Filtered by vendor Redhat
Subscriptions
Total
22981 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-1733 | 3 Debian, Fedoraproject, Redhat | 7 Debian Linux, Fedora, Ansible and 4 more | 2024-11-21 | 5 Medium |
| A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2.8.9 and prior, 2.9.6 and prior when running a playbook with an unprivileged become user. When Ansible needs to run a module with become user, the temporary directory is created in /var/tmp. This directory is created with "umask 77 && mkdir -p <dir>"; this operation does not fail if the directory already exists and is owned by another user. An attacker could take advantage to gain control of the become user as the target directory can be retrieved by iterating '/proc/<pid>/cmdline'. | ||||
| CVE-2020-1732 | 1 Redhat | 5 Jboss Enterprise Application Platform, Jboss Enterprise Application Platform Cd, Jboss Enterprise Application Platform Continuous Delivery and 2 more | 2024-11-21 | 4.2 Medium |
| A flaw was found in Soteria before 1.0.1, in a way that multiple requests occurring concurrently causing security identity corruption across concurrent threads when using EE Security with WildFly Elytron which can lead to the possibility of being handled using the identity from another request. | ||||
| CVE-2020-1731 | 1 Redhat | 1 Keycloak Operator | 2024-11-21 | 9.1 Critical |
| A flaw was found in all versions of the Keycloak operator, before version 8.0.2,(community only) where the operator generates a random admin password when installing Keycloak, however the password remains the same when deployed to the same OpenShift namespace. | ||||
| CVE-2020-1730 | 6 Canonical, Fedoraproject, Libssh and 3 more | 7 Ubuntu Linux, Fedora, Libssh and 4 more | 2024-11-21 | 5.3 Medium |
| A flaw was found in libssh versions before 0.8.9 and before 0.9.4 in the way it handled AES-CTR (or DES ciphers if enabled) ciphers. The server or client could crash when the connection hasn't been fully initialized and the system tries to cleanup the ciphers when closing the connection. The biggest threat from this vulnerability is system availability. | ||||
| CVE-2020-1729 | 1 Redhat | 3 Jboss Enterprise Application Platform, Openshift Application Runtimes, Smallrye Config | 2024-11-21 | 4.4 Medium |
| A flaw was found in SmallRye's API through version 1.6.1. The API can allow other code running within the application server to potentially obtain the ClassLoader, bypassing any permissions checks that should have been applied. The largest threat from this vulnerability is a threat to data confidentiality. This is fixed in SmallRye 1.6.2 | ||||
| CVE-2020-1728 | 2 Quarkus, Redhat | 5 Quarkus, Jboss Single Sign On, Keycloak and 2 more | 2024-11-21 | 4.8 Medium |
| A vulnerability was found in all versions of Keycloak where, the pages on the Admin Console area of the application are completely missing general HTTP security headers in HTTP-responses. This does not directly lead to a security issue, yet it might aid attackers in their efforts to exploit other problems. The flaws unnecessarily make the servers more prone to Clickjacking, channel downgrade attacks and other similar client-based attack vectors. | ||||
| CVE-2020-1727 | 1 Redhat | 3 Keycloak, Openshift Application Runtimes, Red Hat Single Sign On | 2024-11-21 | 6.4 Medium |
| A vulnerability was found in Keycloak before 9.0.2, where every Authorization URL that points to an IDP server lacks proper input validation as it allows a wide range of characters. This flaw allows a malicious to craft deep links that introduce further attack scenarios on affected clients. | ||||
| CVE-2020-1726 | 2 Libpod Project, Redhat | 4 Libpod, Enterprise Linux, Openshift and 1 more | 2024-11-21 | 5.9 Medium |
| A flaw was discovered in Podman where it incorrectly allows containers when created to overwrite existing files in volumes, even if they are mounted as read-only. When a user runs a malicious container or a container based on a malicious image with an attached volume that is used for the first time, it is possible to trigger the flaw and overwrite files in the volume.This issue was introduced in version 1.6.0. | ||||
| CVE-2020-1725 | 1 Redhat | 1 Keycloak | 2024-11-21 | 5.4 Medium |
| A flaw was found in keycloak before version 13.0.0. In some scenarios a user still has access to a resource after changing the role mappings in Keycloak and after expiration of the previous access token. | ||||
| CVE-2020-1724 | 1 Redhat | 5 Jboss Single Sign On, Keycloak, Openshift Application Runtimes and 2 more | 2024-11-21 | 4.3 Medium |
| A flaw was found in Keycloak in versions before 9.0.2. This flaw allows a malicious user that is currently logged in, to see the personal information of a previously logged out user in the account manager section. | ||||
| CVE-2020-1723 | 2 Keycloak Gatekeeper Project, Redhat | 2 Keycloak Gatekeeper, Mobile Application Platform | 2024-11-21 | 6.1 Medium |
| A flaw was found in Keycloak Gatekeeper (Louketo). The logout endpoint can be abused to redirect logged-in users to arbitrary web pages. Affected versions of Keycloak Gatekeeper (Louketo): 6.0.1, 7.0.0 | ||||
| CVE-2020-1722 | 2 Freeipa, Redhat | 2 Freeipa, Enterprise Linux | 2024-11-21 | 5.3 Medium |
| A flaw was found in all ipa versions 4.x.x through 4.8.0. When sending a very long password (>= 1,000,000 characters) to the server, the password hashing process could exhaust memory and CPU leading to a denial of service and the website becoming unresponsive. The highest threat from this vulnerability is to system availability. | ||||
| CVE-2020-1721 | 2 Dogtagpki, Redhat | 3 Dogtagpki, Enterprise Linux, Rhel Eus | 2024-11-21 | 6.1 Medium |
| A flaw was found in the Key Recovery Authority (KRA) Agent Service in pki-core 10.10.5 where it did not properly sanitize the recovery ID during a key recovery request, enabling a reflected cross-site scripting (XSS) vulnerability. An attacker could trick an authenticated victim into executing specially crafted Javascript code. | ||||
| CVE-2020-1720 | 2 Postgresql, Redhat | 8 Postgresql, Decision Manager, Enterprise Linux and 5 more | 2024-11-21 | 3.1 Low |
| A flaw was found in PostgreSQL's "ALTER ... DEPENDS ON EXTENSION", where sub-commands did not perform authorization checks. An authenticated attacker could use this flaw in certain configurations to perform drop objects such as function, triggers, et al., leading to database corruption. This issue affects PostgreSQL versions before 12.2, before 11.7, before 10.12 and before 9.6.17. | ||||
| CVE-2020-1719 | 1 Redhat | 7 Jboss Data Grid, Jboss Enterprise Application Platform, Jboss Enterprise Application Platform Cd and 4 more | 2024-11-21 | 5.4 Medium |
| A flaw was found in wildfly. The EJBContext principle is not popped back after invoking another EJB using a different Security Domain. The highest threat from this vulnerability is to data confidentiality and integrity. Versions before wildfly 20.0.0.Final are affected. | ||||
| CVE-2020-1718 | 1 Redhat | 7 Jboss Enterprise Bpms Platform, Jboss Enterprise Brms Platform, Jboss Fuse and 4 more | 2024-11-21 | 7.1 High |
| A flaw was found in the reset credential flow in all Keycloak versions before 8.0.0. This flaw allows an attacker to gain unauthorized access to the application. | ||||
| CVE-2020-1717 | 1 Redhat | 4 Jboss Fuse, Keycloak, Openshift Application Runtimes and 1 more | 2024-11-21 | 2.7 Low |
| A flaw was found in Keycloak 7.0.1. A logged in user can do an account email enumeration attack. | ||||
| CVE-2020-1716 | 2 Ceph, Redhat | 2 Ceph-ansible, Ceph Storage | 2024-11-21 | 8.8 High |
| A flaw was found in the ceph-ansible playbook where it contained hardcoded passwords that were being used as default passwords while deploying Ceph services. Any authenticated attacker can abuse this flaw to brute-force Ceph deployments, and gain administrator access to Ceph clusters via the Ceph dashboard to initiate read, write, and delete Ceph clusters and also modify Ceph cluster configurations. Versions before ceph-ansible 6.0.0alpha1 are affected. | ||||
| CVE-2020-1714 | 2 Quarkus, Redhat | 11 Quarkus, Decision Manager, Jboss Enterprise Application Platform and 8 more | 2024-11-21 | 8.8 High |
| A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized in a privileged context and potentially lead to remote code execution. | ||||
| CVE-2020-1711 | 4 Debian, Opensuse, Qemu and 1 more | 9 Debian Linux, Leap, Qemu and 6 more | 2024-11-21 | 7.7 High |
| An out-of-bounds heap buffer access flaw was found in the way the iSCSI Block driver in QEMU versions 2.12.0 before 4.2.1 handled a response coming from an iSCSI server while checking the status of a Logical Address Block (LBA) in an iscsi_co_block_status() routine. A remote user could use this flaw to crash the QEMU process, resulting in a denial of service or potential execution of arbitrary code with privileges of the QEMU process on the host. | ||||