Package details: pkg:rpm/redhat/eap8-elytron-web@4.0.1-1.Final_redhat_00001.1?arch=el8eap
purl pkg:rpm/redhat/eap8-elytron-web@4.0.1-1.Final_redhat_00001.1?arch=el8eap
Next non-vulnerable version None.
Latest non-vulnerable version None.
Risk 4.0
Vulnerabilities affecting this package (3)
Vulnerability Summary Fixed by
VCID-9p6a-t8zz-jkfd
Aliases:
CVE-2024-1233
GHSA-v4mm-q8fv-r2w5
WildFly Elytron: SSRF security issue
A flaw was found in `JwtValidator.resolvePublicKey` in JBoss EAP, where the validator checks jku and sends an HTTP request. During this process, no whitelisting or other filtering behavior is performed on the destination URL address, which may result in a server-side request forgery (SSRF) vulnerability.
There are no reported fixed by versions.
VCID-etqf-v4yp-4fdu
Aliases:
CVE-2023-6236
GHSA-jpmx-996v-48fm
WildFly Elytron: OIDC app attempting to access the second tenant, the user should be prompted to log
A flaw was found in JBoss EAP. When an OIDC app that serves multiple tenants attempts to access the second tenant, it should prompt the user to log in again since the second tenant is secured with a different OIDC configuration. The underlying issue is in OidcSessionTokenStore when determining if a cached token should be used or not. This logic needs to be updated to take into account the new "provider-url" option in addition to the "realm" option.
There are no reported fixed by versions.
VCID-vf46-vrr9-k7c6
Aliases:
CVE-2023-4503
eap-galleon: custom provisioning creates unsecured http-invoker
There are no reported fixed by versions.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-01T13:51:00.245211+00:00 RedHat Importer Affected by VCID-vf46-vrr9-k7c6 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-4503.json 38.0.0
2026-04-01T13:48:43.556421+00:00 RedHat Importer Affected by VCID-9p6a-t8zz-jkfd https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-1233.json 38.0.0
2026-04-01T13:48:42.994050+00:00 RedHat Importer Affected by VCID-etqf-v4yp-4fdu https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-6236.json 38.0.0