The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Red Hat Single Sign-On

vulnerability announce CVE-2019-3888

Undertow: information disclosure via UndertowLogger.REQUEST_LOGGER.undertowRequestFailed

Synthesis of the vulnerability

An attacker can bypass access restrictions to data via UndertowLogger.REQUEST_LOGGER.undertowRequestFailed of Undertow, in order to obtain sensitive information.
Impacted products: JBoss EAP by Red Hat, Red Hat SSO.
Severity: 1/4.
Consequences: data reading.
Provenance: user shell.
Creation date: 11/06/2019.
Identifiers: CVE-2019-3888, RHSA-2019:1419-01, RHSA-2019:1420-01, RHSA-2019:1421-01, RHSA-2019:1424-01, RHSA-2019:1456-01, VIGILANCE-VUL-29492.

Description of the vulnerability

An attacker can bypass access restrictions to data via UndertowLogger.REQUEST_LOGGER.undertowRequestFailed of Undertow, in order to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability bulletin CVE-2019-3894

Red Hat JBoss Enterprise Application Platform, WildFly: privilege escalation via ElytronManagedThread

Synthesis of the vulnerability

An attacker can bypass restrictions via ElytronManagedThread of Red Hat JBoss Enterprise Application Platform, in order to escalate his privileges.
Impacted products: JBoss EAP by Red Hat, Red Hat SSO, WildFly.
Severity: 1/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: intranet server.
Creation date: 06/05/2019.
Identifiers: CVE-2019-3894, RHSA-2019:1106-01, RHSA-2019:1107-01, RHSA-2019:1108-01, RHSA-2019:1140-01, VIGILANCE-VUL-29228.

Description of the vulnerability

An attacker can bypass restrictions via ElytronManagedThread of Red Hat JBoss Enterprise Application Platform, in order to escalate his privileges.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability announce CVE-2019-3805

WildFly: privilege escalation via PID File

Synthesis of the vulnerability

An attacker can bypass restrictions via PID File of WildFly, in order to escalate his privileges.
Impacted products: JBoss EAP by Red Hat, Red Hat SSO, WildFly.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, denial of service on server.
Provenance: user shell.
Creation date: 06/05/2019.
Identifiers: CVE-2019-3805, RHSA-2019:1106-01, RHSA-2019:1107-01, RHSA-2019:1108-01, RHSA-2019:1140-01, VIGILANCE-VUL-29227.

Description of the vulnerability

An attacker can bypass restrictions via PID File of WildFly, in order to escalate his privileges.
Full Vigil@nce bulletin... (Free trial)

vulnerability alert CVE-2019-3868

Red Hat Single Sign-On: privilege escalation

Synthesis of the vulnerability

An attacker can bypass restrictions of Red Hat Single Sign-On, in order to escalate his privileges.
Impacted products: RHEL, Red Hat SSO.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: internet client.
Creation date: 24/04/2019.
Identifiers: CVE-2019-3868, RHSA-2019:0856-01, RHSA-2019:0857-01, RHSA-2019:1140-01, VIGILANCE-VUL-29121.

Description of the vulnerability

An attacker can bypass restrictions of Red Hat Single Sign-On, in order to escalate his privileges.
Full Vigil@nce bulletin... (Free trial)

vulnerability CVE-2019-10909 CVE-2019-11358

jQuery, Symfony: Cross Site Scripting via templates

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via templates for Symfony, in order to run JavaScript code in the context of the web site.
Impacted products: Debian, Drupal Core, Fedora, Grafana, IBM API Connect, Joomla Extensions ~ not comprehensive, Red Hat SSO, Symfony, Synology DSM, TYPO3 Core.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 18/04/2019.
Identifiers: CERTFR-2019-AVI-180, CVE-2019-10909, CVE-2019-11358, DLA-1777-1, DLA-1777-2, DLA-1778-1, DLA-1797-1, DRUPAL-SA-CORE-2019-005, DRUPAL-SA-CORE-2019-006, DSA-4434-1, DSA-4441-1, FEDORA-2019-2a7f472198, FEDORA-2019-32067d8b15, FEDORA-2019-3ee6a7adf2, FEDORA-2019-a3ca65028c, FEDORA-2019-f8db687840, ibm10882578, ibm10882596, ibm10882756, ibm10882762, ibm10882952, ibm10882956, RHSA-2019:1456-01, Synology-SA-19:19, TYPO3-CORE-SA-2019-009, TYPO3-CORE-SA-2019-010, TYPO3-CORE-SA-2019-011, TYPO3-CORE-SA-2019-012, TYPO3-CORE-SA-2019-013, TYPO3-PSA-2019-004, TYPO3-PSA-2019-005, TYPO3-PSA-2019-006, VIGILANCE-VUL-29070.

Description of the vulnerability

An attacker can trigger a Cross Site Scripting via templates for Symfony, in order to run JavaScript code in the context of the web site.
Full Vigil@nce bulletin... (Free trial)

vulnerability CVE-2019-11358

jQuery Core: privilege escalation via Object.prototype Pollution

Synthesis of the vulnerability

An attacker can bypass restrictions via Object.prototype Pollution of jQuery Core, in order to escalate his privileges.
Impacted products: Debian, Drupal Core, eZ Platform, Fedora, jQuery Core, Oracle Communications, WebLogic, Red Hat SSO, Synology DSM, Telerik.Web.UI.
Severity: 2/4.
Consequences: user access/rights, data reading.
Provenance: document.
Creation date: 11/04/2019.
Identifiers: cpujul2019, CVE-2019-11358, DLA-1797-1, DRUPAL-SA-CORE-2019-005, DRUPAL-SA-CORE-2019-006, DSA-4460-1, EZSA-2019-005, FEDORA-2019-2a0ce0c58c, FEDORA-2019-a06dffab1c, FEDORA-2019-f563e66380, RHSA-2019:1456-01, Synology-SA-19:19, VIGILANCE-VUL-29030.

Description of the vulnerability

An attacker can bypass restrictions via Object.prototype Pollution of jQuery Core, in order to escalate his privileges.
Full Vigil@nce bulletin... (Free trial)

vulnerability CVE-2019-8331

Pivotal Ops Manager: Cross Site Scripting via Bootstrap

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via Bootstrap of Pivotal Ops Manager, in order to run JavaScript code in the context of the web site.
Impacted products: IBM API Connect, Red Hat SSO, TYPO3 Core.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 08/03/2019.
Identifiers: CVE-2019-8331, ibm10879483, RHSA-2019:1456-01, TYPO3-CORE-SA-2019-009, TYPO3-CORE-SA-2019-010, TYPO3-CORE-SA-2019-011, TYPO3-CORE-SA-2019-012, TYPO3-CORE-SA-2019-013, TYPO3-PSA-2019-004, TYPO3-PSA-2019-005, TYPO3-PSA-2019-006, VIGILANCE-VUL-28700.

Description of the vulnerability

The Pivotal Ops Manager product offers a web service.

However, it does not filter received data via Bootstrap before inserting them in generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via Bootstrap of Pivotal Ops Manager, in order to run JavaScript code in the context of the web site.
Full Vigil@nce bulletin... (Free trial)

vulnerability announce CVE-2018-11307

jackson-databind: information disclosure via Default Typing

Synthesis of the vulnerability

An attacker can bypass access restrictions to data via Default Typing of jackson-databind, in order to obtain sensitive information.
Impacted products: Debian, Oracle Communications, WebLogic, RHEL, JBoss EAP by Red Hat, Red Hat SSO.
Severity: 2/4.
Consequences: data reading.
Provenance: document.
Creation date: 04/03/2019.
Identifiers: cpujan2019, cpujul2019, CVE-2018-11307, DLA-1703-1, DSA-4452-1, RHSA-2019:0782-01, RHSA-2019:1106-01, RHSA-2019:1107-01, RHSA-2019:1108-01, RHSA-2019:1140-01, VIGILANCE-VUL-28642.

Description of the vulnerability

An attacker can bypass access restrictions to data via Default Typing of jackson-databind, in order to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability bulletin CVE-2018-14720

jackson-databind: external XML entity injection via JDK Classes

Synthesis of the vulnerability

An attacker can transmit malicious XML data via JDK Classes to jackson-databind, in order to read a file, scan sites, or trigger a denial of service.
Impacted products: Debian, Fedora, Oracle Communications, Oracle Fusion Middleware, Tuxedo, WebLogic, RHEL, JBoss EAP by Red Hat, Red Hat SSO.
Severity: 2/4.
Consequences: data reading, denial of service on service.
Provenance: document.
Creation date: 19/02/2019.
Identifiers: cpuapr2019, cpujan2019, CVE-2018-14720, DLA-1703-1, DSA-4452-1, FEDORA-2019-df57551f6d, RHSA-2019:0782-01, RHSA-2019:1106-01, RHSA-2019:1107-01, RHSA-2019:1108-01, RHSA-2019:1140-01, VIGILANCE-VUL-28548.

Description of the vulnerability

An attacker can transmit malicious XML data via JDK Classes to jackson-databind, in order to read a file, scan sites, or trigger a denial of service.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability announce CVE-2018-14721

jackson-databind: information disclosure via axis2-jaxws SSRF

Synthesis of the vulnerability

An attacker can bypass access restrictions to data via axis2-jaxws SSRF of jackson-databind, in order to obtain sensitive information.
Impacted products: Debian, Fedora, Oracle Communications, Oracle Fusion Middleware, Tuxedo, WebLogic, RHEL, JBoss EAP by Red Hat, Red Hat SSO.
Severity: 2/4.
Consequences: data reading.
Provenance: document.
Creation date: 19/02/2019.
Identifiers: cpuapr2019, cpujan2019, CVE-2018-14721, DLA-1703-1, DSA-4452-1, FEDORA-2019-df57551f6d, RHSA-2019:0782-01, RHSA-2019:1106-01, RHSA-2019:1107-01, RHSA-2019:1108-01, RHSA-2019:1140-01, VIGILANCE-VUL-28547.

Description of the vulnerability

An attacker can bypass access restrictions to data via axis2-jaxws SSRF of jackson-databind, in order to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial)
Our database contains other pages. You can request a free trial to read them.

Display information about Red Hat Single Sign-On: