Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 security update on RHEL 9
🔗 CVE IDs covered (31)
📋 Description
CVE-2018-14040 — bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute CVE-2018-14042 — bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip CVE-2019-11358 — jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection CVE-2020-11022 — jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method CVE-2020-11023 — jquery: Untrusted code execution via tag in HTML passed to DOM manipulation methods CVE-2021-35065 — glob-parent: Regular Expression Denial of Service CVE-2021-44906 — minimist: prototype pollution CVE-2022-1274 — keycloak: HTML injection in execute-actions-email Admin REST API CVE-2022-1438 — keycloak: XSS on impersonation under specific circumstances CVE-2022-1471 — SnakeYaml: Constructor Deserialization Remote Code Execution CVE-2022-2764 — Undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations CVE-2022-3916 — keycloak: Session takeover with OIDC offline refreshtokens CVE-2022-4137 — keycloak: reflected XSS attack CVE-2022-24785 — Moment.js: Path traversal in moment.locale CVE-2022-25857 — snakeyaml: Denial of Service due to missing nested depth limitation for collections CVE-2022-31129 — moment: inefficient parsing algorithm resulting in DoS CVE-2022-37603 — loader-utils: Regular expression denial of service CVE-2022-38749 — snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode CVE-2022-38750 — snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject CVE-2022-38751 — snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match CVE-2022-40149 — jettison: parser crash by stackoverflow CVE-2022-40150 — jettison: memory exhaustion via user-supplied XML or JSON data CVE-2022-42003 — jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS CVE-2022-42004 — jackson-databind: use of deeply nested arrays CVE-2022-45047 — mina-sshd: Java unsafe deserialization vulnerability CVE-2022-45693 — jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos CVE-2022-46175 — json5: Prototype Pollution in JSON5 via Parse Method CVE-2022-46363 — CXF: directory listing / code exfiltration CVE-2022-46364 — CXF: SSRF Vulnerability CVE-2023-0091 — keycloak: Client Registration endpoint does not check token revocation CVE-2023-0264 — keycloak: user impersonation via stolen uuid code
🔗 References (34)
- selfhttps://access.redhat.com/errata/RHSA-2023:1045
- externalhttps://access.redhat.com/security/updates/classification/#important
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1601614
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1601617
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1701972
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1828406
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2031904
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2066009
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2072009
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2073157
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2105075
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2117506
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2126789
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2129706
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2129707
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2129709
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2135244
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2135247
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2135770
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2135771
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2138971
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2140597
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2141404
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2145194
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2148496
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2150009
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2155681
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2155682
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2155970
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2156263
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2156324
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2158585
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=2160585
- selfhttps://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_1045.json