Redhat Openshift Application Runtimes — known CVE vulnerabilities
Every CVE whose affected-product data names Redhat Openshift Application Runtimes, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (33)
CVE-2019-10212 — CVSS 9.8 (critical): A flaw was found in, all under 2.0.20, in the Undertow DEBUG log for io.undertow.request.security. If enabled, an attacker could abuse this…
CVE-2019-3888 — CVSS 9.8 (critical): A vulnerability was found in Undertow web server before 2.0.21. An information exposure of plain text credentials through log files because…
CVE-2019-14887 — CVSS 9.1 (critical): A flaw was found when an OpenSSL security provider is used with Wildfly, the 'enabled-protocols' value in the Wildfly configuration isn't…
CVE-2020-1714 — CVSS 8.8 (high): A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. This flaw…
CVE-2019-10174 — CVSS 8.8 (high): A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application…
CVE-2020-1757 — CVSS 8.1 (high): A flaw was found in all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1, all undertow-1.x.x and undertow-2.x.x versions prior to…
CVE-2023-1108 — CVSS 7.5 (high): A flaw was found in undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status updated in…
CVE-2019-10184 — CVSS 7.5 (high): undertow before version 2.0.23.Final is vulnerable to an information leak issue. Web apps may have their directory structures predicted…
CVE-2020-10705 — CVSS 7.5 (high): A flaw was discovered in Undertow in versions before Undertow 2.1.1.Final where certain requests to the "Expect: 100-continue" header may…
CVE-2020-10758 — CVSS 7.5 (high): A vulnerability was found in Keycloak before 11.0.1 where DoS attack is possible by sending twenty requests simultaneously to the specified…
CVE-2020-25644 — CVSS 7.5 (high): A memory leak flaw was found in WildFly OpenSSL in versions prior to 1.1.3.Final, where it removes an HTTP session. It may allow the…
CVE-2020-27782 — CVSS 7.5 (high): A flaw was found in the Undertow AJP connector. Malicious requests and abrupt connection closes could be triggered by an attacker using…
CVE-2021-3690 — CVSS 7.5 (high): A flaw was found in Undertow. A buffer leak on the incoming WebSocket PONG message may lead to memory exhaustion. This flaw allows an…
CVE-2021-4104 — CVSS 7.5 (high): JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration…
CVE-2022-1259 — CVSS 7.5 (high): A flaw was found in Undertow. A potential security issue in flow control handling by the browser over HTTP/2 may cause overhead or a denial…
CVE-2022-1319 — CVSS 7.5 (high): A flaw was found in Undertow. For an AJP 400 response, EAP 7 is improperly sending two response packets, and those packets have the reuse…
CVE-2020-1718 — CVSS 7.1 (high): A flaw was found in the reset credential flow in all Keycloak versions before 8.0.0. This flaw allows an attacker to gain unauthorized…
CVE-2021-4178 — CVSS 6.7 (medium): A arbitrary code execution flaw was found in the Fabric 8 Kubernetes client affecting versions 5.0.0-beta-1 and above. Due to an improperly…
CVE-2020-14307 — CVSS 6.5 (medium): A vulnerability was found in Wildfly's Enterprise Java Beans (EJB) versions shipped with Red Hat JBoss EAP 7, where SessionOpenInvocations…
CVE-2020-14297 — CVSS 6.5 (medium): A flaw was discovered in Wildfly's EJB Client as shipped with Red Hat JBoss EAP 7, where some specific EJB transaction objects may get…
CVE-2020-10719 — CVSS 6.5 (medium): A flaw was found in Undertow in versions before 2.1.1.Final, regarding the processing of invalid HTTP requests with large chunk sizes. This…
CVE-2020-14299 — CVSS 6.5 (medium): A flaw was found in JBoss EAP, where the authentication configuration is set-up using a legacy SecurityRealm, to delegate to a legacy…
CVE-2020-10688 — CVSS 6.1 (medium): A cross-site scripting (XSS) flaw was found in RESTEasy in versions before 3.11.1.Final and before 4.5.3.Final, where it did not properly…
CVE-2019-10219 — CVSS 6.1 (medium): A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of…
CVE-2021-3914 — CVSS 6.1 (medium): It was found that the smallrye health metrics UI component did not properly sanitize some user inputs. An attacker could use this flaw to…
CVE-2021-3597 — CVSS 5.9 (medium): A flaw was found in undertow. The HTTP2SourceChannel fails to write the final frame under some circumstances, resulting in a denial of…
CVE-2020-25689 — CVSS 5.3 (medium): A memory leak flaw was found in WildFly in all versions up to 21.0.0.Final, where host-controller tries to reconnect in a loop, generating…
CVE-2021-3642 — CVSS 5.3 (medium): A flaw was found in Wildfly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final where ScramServer…
CVE-2020-1710 — CVSS 5.3 (medium): The issue appears to be that JBoss EAP 6.4.21 does not parse the field-name in accordance to RFC7230[1] as it returns a 200 instead of a…
CVE-2020-1724 — CVSS 4.3 (medium): A flaw was found in Keycloak in versions before 9.0.2. This flaw allows a malicious user that is currently logged in, to see the personal…
CVE-2020-1732 — CVSS 4.2 (medium): A flaw was found in Soteria before 1.0.1, in a way that multiple requests occurring concurrently causing security identity corruption…
CVE-2020-10734 — CVSS 3.3 (low): A vulnerability was found in keycloak in the way that the OIDC logout endpoint does not have CSRF protection. Versions shipped with Red Hat…
CVE-2020-1717 — CVSS 2.7 (low): A flaw was found in Keycloak 7.0.1. A logged in user can do an account email enumeration attack.