accordance to RFC7230[1] as it returns a 200 instead of a 400. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Jboss Data Grid Jboss Enterprise Application Platform +2
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

A vulnerability was found in Wildfly's Enterprise Java Beans (EJB) versions shipped with Red Hat JBoss EAP 7, where SessionOpenInvocations are never removed from the remote InvocationTracker after a. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Denial Of Service Red Hat +5
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

A flaw was discovered in Wildfly's EJB Client as shipped with Red Hat JBoss EAP 7, where some specific EJB transaction objects may get accumulated over the time and can cause services to slow down. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Red Hat Amq +5
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

A flaw was found in Undertow in versions before 2.1.1.Final, regarding the processing of invalid HTTP requests with large chunk sizes. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Request Smuggling Information Disclosure Undertow +7
NVD
EPSS 3% CVSS 8.8
HIGH PATCH This Week

A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Java RCE Keycloak +6
NVD GitHub
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

A flaw was found in Keycloak in versions before 9.0.2. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Keycloak Openshift Application Runtimes +1
NVD
EPSS 2% CVSS 8.1
HIGH PATCH This Week

A flaw was found in all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1, all undertow-1.x.x and undertow-2.x.x versions prior to undertow-2.1.0.Final, where the Servlet container causes. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Undertow Jboss Data Grid +4
NVD
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

It was found in all keycloak versions before 9.0.0 that links to external applications (Application Links) in the admin console are not validated properly and could allow Stored XSS attacks. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Keycloak Single Sign On
NVD
EPSS 3% CVSS 8.8
HIGH PATCH This Week

A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Infinispan Fuse +5
NVD
EPSS 2% CVSS 6.1
MEDIUM POC PATCH This Month

A vulnerability was found in Hibernate-Validator. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Hibernate Validator Fuse +186
NVD GitHub
EPSS 1% CVSS 4.9
MEDIUM PATCH This Month

A flaw was found in wildfly-core before 7.2.5.GA. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Wildfly Core Jboss Enterprise Application Platform +2
NVD
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

A flaw was found in, all under 2.0.20, in the Undertow DEBUG log for io.undertow.request.security. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Undertow Jboss Data Grid +5
NVD
EPSS 1% CVSS 8.1
HIGH PATCH This Week

It was found that Keycloak's SAML broker, versions up to 6.0.1, did not verify missing message signatures. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Keycloak Single Sign On
NVD
EPSS 88% CVSS 7.5
HIGH This Week

Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Swiftnio Traffic Server +20
NVD GitHub
EPSS 83% CVSS 7.5
HIGH PATCH This Week

Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Swiftnio Traffic Server +26
NVD GitHub
EPSS 2% CVSS 7.8
HIGH This Week

CF CLI version prior to v6.45.0 (bosh release version 1.16.0) writes the client id and secret to its config file when the user authenticates with --client-credentials flag. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Cloud Foundry Command Line Interface Cloud Foundry Command Line Interface Release +44
NVD
EPSS 8% CVSS 9.8
CRITICAL PATCH Act Now

SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup),. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) vulnerability could allow attackers to modify object prototypes to inject properties affecting application logic.

Java Prototype Pollution RCE +24
NVD GitHub
EPSS 3% CVSS 7.5
HIGH PATCH This Week

undertow before version 2.0.23.Final is vulnerable to an information leak issue. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Authentication Bypass Undertow Jboss Data Grid +4
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

A vulnerability was found in keycloak before 6.0.2. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Keycloak Single Sign On
NVD
EPSS 1% CVSS 9.0
CRITICAL Act Now

It was found that Picketlink as shipped with Jboss Enterprise Application Platform 7.2 would accept an xinclude parameter in SAMLresponse XML. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Jboss Enterprise Application Platform Single Sign On
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

It was found that a SAMLRequest containing a script could be processed by Picketlink versions shipped in Jboss Application Platform 7.2.x and 7.1.x. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Jboss Enterprise Application Platform Single Sign On
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

It was found that Keycloak's Node.js adapter before version 4.8.3 did not properly verify the web token received from the server in its backchannel logout . Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Node.js Information Disclosure Keycloak +1
NVD
EPSS 1% CVSS 8.1
HIGH PATCH This Week

A flaw was found in Keycloak 4.2.1.Final, 4.3.0.Final. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Keycloak Single Sign On
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

A flaw was found in Keycloak 3.4.3.Final, 4.0.0.Beta2, 4.3.0.Final. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Keycloak Single Sign On
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

It was found that SAML authentication in Keycloak 3.4.3.Final incorrectly authenticated expired certificates. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Keycloak Single Sign On
NVD
EPSS 1% CVSS 4.9
MEDIUM PATCH This Month

keycloak before version 4.0.0.final is vulnerable to a infinite loop in session replacement. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Keycloak Single Sign On
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

CSRF Information Disclosure Single Sign On +1
NVD
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

It was found that Keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

XSS Request Smuggling Single Sign On +1
NVD
EPSS 1% CVSS 9.1
CRITICAL Act Now

The non-Domino web agents in CA Single Sign-On (aka SSO, formerly SiteMinder) R6, R12.0 before SP3 CR13, R12.0J before SP3 CR1.2, and R12.5 before CR5 allow remote attackers to cause a denial of. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Single Sign On
NVD
EPSS 1% CVSS 9.1
CRITICAL Act Now

The Domino web agent in CA Single Sign-On (aka SSO, formerly SiteMinder) R6, R12.0 before SP3 CR13, R12.0J before SP3 CR1.2, R12.5 before CR5, R12.51 before CR4, and R12.52 before SP1 CR3 allows. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Single Sign On
NVD
EPSS 32% CVSS 7.5
HIGH POC THREAT Act Now

Stack-based buffer overflow in collectoragent.exe in Fortinet Single Sign On (FSSO) before build 164 allows remote attackers to execute arbitrary code via a large PROCESS_HELLO message to the Message. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 31.6%.

RCE Buffer Overflow Fortinet +1
NVD Exploit-DB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy