VulnerableCode Package Details - pkg:rpm/redhat/eap8-apache-commons-codec@1.16.1-2.redhat

Search for packages

Vulnerability	Summary	Fixed by
VCID-d6ku-ys87-cqh4 Aliases: CVE-2024-8883 GHSA-w8gr-xwp4-r9f7	Keycloak has Vulnerable Redirect URI Validation Results in Open Redirect A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost/ or http://127.0.0.1/, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking.	There are no reported fixed by versions.
VCID-ftf5-r1db-9qfq Aliases: CVE-2024-4029 GHSA-x7g6-rwhc-g7mj	Wildfly vulnerable to denial of service A vulnerability was found in Wildfly’s management interface. Due to the lack of limitation of sockets for the management interface, it may be possible to cause a denial of service hitting the nofile limit as there is no possibility to configure or set a maximum number of connections.	There are no reported fixed by versions.
VCID-k3hu-vqn3-yuaj Aliases: CVE-2024-41172 GHSA-4mgg-fqfq-64hg	Apache CXF allows unrestricted memory consumption in CXF HTTP clients In versions of Apache CXF before 3.6.4 and 4.0.5 (3.5.x and lower versions are not impacted), a CXF HTTP client conduit may prevent HTTPClient instances from being garbage collected and it is possible that memory consumption will continue to increase, eventually causing the application to run out of memory	There are no reported fixed by versions.
VCID-rfs8-njaq-qkc8 Aliases: CVE-2022-34169 GHSA-9339-86wc-4qgf	Apache Xalan Java XSLT library integer truncation issue when processing malicious XSLT stylesheets The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. A fix for this issue was published in September 2022 as part of an anticipated 2.7.3 release.	There are no reported fixed by versions.
VCID-w663-rgr4-ekdg Aliases: CVE-2023-52428 GHSA-gvpg-vgmx-xg6w	Denial of Service in Connect2id Nimbus JOSE+JWT In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component.	There are no reported fixed by versions.
VCID-z76m-nbap-v7ab Aliases: CVE-2024-8698 GHSA-xgfv-xpx8-qhcr	Improper Verification of SAML Responses Leading to Privilege Escalation in Keycloak A flaw exists in the SAML signature validation method within the Keycloak XMLSignatureUtil class. The method incorrectly determines whether a SAML signature is for the full document or only for specific assertions based on the position of the signature in the XML document, rather than the Reference element used to specify the signed element. This flaw allows attackers to create crafted responses that can bypass the validation, potentially leading to privilege escalation or impersonation attacks.	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-d6ku-ys87-cqh4
Aliases:
CVE-2024-8883
GHSA-w8gr-xwp4-r9f7

Keycloak has Vulnerable Redirect URI Validation Results in Open Redirect A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost/ or http://127.0.0.1/, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking.