SB20240417152 - Multiple vulnerabilities in Red Hat Single Sign-On 7.6

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB20240417152

SB20240417152 - Multiple vulnerabilities in Red Hat Single Sign-On 7.6

Published: April 17, 2024

Security Bulletin ID SB20240417152
Severity
Medium
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 60% Low 40%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 secuirty vulnerabilities.


1) Improper Output Neutralization for Logs (CVE-ID: CVE-2023-6484)

The vulnerability allows a remote attacker to manipulate data in log files.

The vulnerability exists due to improper input validation during WebAuthn authentication or registration. A remote attacker can manipulate data in log files when using the WebAuthn authentication mode.


2) Integer overflow (CVE-ID: CVE-2021-43618)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to integer overflow in mpz/inp_raw.c. A remote attacker can pass specially crafted data to the application, trigger integer overflow and cause a denial of service condition on the target system.


3) Expected behavior violation (CVE-ID: CVE-2023-28322)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to a logic error when sending HTTP POST and PUT requests using the same handle. The libcurl can erroneously use the read callback (CURLOPT_READFUNCTION) to ask for data to send, even when the CURLOPT_POSTFIELDS option has been set, if the same handle previously was used to issue a PUT request which used that callback. As a result, the application can misbehave and either send off the wrong data or use memory after free or similar in the second transfer.


4) External control of file name or path (CVE-ID: CVE-2023-38546)

The vulnerability allows an attacker to inject arbitrary cookies into request.

The vulnerability exists due to the way cookies are handled by libcurl. If a transfer has cookies enabled when the handle is duplicated, the cookie-enable state is also cloned - but without cloning the actual cookies. If the source handle did not read any cookies from a specific file on disk, the cloned version of the handle would instead store the file name as none (using the four ASCII letters, no quotes).

Subsequent use of the cloned handle that does not explicitly set a source to load cookies from would then inadvertently load cookies from a file named none - if such a file exists and is readable in the current directory of the program using libcurl.

5) Information disclosure (CVE-ID: CVE-2023-46218)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to an error in curl that allows a malicious HTTP server to set "super cookies" that are then passed back to more origins than what is otherwise allowed or possible. A remote attacker can force curl to send such cookie to different and unrelated sites and domains.


Remediation

Install update from vendor's website.

References