The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Red Hat Single Sign-On

vulnerability announce CVE-2018-11307

jackson-databind: information disclosure via Default Typing

Synthesis of the vulnerability

An attacker can bypass access restrictions to data via Default Typing of jackson-databind, in order to obtain sensitive information.
Impacted products: Debian, Oracle Communications, RHEL, JBoss EAP by Red Hat, Red Hat SSO.
Severity: 2/4.
Consequences: data reading.
Provenance: document.
Creation date: 04/03/2019.
Identifiers: cpujan2019, CVE-2018-11307, DLA-1703-1, RHSA-2019:0782-01, RHSA-2019:1106-01, RHSA-2019:1107-01, RHSA-2019:1108-01, RHSA-2019:1140-01, VIGILANCE-VUL-28642.

Description of the vulnerability

jackson-databind can be configured with default typing, in which case the JSON document itself names the Java class to instantiate. CVE-2018-11307 covers a serialization gadget class that jackson-databind in this mode did not yet refuse to instantiate. An attacker who can submit JSON to such an application can therefore have that class instantiated, in order to obtain sensitive information.

computer vulnerability bulletin CVE-2018-14720

jackson-databind: external XML entity injection via JDK Classes

Synthesis of the vulnerability

An attacker can transmit malicious XML data via JDK Classes to jackson-databind, in order to read a file, scan sites, or trigger a denial of service.
Impacted products: Debian, Fedora, Oracle Communications, Oracle Fusion Middleware, Tuxedo, WebLogic, RHEL, JBoss EAP by Red Hat, Red Hat SSO.
Severity: 2/4.
Consequences: data reading, denial of service on service.
Provenance: document.
Creation date: 19/02/2019.
Identifiers: cpuapr2019, cpujan2019, CVE-2018-14720, DLA-1703-1, FEDORA-2019-df57551f6d, RHSA-2019:0782-01, RHSA-2019:1106-01, RHSA-2019:1107-01, RHSA-2019:1108-01, RHSA-2019:1140-01, VIGILANCE-VUL-28548.

Description of the vulnerability

When default typing is enabled, the JSON type id can name JDK classes that take an XML or URL source and parse it with external entities enabled. An attacker can therefore transmit malicious XML data via these JDK classes to jackson-databind, in order to read a file, scan sites, or trigger a denial of service.

computer vulnerability announce CVE-2018-14721

jackson-databind: information disclosure via axis2-jaxws SSRF

Synthesis of the vulnerability

An attacker can bypass access restrictions to data via axis2-jaxws SSRF of jackson-databind, in order to obtain sensitive information.
Impacted products: Debian, Fedora, Oracle Communications, Oracle Fusion Middleware, Tuxedo, WebLogic, RHEL, JBoss EAP by Red Hat, Red Hat SSO.
Severity: 2/4.
Consequences: data reading.
Provenance: document.
Creation date: 19/02/2019.
Identifiers: cpuapr2019, cpujan2019, CVE-2018-14721, DLA-1703-1, FEDORA-2019-df57551f6d, RHSA-2019:0782-01, RHSA-2019:1106-01, RHSA-2019:1107-01, RHSA-2019:1108-01, RHSA-2019:1140-01, VIGILANCE-VUL-28547.

Description of the vulnerability

When default typing is enabled, the JSON type id can name an axis2-jaxws class that fetches a URL taken from the document (server-side request forgery). An attacker can therefore make jackson-databind issue requests from the server, in order to obtain sensitive information.
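
The three jackson-databind bulletins above (CVE-2018-11307, CVE-2018-14720, CVE-2018-14721) share one root cause: an ObjectMapper with default typing enabled lets the JSON name the class to instantiate. The following Java program is an added example, not code from Vigil@nce, Red Hat or the Jackson project. It shows the vulnerable configuration beside two safe ones and a small check that reports which configuration honours an attacker-chosen class name. It assumes jackson-databind 2.10 or later on the classpath (BasicPolymorphicTypeValidator does not exist in 2.9, where the only fix is not to enable default typing); the package name com.example.events and the Event/Login types are placeholders for the application's own hierarchy.

```java
import java.io.IOException;

import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingCheck {

    // The application's own polymorphic base type (placeholder). Subtypes form an
    // explicit allow-list keyed by logical name, so no class name ever travels in
    // the JSON and no default typing is needed for this hierarchy.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({ @JsonSubTypes.Type(value = Login.class, name = "login") })
    public interface Event {
    }

    public static class Login implements Event {
        public String user;
    }

    // Vulnerable configuration: with global default typing, any Object-typed value
    // may carry a wrapper-array type id ["fully.qualified.ClassName", value] and
    // Jackson instantiates whatever class is named. This is the setting that exposes
    // the gadget classes behind CVE-2018-11307, CVE-2018-14720 and CVE-2018-14721.
    public static ObjectMapper vulnerableMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL); // deprecated since 2.10
        return m;
    }

    // Hardened configuration for code that still needs default typing: a
    // PolymorphicTypeValidator (jackson-databind 2.10+) limits type ids to subtypes
    // of Event whose class name starts with the application's own package
    // ("com.example.events." is a placeholder for that package).
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfBaseType(Event.class)
                .allowIfSubType("com.example.events.")
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // True when the mapper produced an object for the input. A denied type id is
    // reported as an InvalidTypeIdException (an IOException subclass) before any
    // object of the named class is created.
    public static boolean deserializes(ObjectMapper mapper, String json, Class<?> target) {
        try {
            mapper.readValue(json, target);
            return true;
        } catch (IOException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed hostile input: a wrapper-array type id naming a class the
        // application never intended to deserialize. A real attack names a gadget
        // class; java.util.HashMap is used only to show which configuration honours
        // an attacker-chosen class name.
        String hostile = "[\"java.util.HashMap\", {}]";
        System.out.println("vulnerable mapper honours attacker-chosen class: "
                + deserializes(vulnerableMapper(), hostile, Object.class));
        System.out.println("hardened mapper honours attacker-chosen class:   "
                + deserializes(hardenedMapper(), hostile, Object.class));

        // With logical type names and no default typing at all, a class name in the
        // "type" property is simply an unknown type id and is rejected.
        ObjectMapper plain = new ObjectMapper();
        System.out.println("plain mapper accepts type \"login\":             "
                + deserializes(plain, "{\"type\":\"login\",\"user\":\"alice\"}", Event.class));
        System.out.println("plain mapper accepts type \"java.util.HashMap\": "
                + deserializes(plain, "{\"type\":\"java.util.HashMap\"}", Event.class));
    }
}
```

The check to run against an existing code base is the first one: grep for enableDefaultTyping and setDefaultTyping, and for each hit either remove it in favour of @JsonTypeInfo with logical names, or pass a validator that names the application's own base type.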

computer vulnerability note CVE-2018-14642

Undertow: information disclosure via ByteBuffer Flushing

Synthesis of the vulnerability

An attacker can bypass access restrictions to data via ByteBuffer Flushing of Undertow, in order to obtain sensitive information.
Impacted products: JBoss EAP by Red Hat, Red Hat SSO.
Severity: 2/4.
Consequences: data reading.
Provenance: intranet client.
Creation date: 19/02/2019.
Identifiers: CVE-2018-14642, RHBUG-1628702, RHSA-2019:0362-01, RHSA-2019:0364-01, RHSA-2019:0365-01, RHSA-2019:0380-01, RHSA-2019:1106-01, RHSA-2019:1107-01, RHSA-2019:1108-01, RHSA-2019:1140-01, VIGILANCE-VUL-28539.

Description of the vulnerability

When the response headers do not fit in the first write, Undertow flushes the full contents of its write buffer, which can still hold data from earlier requests. An attacker can therefore receive fragments of other clients' responses via ByteBuffer Flushing of Undertow, in order to obtain sensitive information.

computer vulnerability bulletin CVE-2018-10934

WildFly: Cross Site Scripting via JBoss Management Console

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via JBoss Management Console of WildFly, in order to run JavaScript code in the context of the web site.
Impacted products: JBoss EAP by Red Hat, Red Hat SSO, WildFly.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 19/02/2019.
Identifiers: CVE-2018-10934, RHBUG-1615673, RHSA-2019:0362-01, RHSA-2019:0364-01, RHSA-2019:0365-01, RHSA-2019:0380-01, RHSA-2019:1159-01, RHSA-2019:1160-01, RHSA-2019:1161-01, RHSA-2019:1162-01, VIGILANCE-VUL-28538.

Description of the vulnerability

The WildFly product offers a web service.

However, the JBoss Management Console does not escape received data before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via JBoss Management Console of WildFly, in order to run JavaScript code in the context of the web site.

computer vulnerability note CVE-2018-14658

Keycloak: open redirect via org.keycloak.protocol.oidc.utils.RedirectUtils

Synthesis of the vulnerability

An attacker can deceive the user via org.keycloak.protocol.oidc.utils.RedirectUtils of Keycloak, in order to redirect him to a malicious site.
Impacted products: Red Hat SSO.
Severity: 1/4.
Consequences: user access/rights, data reading.
Provenance: internet client.
Creation date: 14/11/2018.
Identifiers: CVE-2018-14658, RHSA-2018:3592-01, RHSA-2018:3593-01, RHSA-2018:3595-01, VIGILANCE-VUL-27779.

Description of the vulnerability

An attacker can deceive the user via org.keycloak.protocol.oidc.utils.RedirectUtils of Keycloak, in order to redirect him to a malicious site.
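
The bulletin above names the redirect_uri validation of Keycloak's OpenID Connect flow. The Java class below is an added example of the check a deployer or reviewer would want in place, not Keycloak's own RedirectUtils code and not a reproduction of CVE-2018-14658: it validates a candidate redirect against a registered list by parsed components rather than by string prefix. The registered URIs, the "/*" prefix convention and the candidate inputs are constructed for the example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.List;

public class RedirectUriCheck {

    // Redirect URIs registered for one client, as a deployer would configure them.
    // Constructed for this example; a trailing "/*" marks a path prefix.
    static final List<String> REGISTERED = Arrays.asList(
            "https://app.example.com/oauth/callback",
            "https://app.example.com/mobile/*");

    // Effective port, so "https://host/" and "https://host:443/" compare equal.
    private static int effectivePort(URI u) {
        if (u.getPort() != -1) {
            return u.getPort();
        }
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    // Accepts a candidate only if, after parsing, its scheme, host and port match a
    // registered URI, it carries no user-info and no fragment, its decoded path has
    // no "." or ".." segment, and the path equals the registered path or lies under
    // a registered "/*" prefix. Comparing parsed components instead of the raw
    // string is what rejects inputs such as
    //   https://app.example.com.evil.net/oauth/callback   (host is a superstring)
    //   https://app.example.com@evil.net/oauth/callback   (registered host is user-info)
    //   https://app.example.com/mobile/%2e%2e/admin       (encoded dot segment)
    public static boolean isAllowedRedirect(String candidate) {
        URI uri;
        try {
            uri = new URI(candidate);
        } catch (URISyntaxException e) {
            return false;
        }
        if (!uri.isAbsolute() || uri.getHost() == null
                || uri.getRawUserInfo() != null || uri.getRawFragment() != null) {
            return false;
        }
        String path = uri.getPath() == null ? "" : uri.getPath(); // percent-decoded
        for (String segment : path.split("/")) {
            if (segment.equals(".") || segment.equals("..")) {
                return false;
            }
        }
        for (String registered : REGISTERED) {
            URI reg = URI.create(registered);
            if (!reg.getScheme().equalsIgnoreCase(uri.getScheme())
                    || !reg.getHost().equalsIgnoreCase(uri.getHost())
                    || effectivePort(reg) != effectivePort(uri)) {
                continue;
            }
            String regPath = reg.getPath();
            if (regPath.endsWith("/*")) {
                String prefix = regPath.substring(0, regPath.length() - 1); // keeps the "/"
                if (path.startsWith(prefix)) {
                    return true;
                }
            } else if (regPath.equals(path)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed candidates: two legitimate, four that a raw-string prefix
        // comparison would let through.
        String[] candidates = {
                "https://app.example.com/oauth/callback",
                "https://app.example.com:443/mobile/home",
                "https://app.example.com.evil.net/oauth/callback",
                "https://app.example.com@evil.net/oauth/callback",
                "https://app.example.com/mobile/%2e%2e/admin",
                "https://app.example.com/oauth/callback#@evil.net",
        };
        for (String c : candidates) {
            System.out.println((isAllowedRedirect(c) ? "allow " : "reject") + "  " + c);
        }
    }
}
```

Wildcards are deliberately confined to the end of the path; a wildcard in the host part would re-open the problem the check exists to close.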

computer vulnerability bulletin CVE-2018-14657

Keycloak: privilege escalation via TOTP Brute Force

Synthesis of the vulnerability

An attacker can brute-force the TOTP second factor of Keycloak, whose brute-force detection does not enforce its protection when TOTP is enabled, in order to escalate his privileges.
Impacted products: Red Hat SSO.
Severity: 2/4.
Consequences: privileged access/rights, user access/rights.
Provenance: internet client.
Creation date: 14/11/2018.
Identifiers: CVE-2018-14657, RHSA-2018:3592-01, RHSA-2018:3593-01, RHSA-2018:3595-01, VIGILANCE-VUL-27778.

Description of the vulnerability

Keycloak's brute-force detection does not enforce its protection measures when TOTP is enabled. An attacker who already holds a user's password can therefore submit one-time codes until one matches, in order to escalate his privileges.
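
The point of the bulletin above is that a 6-digit code space is small enough to walk in one sitting unless wrong codes count against the account exactly as wrong passwords do. The Java class below is an added example of such a guard, not Keycloak's brute-force detector and not a description of the flawed code; the user name, the expected code and the lockout parameters are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

public class OtpBruteForceGuard {

    private final int maxFailures;
    private final long lockoutMillis;
    private final Map<String, Integer> failures = new HashMap<>();
    private final Map<String, Long> lockedUntil = new HashMap<>();

    public OtpBruteForceGuard(int maxFailures, long lockoutMillis) {
        this.maxFailures = maxFailures;
        this.lockoutMillis = lockoutMillis;
    }

    // Verifies a submitted code against the expected one for this time step.
    // The lock is checked BEFORE the comparison, so a locked account cannot even
    // probe codes, and the failure counter advances on every wrong code: the
    // second factor is subject to the same brute-force rule as the password.
    public synchronized boolean verify(String user, String submitted, String expected, long now) {
        if (isLocked(user, now)) {
            return false;
        }
        if (constantTimeEquals(submitted, expected)) {
            failures.remove(user);
            lockedUntil.remove(user);
            return true;
        }
        int count = failures.merge(user, 1, Integer::sum);
        if (count >= maxFailures) {
            lockedUntil.put(user, now + lockoutMillis);
            failures.remove(user);
        }
        return false;
    }

    public synchronized boolean isLocked(String user, long now) {
        Long until = lockedUntil.get(user);
        if (until == null) {
            return false;
        }
        if (now >= until) {
            lockedUntil.remove(user);
            return false;
        }
        return true;
    }

    // MessageDigest.isEqual compares in constant time for inputs of equal length,
    // which every well-formed 6-digit code has; a code of the wrong length is
    // rejected early, which reveals only that the length was wrong.
    static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                b.getBytes(StandardCharsets.UTF_8));
    }

    // Simulates an attacker who already holds the password and walks the whole
    // 6-digit code space within one time step. Returns the number of attempts made
    // when the code is recovered, or its negative when the account locks first.
    public static int attemptsBeforeLock(OtpBruteForceGuard guard, String expected) {
        int attempts = 0;
        for (int code = 0; code < 1_000_000; code++) {
            attempts++;
            String guess = String.format("%06d", code);
            if (guard.verify("alice", guess, expected, 0L)) {
                return attempts;
            }
            if (guard.isLocked("alice", 0L)) {
                return -attempts;
            }
        }
        return attempts;
    }

    public static void main(String[] args) {
        // Constructed scenario: the expected code for the current step is "493817".
        // With no effective limit the loop reaches it; with maxFailures = 5 the
        // account locks after five wrong codes and the loop stops there.
        System.out.println("unlimited: "
                + attemptsBeforeLock(new OtpBruteForceGuard(Integer.MAX_VALUE, 0L), "493817"));
        System.out.println("limited:   "
                + attemptsBeforeLock(new OtpBruteForceGuard(5, 60_000L), "493817"));
    }
}
```

In a real deployment the counters live in shared storage rather than a HashMap, since an attacker will spread attempts across nodes; the rule that matters is the one in verify(): count the failure before deciding anything else.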

vulnerability announce CVE-2018-1000632

dom4j: XML injection via unvalidated element and attribute names

Synthesis of the vulnerability

dom4j does not validate the names passed to methods such as addElement and addAttribute, so an attacker who controls such a name can inject XML markup into the document that the application generates, in order to tamper with it.
Impacted products: Debian, openSUSE Leap, JBoss EAP by Red Hat, Red Hat SSO, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Consequences: data reading, denial of service on service.
Provenance: document.
Creation date: 25/09/2018.
Identifiers: CVE-2018-1000632, DLA-1517-1, openSUSE-SU-2018:2931-1, openSUSE-SU-2018:3998-1, openSUSE-SU-2018:4045-1, RHSA-2019:0362-01, RHSA-2019:0364-01, RHSA-2019:0365-01, RHSA-2019:0380-01, RHSA-2019:1159-01, RHSA-2019:1160-01, RHSA-2019:1161-01, RHSA-2019:1162-01, SUSE-SU-2018:3424-1, SUSE-SU-2018:3908-1, VIGILANCE-VUL-27312.

Description of the vulnerability

dom4j escapes attribute values and text content, but before version 2.1.1 it accepted any string as an element or attribute name. An attacker who controls a name passed to addElement or addAttribute can therefore inject markup that dom4j writes out verbatim, in order to tamper with the generated document and with whatever consumes it.
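
The Java program below is an added example of the injection the bulletin above describes and of an application-side guard against it; it is not dom4j's or Vigil@nce's code. It assumes a dom4j release before 2.1.1 on the classpath for the unchecked output to show the injected element (2.1.1 and later throw IllegalArgumentException from dom4j itself), and the SAFE_NAME pattern is a deliberately conservative ASCII subset of the XML Name production, chosen for this example.

```java
import java.util.regex.Pattern;

import org.dom4j.Document;
import org.dom4j.DocumentHelper;
import org.dom4j.Element;

public class Dom4jNameCheck {

    // Conservative XML Name check: an ASCII subset of the XML 1.0 Name production
    // with the colon excluded, so a caller cannot smuggle in a namespace prefix.
    // Application-side guard for older dom4j releases; 2.1.1 and later validate
    // names themselves.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z_][A-Za-z0-9_.-]*");

    public static String requireSafeName(String name) {
        if (name == null || !SAFE_NAME.matcher(name).matches()) {
            throw new IllegalArgumentException("unsafe XML name: " + name);
        }
        return name;
    }

    // The vulnerable pattern: element and attribute NAMES taken from the caller.
    // dom4j escapes the attribute value, but before 2.1.1 it did not validate
    // names, so markup inside a name is written out verbatim by asXML().
    public static String buildUnchecked(String elementName, String attrName, String attrValue) {
        Document doc = DocumentHelper.createDocument();
        Element root = doc.addElement("record");
        root.addElement(elementName).addAttribute(attrName, attrValue);
        return doc.asXML();
    }

    // The same construction with both names validated first.
    public static String buildChecked(String elementName, String attrName, String attrValue) {
        return buildUnchecked(requireSafeName(elementName), requireSafeName(attrName), attrValue);
    }

    public static void main(String[] args) {
        // Constructed hostile inputs. The element name closes the intended empty
        // element and adds an <admin> element the application never created; the
        // attribute name adds a second attribute. Against dom4j < 2.1.1 both appear
        // in the serialized document, while the value "user" is still escaped.
        String evilElement = "item/><admin>true</admin><item";
        String evilAttr = "id=\"1\" role";

        System.out.println(buildUnchecked(evilElement, evilAttr, "user"));

        for (String name : new String[] { evilElement, evilAttr }) {
            try {
                buildChecked(name, "id", "user");
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The practical check is therefore twofold: upgrade dom4j to 2.1.1 or later, and audit call sites where a name argument to addElement, addAttribute or createQName comes from request data.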

computer vulnerability announce CVE-2018-14627

WildFly: information disclosure via IIOP SSL Required

Synthesis of the vulnerability

An attacker can bypass access restrictions to data via IIOP SSL Required of WildFly, in order to obtain sensitive information.
Impacted products: JBoss EAP by Red Hat, Red Hat SSO, WildFly.
Severity: 2/4.
Consequences: data reading.
Provenance: LAN.
Creation date: 05/09/2018.
Identifiers: CVE-2018-14627, RHSA-2018:3527-01, RHSA-2018:3528-01, RHSA-2018:3529-01, RHSA-2018:3592-01, RHSA-2018:3593-01, RHSA-2018:3595-01, VIGILANCE-VUL-27147, WFLY-9107.

Description of the vulnerability

An attacker can bypass access restrictions to data via IIOP SSL Required of WildFly, in order to obtain sensitive information.