SB20240417148 - Multiple vulnerabilities in Red Hat Single Sign-On 7.6
Published: April 17, 2024 Updated: August 23, 2024
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 14 secuirty vulnerabilities.
1) Improper authorization (CVE-ID: CVE-2023-6544)
The vulnerability allows a remote attacker to gain unauthorized access to the application.
The vulnerability exists due to a permissive regular expression hard-coded for filtering allowed hosts to register a dynamic client within the org.keycloak.services.clientregistration package. A remote attacker with enough information about the environment could benefit and jeopardize an environment with this specific Dynamic Client Registration with TrustedDomain configuration previously unauthorized.
2) Improper Output Neutralization for Logs (CVE-ID: CVE-2023-6484)
The vulnerability allows a remote attacker to manipulate data in log files.
The vulnerability exists due to improper input validation during WebAuthn authentication or registration. A remote attacker can manipulate data in log files when using the WebAuthn authentication mode.
3) Path traversal (CVE-ID: CVE-2024-1132)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to improper validation of URLs included in a redirect in org.keycloak.protocol.oidc. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.
Note, the vulnerability affects any client that utilizes a wildcard in the Valid Redirect URIs field.
4) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2024-1249)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to "checkLoginIframe" allows unvalidated cross-origin messages. A remote attacker can send millions of requests in seconds using simple code, significantly impacting the application's availability without proper origin validation for incoming messages.
5) Resource exhaustion (CVE-ID: CVE-2024-1635)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when handling rapidly open and closed HTTP connections. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
6) Integer overflow (CVE-ID: CVE-2021-43618)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to integer overflow in mpz/inp_raw.c. A remote attacker can pass specially crafted data to the application, trigger integer overflow and cause a denial of service condition on the target system.
7) Resource exhaustion (CVE-ID: CVE-2023-4408)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when parsing DNS messages. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
8) Expected behavior violation (CVE-ID: CVE-2023-28322)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to a logic error when sending HTTP POST and PUT requests using the same handle. The libcurl can erroneously use the read callback (CURLOPT_READFUNCTION) to ask for data to send, even when the CURLOPT_POSTFIELDS option has been set, if the same handle previously was used to issue a PUT request which used that callback. As a result, the application can misbehave and either send off the wrong data or use memory after free or similar in the second transfer.
9) External control of file name or path (CVE-ID: CVE-2023-38546)
The vulnerability allows an attacker to inject arbitrary cookies into request.
The vulnerability exists due to the way cookies are handled by libcurl. If a transfer has cookies enabled when the handle is duplicated, the
cookie-enable state is also cloned - but without cloning the actual
cookies. If the source handle did not read any cookies from a specific
file on disk, the cloned version of the handle would instead store the
file name as none (using the four ASCII letters, no quotes).
none - if such a file exists and is readable in the current directory of the program using libcurl. 10) Information disclosure (CVE-ID: CVE-2023-46218)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to an error in curl that allows a malicious HTTP server to set "super cookies" that are then passed back to more origins than what is otherwise allowed or possible. A remote attacker can force curl to send such cookie to different and unrelated sites and domains.
11) Resource exhaustion (CVE-ID: CVE-2023-50387)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation when processing DNSSEC related records. A remote attacker can trigger resource exhaustion by forcing the DNS server to query a specially crafted DNSSEC zone and perform a denial of service (DoS) attack.
12) Resource exhaustion (CVE-ID: CVE-2023-50868)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation when processing DNSSEC related records. A remote attacker can trigger resource exhaustion by forcing the DNS server to query a specially crafted DNSSEC zone and perform a denial of service (DoS) attack.
13) Resource exhaustion (CVE-ID: CVE-2023-52425)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when parsing large tokens. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
14) Cryptographic issues (CVE-ID: CVE-2024-28834)
The vulnerability allows a remote attacker to perform MitM attack.
The vulnerability exists due to a side-channel attack when using the gnutls_privkey_sign_data2 API function with the "GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE" flag. A remote attacker can launch Minerva attack and gain access to sensitive information.
Remediation
Install update from vendor's website.