Vulnerabilities

887 via 887 paths

Dependencies

143

Source

Docker

Target OS

rhel:8.5
Severity
  • 172
  • 496
  • 219
Status
  • 887
  • 0
  • 0

high severity

Inappropriate Encoding for Output Context

  • Vulnerable module: expat
  • Introduced through: expat@2.2.5-4.el8
  • Fixed in: 0:2.2.5-4.el8_5.3

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 expat@2.2.5-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context.

Remediation

Upgrade RHEL:8 expat to version 0:2.2.5-4.el8_5.3 or higher.
This issue was patched in RHSA-2022:0951.

high severity

Incorrect Behavior Order: Early Validation

  • Vulnerable module: expat
  • Introduced through: expat@2.2.5-4.el8
  • Fixed in: 0:2.2.5-4.el8_5.3

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 expat@2.2.5-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.

Remediation

Upgrade RHEL:8 expat to version 0:2.2.5-4.el8_5.3 or higher.
This issue was patched in RHSA-2022:0951.

high severity

Integer Overflow or Wraparound

  • Vulnerable module: expat
  • Introduced through: expat@2.2.5-4.el8
  • Fixed in: 0:2.2.5-4.el8_5.3

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 expat@2.2.5-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.

Remediation

Upgrade RHEL:8 expat to version 0:2.2.5-4.el8_5.3 or higher.
This issue was patched in RHSA-2022:0951.

high severity

Integer Overflow or Wraparound

  • Vulnerable module: expat
  • Introduced through: expat@2.2.5-4.el8
  • Fixed in: 0:2.2.5-4.el8_5.3

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 expat@2.2.5-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.

Remediation

Upgrade RHEL:8 expat to version 0:2.2.5-4.el8_5.3 or higher.
This issue was patched in RHSA-2022:0951.

high severity

Integer Overflow or Wraparound

  • Vulnerable module: expat
  • Introduced through: expat@2.2.5-4.el8
  • Fixed in: 0:2.2.5-4.el8_5.3

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 expat@2.2.5-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES.

Remediation

Upgrade RHEL:8 expat to version 0:2.2.5-4.el8_5.3 or higher.
This issue was patched in RHSA-2022:0951.

high severity

Integer Overflow or Wraparound

  • Vulnerable module: expat
  • Introduced through: expat@2.2.5-4.el8
  • Fixed in: 0:2.2.5-4.el8_5.3

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 expat@2.2.5-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.

Remediation

Upgrade RHEL:8 expat to version 0:2.2.5-4.el8_5.3 or higher.
This issue was patched in RHSA-2022:0951.

high severity

Out-of-bounds Write

  • Vulnerable module: expat
  • Introduced through: expat@2.2.5-4.el8
  • Fixed in: 0:2.2.5-4.el8_5.3

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 expat@2.2.5-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames.

Remediation

Upgrade RHEL:8 expat to version 0:2.2.5-4.el8_5.3 or higher.
This issue was patched in RHSA-2022:0951.

high severity

Use After Free

  • Vulnerable module: systemd-libs
  • Introduced through: systemd-libs@239-51.el8_5.3
  • Fixed in: 0:239-58.el8_6.4

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 systemd-libs@239-51.el8_5.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd-libs package and not the systemd-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A use-after-free vulnerability was found in systemd. This issue occurs due to the on_stream_io() function and dns_stream_complete() function in 'resolved-dns-stream.c' not incrementing the reference counting for the DnsStream object. Therefore, other functions and callbacks called can dereference the DNSStream object, causing the use-after-free when the reference is still used later.

Remediation

Upgrade RHEL:8 systemd-libs to version 0:239-58.el8_6.4 or higher.
This issue was patched in RHSA-2022:6206.

high severity

Expired Pointer Dereference

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.7-9.el8_4.2
  • Fixed in: 0:2.9.7-21.el8_10.1

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libxml2@2.9.7-9.el8_4.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the <sch:name path="..."/> schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program's crash using libxml or other possible undefined behaviors.

Remediation

Upgrade RHEL:8 libxml2 to version 0:2.9.7-21.el8_10.1 or higher.
This issue was patched in RHSA-2025:10698.

high severity

Out-of-bounds Read

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.7-9.el8_4.2
  • Fixed in: 0:2.9.7-21.el8_10.1

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libxml2@2.9.7-9.el8_4.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A vulnerability was found in libxml2. Processing certain sch:name elements from the input XML file can trigger a memory corruption issue. This flaw allows an attacker to craft a malicious XML input file that can lead libxml to crash, resulting in a denial of service or other possible undefined behavior due to sensitive data being corrupted in memory.

Remediation

Upgrade RHEL:8 libxml2 to version 0:2.9.7-21.el8_10.1 or higher.
This issue was patched in RHSA-2025:10698.

high severity

Improper Validation of Integrity Check Value

  • Vulnerable module: krb5-libs
  • Introduced through: krb5-libs@1.18.2-14.el8
  • Fixed in: 0:1.18.2-30.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 krb5-libs@1.18.2-14.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5-libs package and not the krb5-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify any valid Response (Access-Accept, Access-Reject, or Access-Challenge) to any other response using a chosen-prefix collision attack against MD5 Response Authenticator signature.

Remediation

Upgrade RHEL:8 krb5-libs to version 0:1.18.2-30.el8_10 or higher.
This issue was patched in RHSA-2024:8860.

high severity

SQL Injection

  • Vulnerable module: cyrus-sasl-lib
  • Introduced through: cyrus-sasl-lib@2.1.27-5.el8
  • Fixed in: 0:2.1.27-6.el8_5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 cyrus-sasl-lib@2.1.27-5.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream cyrus-sasl-lib package and not the cyrus-sasl-lib package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does not escape the password for a SQL INSERT or UPDATE statement.

Remediation

Upgrade RHEL:8 cyrus-sasl-lib to version 0:2.1.27-6.el8_5 or higher.
This issue was patched in RHSA-2022:0658.

high severity

Incorrect Bitwise Shift of Integer

  • Vulnerable module: expat
  • Introduced through: expat@2.2.5-4.el8
  • Fixed in: 0:2.2.5-4.el8_5.3

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 expat@2.2.5-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).

Remediation

Upgrade RHEL:8 expat to version 0:2.2.5-4.el8_5.3 or higher.
This issue was patched in RHSA-2022:0951.

high severity

Integer Overflow or Wraparound

  • Vulnerable module: expat
  • Introduced through: expat@2.2.5-4.el8
  • Fixed in: 0:2.2.5-4.el8_5.3

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 expat@2.2.5-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.

Remediation

Upgrade RHEL:8 expat to version 0:2.2.5-4.el8_5.3 or higher.
This issue was patched in RHSA-2022:0951.

high severity

Integer Overflow or Wraparound

  • Vulnerable module: expat
  • Introduced through: expat@2.2.5-4.el8
  • Fixed in: 0:2.2.5-4.el8_5.3

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 expat@2.2.5-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.

Remediation

Upgrade RHEL:8 expat to version 0:2.2.5-4.el8_5.3 or higher.
This issue was patched in RHSA-2022:0951.

high severity

Integer Overflow or Wraparound

  • Vulnerable module: expat
  • Introduced through: expat@2.2.5-4.el8
  • Fixed in: 0:2.2.5-4.el8_5.3

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 expat@2.2.5-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.

Remediation

Upgrade RHEL:8 expat to version 0:2.2.5-4.el8_5.3 or higher.
This issue was patched in RHSA-2022:0951.

high severity

Out-of-bounds Write

  • Vulnerable module: glibc
  • Introduced through: glibc@2.28-164.el8
  • Fixed in: 0:2.28-251.el8_10.1

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.

Remediation

Upgrade RHEL:8 glibc to version 0:2.28-251.el8_10.1 or higher.
This issue was patched in RHSA-2024:3269.

high severity

Out-of-bounds Write

  • Vulnerable module: glibc-common
  • Introduced through: glibc-common@2.28-164.el8
  • Fixed in: 0:2.28-251.el8_10.1

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-common@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-common package and not the glibc-common package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.

Remediation

Upgrade RHEL:8 glibc-common to version 0:2.28-251.el8_10.1 or higher.
This issue was patched in RHSA-2024:3269.

high severity

Out-of-bounds Write

  • Vulnerable module: glibc-langpack-en
  • Introduced through: glibc-langpack-en@2.28-164.el8
  • Fixed in: 0:2.28-251.el8_10.1

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-langpack-en@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-langpack-en package and not the glibc-langpack-en package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.

Remediation

Upgrade RHEL:8 glibc-langpack-en to version 0:2.28-251.el8_10.1 or higher.
This issue was patched in RHSA-2024:3269.

high severity

Out-of-bounds Write

  • Vulnerable module: glibc-minimal-langpack
  • Introduced through: glibc-minimal-langpack@2.28-164.el8
  • Fixed in: 0:2.28-251.el8_10.1

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-minimal-langpack@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-minimal-langpack package and not the glibc-minimal-langpack package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The iconv() function in the GNU C Library versions 2.39 and older may overflow the output buffer passed to it by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set, which may be used to crash an application or overwrite a neighbouring variable.

Remediation

Upgrade RHEL:8 glibc-minimal-langpack to version 0:2.28-251.el8_10.1 or higher.
This issue was patched in RHSA-2024:3269.

high severity

External Control of File Name or Path

  • Vulnerable module: gzip
  • Introduced through: gzip@1.9-12.el8
  • Fixed in: 0:1.9-13.el8_5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 gzip@1.9-12.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream gzip package and not the gzip package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system.

Remediation

Upgrade RHEL:8 gzip to version 0:1.9-13.el8_5 or higher.
This issue was patched in RHSA-2022:1537.

high severity

Integer Overflow or Wraparound

  • Vulnerable module: krb5-libs
  • Introduced through: krb5-libs@1.18.2-14.el8
  • Fixed in: 0:1.18.2-22.el8_7

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 krb5-libs@1.18.2-14.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5-libs package and not the krb5-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other platforms. This occurs in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has "a similar bug."

Remediation

Upgrade RHEL:8 krb5-libs to version 0:1.18.2-22.el8_7 or higher.
This issue was patched in RHSA-2022:8638.

high severity

Out-of-Bounds

  • Vulnerable module: nss
  • Introduced through: nss@3.67.0-7.el8_5
  • Fixed in: 0:3.79.0-11.el8_7

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 nss@3.67.0-7.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream nss package and not the nss package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An attacker could construct a PKCS 12 cert bundle in such a way that could allow for arbitrary memory writes via PKCS 12 Safe Bag attributes being mishandled. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.

Remediation

Upgrade RHEL:8 nss to version 0:3.79.0-11.el8_7 or higher.
This issue was patched in RHSA-2023:1252.

high severity

Out-of-Bounds

  • Vulnerable module: nss-softokn
  • Introduced through: nss-softokn@3.67.0-7.el8_5
  • Fixed in: 0:3.79.0-11.el8_7

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 nss-softokn@3.67.0-7.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream nss-softokn package and not the nss-softokn package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An attacker could construct a PKCS 12 cert bundle in such a way that could allow for arbitrary memory writes via PKCS 12 Safe Bag attributes being mishandled. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.

Remediation

Upgrade RHEL:8 nss-softokn to version 0:3.79.0-11.el8_7 or higher.
This issue was patched in RHSA-2023:1252.

high severity

Out-of-Bounds

  • Vulnerable module: nss-softokn-freebl
  • Introduced through: nss-softokn-freebl@3.67.0-7.el8_5
  • Fixed in: 0:3.79.0-11.el8_7

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 nss-softokn-freebl@3.67.0-7.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream nss-softokn-freebl package and not the nss-softokn-freebl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An attacker could construct a PKCS 12 cert bundle in such a way that could allow for arbitrary memory writes via PKCS 12 Safe Bag attributes being mishandled. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.

Remediation

Upgrade RHEL:8 nss-softokn-freebl to version 0:3.79.0-11.el8_7 or higher.
This issue was patched in RHSA-2023:1252.

high severity

Out-of-Bounds

  • Vulnerable module: nss-sysinit
  • Introduced through: nss-sysinit@3.67.0-7.el8_5
  • Fixed in: 0:3.79.0-11.el8_7

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 nss-sysinit@3.67.0-7.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream nss-sysinit package and not the nss-sysinit package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An attacker could construct a PKCS 12 cert bundle in such a way that could allow for arbitrary memory writes via PKCS 12 Safe Bag attributes being mishandled. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.

Remediation

Upgrade RHEL:8 nss-sysinit to version 0:3.79.0-11.el8_7 or higher.
This issue was patched in RHSA-2023:1252.

high severity

Out-of-Bounds

  • Vulnerable module: nss-util
  • Introduced through: nss-util@3.67.0-7.el8_5
  • Fixed in: 0:3.79.0-11.el8_7

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 nss-util@3.67.0-7.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream nss-util package and not the nss-util package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An attacker could construct a PKCS 12 cert bundle in such a way that could allow for arbitrary memory writes via PKCS 12 Safe Bag attributes being mishandled. This vulnerability affects Firefox < 110, Thunderbird < 102.8, and Firefox ESR < 102.8.

Remediation

Upgrade RHEL:8 nss-util to version 0:3.79.0-11.el8_7 or higher.
This issue was patched in RHSA-2023:1252.

high severity

Arbitrary Code Injection

  • Vulnerable module: platform-python-setuptools
  • Introduced through: platform-python-setuptools@39.2.0-6.el8
  • Fixed in: 0:39.2.0-8.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python-setuptools@39.2.0-6.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python-setuptools package and not the platform-python-setuptools package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.

Remediation

Upgrade RHEL:8 platform-python-setuptools to version 0:39.2.0-8.el8_10 or higher.
This issue was patched in RHSA-2024:5530.

high severity

Arbitrary Code Injection

  • Vulnerable module: python3-setuptools-wheel
  • Introduced through: python3-setuptools-wheel@39.2.0-6.el8
  • Fixed in: 0:39.2.0-8.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-setuptools-wheel@39.2.0-6.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-setuptools-wheel package and not the python3-setuptools-wheel package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.

Remediation

Upgrade RHEL:8 python3-setuptools-wheel to version 0:39.2.0-8.el8_10 or higher.
This issue was patched in RHSA-2024:5530.

high severity

External Control of File Name or Path

  • Vulnerable module: xz-libs
  • Introduced through: xz-libs@5.2.4-3.el8
  • Fixed in: 0:5.2.4-4.el8_6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 xz-libs@5.2.4-3.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream xz-libs package and not the xz-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system.

Remediation

Upgrade RHEL:8 xz-libs to version 0:5.2.4-4.el8_6 or higher.
This issue was patched in RHSA-2022:4991.

high severity

Integer Overflow or Wraparound

  • Vulnerable module: libksba
  • Introduced through: libksba@1.3.5-7.el8
  • Fixed in: 0:1.3.5-8.el8_6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libksba@1.3.5-7.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libksba package and not the libksba package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A vulnerability was found in the Libksba library due to an integer overflow within the CRL parser. The vulnerability can be exploited remotely for code execution on the target system by passing specially crafted data to the application, for example, a malicious S/MIME attachment.

Remediation

Upgrade RHEL:8 libksba to version 0:1.3.5-8.el8_6 or higher.
This issue was patched in RHSA-2022:7089.

high severity

Integer Overflow or Wraparound

  • Vulnerable module: libksba
  • Introduced through: libksba@1.3.5-7.el8
  • Fixed in: 0:1.3.5-9.el8_7

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libksba@1.3.5-7.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libksba package and not the libksba package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Libksba before 1.6.3 is prone to an integer overflow vulnerability in the CRL signature parser.

Remediation

Upgrade RHEL:8 libksba to version 0:1.3.5-9.el8_7 or higher.
This issue was patched in RHSA-2023:0625.

high severity

Authentication Bypass by Primary Weakness

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8
  • Fixed in: 0:3.6.8-51.el8_8.2

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as "not connected" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)

Remediation

Upgrade RHEL:8 platform-python to version 0:3.6.8-51.el8_8.2 or higher.
This issue was patched in RHSA-2023:5997.

high severity

Authentication Bypass by Primary Weakness

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8
  • Fixed in: 0:3.6.8-51.el8_8.2

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as "not connected" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)

Remediation

Upgrade RHEL:8 python3-libs to version 0:3.6.8-51.el8_8.2 or higher.
This issue was patched in RHSA-2023:5997.

high severity (new)

Improper Validation of Specified Quantity in Input

  • Vulnerable module: gnutls
  • Introduced through: gnutls@3.6.16-4.el8
  • Fixed in: 0:3.6.16-8.el8_10.6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 gnutls@3.6.16-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls package and not the gnutls package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in gnutls. When validating certificates, an oversized Subject Alternative Name (SAN) could cause the validation process to incorrectly fall back to checking the Common Name (CN) field. This could allow a remote attacker to bypass proper certificate validation, potentially leading to spoofing or man-in-the-middle attacks.

Remediation

Upgrade RHEL:8 gnutls to version 0:3.6.16-8.el8_10.6 or higher.
This issue was patched in RHSA-2026:20611.

high severity (new)

Improper Validation of Specified Quantity in Input

  • Vulnerable module: gnutls
  • Introduced through: gnutls@3.6.16-4.el8
  • Fixed in: 0:3.6.16-8.el8_10.6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 gnutls@3.6.16-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls package and not the gnutls package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in libgnutls. A remote attacker, by sending an extremely short premaster secret during an RSA key exchange to a server using an RSA key backed by a PKCS#11 token, could trigger a short heap overread. This memory corruption vulnerability could lead to information disclosure.

Remediation

Upgrade RHEL:8 gnutls to version 0:3.6.16-8.el8_10.6 or higher.
This issue was patched in RHSA-2026:20611.

References

high severity

Out-of-Bounds

  • Vulnerable module: zlib
  • Introduced through: zlib@1.2.11-17.el8
  • Fixed in: 0:1.2.11-18.el8_5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 zlib@1.2.11-17.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream zlib package and not the zlib package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.

Remediation

Upgrade RHEL:8 zlib to version 0:1.2.11-18.el8_5 or higher.
This issue was patched in RHSA-2022:1642.

References

high severity

Use After Free

  • Vulnerable module: expat
  • Introduced through: expat@2.2.5-4.el8
  • Fixed in: 0:2.2.5-8.el8_6.3

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 expat@2.2.5-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c.

Remediation

Upgrade RHEL:8 expat to version 0:2.2.5-8.el8_6.3 or higher.
This issue was patched in RHSA-2022:6878.

References

high severity

Out-of-bounds Write

  • Vulnerable module: freetype
  • Introduced through: freetype@2.9.1-4.el8_3.1
  • Fixed in: 0:2.9.1-10.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 freetype@2.9.1-4.el8_3.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream freetype package and not the freetype package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.

Remediation

Upgrade RHEL:8 freetype to version 0:2.9.1-10.el8_10 or higher.
This issue was patched in RHSA-2025:3421.

References

high severity

Use After Free

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.7-9.el8_4.2
  • Fixed in: 0:2.9.7-19.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libxml2@2.9.7-9.el8_4.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a use-after-free in xmlSchemaIDCFillNodeTables and xmlSchemaBubbleIDCNodeTables in xmlschemas.c. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.

Remediation

Upgrade RHEL:8 libxml2 to version 0:2.9.7-19.el8_10 or higher.
This issue was patched in RHSA-2025:2686.

References

high severity
new

Expired Pointer Dereference

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: A specially crafted PKCS#7 or S/MIME signed message could trigger a use-after-free during PKCS#7 signature verification.

Impact summary: A use-after-free may result in process crashes, heap corruption, or potentially remote code execution.

When processing a PKCS#7 or S/MIME signed message, if the SignedData digestAlgorithms field is present as an empty ASN.1 SET, OpenSSL may incorrectly free a caller-owned BIO during PKCS7_verify(). A subsequent use of the BIO by the calling application results in a use-after-free condition.

In the common case this occurs when the application later calls BIO_free() on the BIO originally passed to PKCS7_verify(). Depending on allocator behavior and application-specific BIO usage patterns, this may result in a crash or other memory corruption. In some application contexts this may potentially be exploitable for remote code execution.

Applications that process PKCS#7 or S/MIME signed messages using OpenSSL PKCS#7 APIs may be affected. Applications using the CMS APIs for this processing are not affected.

The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Remediation

There is no fixed version for RHEL:8 openssl.

References

high severity
new

Expired Pointer Dereference

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl-libs@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: A specially crafted PKCS#7 or S/MIME signed message could trigger a use-after-free during PKCS#7 signature verification.

Impact summary: A use-after-free may result in process crashes, heap corruption, or potentially remote code execution.

When processing a PKCS#7 or S/MIME signed message, if the SignedData digestAlgorithms field is present as an empty ASN.1 SET, OpenSSL may incorrectly free a caller-owned BIO during PKCS7_verify(). A subsequent use of the BIO by the calling application results in a use-after-free condition.

In the common case this occurs when the application later calls BIO_free() on the BIO originally passed to PKCS7_verify(). Depending on allocator behavior and application-specific BIO usage patterns, this may result in a crash or other memory corruption. In some application contexts this may potentially be exploitable for remote code execution.

Applications that process PKCS#7 or S/MIME signed messages using OpenSSL PKCS#7 APIs may be affected. Applications using the CMS APIs for this processing are not affected.

The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Remediation

There is no fixed version for RHEL:8 openssl-libs.

References

high severity

Expired Pointer Dereference

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8
  • Fixed in: 0:3.6.8-76.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Use-after-free (UAF) was possible in the lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile when a memory allocation fails with a MemoryError and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.

The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a MemoryError is raised during decompression. The one-shot helper functions that decompress data in a single call, such as lzma.decompress(), bz2.decompress(), gzip.decompress(), and zlib.decompress(), are not affected, as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.

Remediation

Upgrade RHEL:8 platform-python to version 0:3.6.8-76.el8_10 or higher.
This issue was patched in RHSA-2026:11077.

References

high severity

Expired Pointer Dereference

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8
  • Fixed in: 0:3.6.8-76.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Use-after-free (UAF) was possible in the lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile when a memory allocation fails with a MemoryError and the decompression instance is re-used. This scenario can be triggered if the process is under memory pressure. The fix cleans up the dangling pointer in this specific error condition.

The vulnerability is only present if the program re-uses decompressor instances across multiple decompression calls even after a MemoryError is raised during decompression. The one-shot helper functions that decompress data in a single call, such as lzma.decompress(), bz2.decompress(), gzip.decompress(), and zlib.decompress(), are not affected, as a new decompressor instance is used per call. If the decompressor instance is not re-used after an error condition, this usage is similarly not vulnerable.

Remediation

Upgrade RHEL:8 python3-libs to version 0:3.6.8-76.el8_10 or higher.
This issue was patched in RHSA-2026:11077.

References

high severity

Improper Authentication

  • Vulnerable module: cups-libs
  • Introduced through: cups-libs@1:2.2.6-40.el8
  • Fixed in: 1:2.2.6-63.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 cups-libs@1:2.2.6-40.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream cups-libs package and not the cups-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.12 and earlier, when the AuthType is set to anything but Basic, if the request contains an Authorization: Basic ... header, the password is not checked. This results in authentication bypass. Any configuration that allows an AuthType that is not Basic is affected. Version 2.4.13 fixes the issue.

Remediation

Upgrade RHEL:8 cups-libs to version 1:2.2.6-63.el8_10 or higher.
This issue was patched in RHSA-2025:15702.

References

high severity

Integer Overflow or Wraparound

  • Vulnerable module: expat
  • Introduced through: expat@2.2.5-4.el8
  • Fixed in: 0:2.2.5-4.el8_5.3

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 expat@2.2.5-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize.

Remediation

Upgrade RHEL:8 expat to version 0:2.2.5-4.el8_5.3 or higher.
This issue was patched in RHSA-2022:0951.

References

high severity

Heap-based Buffer Overflow

  • Vulnerable module: glibc
  • Introduced through: glibc@2.28-164.el8
  • Fixed in: 0:2.28-225.el8_8.6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.

Remediation

Upgrade RHEL:8 glibc to version 0:2.28-225.el8_8.6 or higher.
This issue was patched in RHSA-2023:5455.

References

high severity

Heap-based Buffer Overflow

  • Vulnerable module: glibc-common
  • Introduced through: glibc-common@2.28-164.el8
  • Fixed in: 0:2.28-225.el8_8.6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-common@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-common package and not the glibc-common package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.

Remediation

Upgrade RHEL:8 glibc-common to version 0:2.28-225.el8_8.6 or higher.
This issue was patched in RHSA-2023:5455.

References

high severity

Heap-based Buffer Overflow

  • Vulnerable module: glibc-langpack-en
  • Introduced through: glibc-langpack-en@2.28-164.el8
  • Fixed in: 0:2.28-225.el8_8.6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-langpack-en@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-langpack-en package and not the glibc-langpack-en package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.

Remediation

Upgrade RHEL:8 glibc-langpack-en to version 0:2.28-225.el8_8.6 or higher.
This issue was patched in RHSA-2023:5455.

References

high severity

Heap-based Buffer Overflow

  • Vulnerable module: glibc-minimal-langpack
  • Introduced through: glibc-minimal-langpack@2.28-164.el8
  • Fixed in: 0:2.28-225.el8_8.6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-minimal-langpack@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-minimal-langpack package and not the glibc-minimal-langpack package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.

Remediation

Upgrade RHEL:8 glibc-minimal-langpack to version 0:2.28-225.el8_8.6 or higher.
This issue was patched in RHSA-2023:5455.

References

high severity

Duplicate Operations on Resource

  • Vulnerable module: gnupg2
  • Introduced through: gnupg2@2.2.20-2.el8
  • Fixed in: 0:2.2.20-4.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 gnupg2@2.2.20-2.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnupg2 package and not the gnupg2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

In GnuPG before 2.4.9, armor_filter in g10/armor.c has two increments of an index variable where one is intended, leading to an out-of-bounds write for crafted input. (For ExtendedLTS, 2.2.51 and later are fixed versions.)

Remediation

Upgrade RHEL:8 gnupg2 to version 0:2.2.20-4.el8_10 or higher.
This issue was patched in RHSA-2026:0728.

References

high severity

Integer Overflow or Wraparound

  • Vulnerable module: libarchive
  • Introduced through: libarchive@3.3.3-1.el8
  • Fixed in: 0:3.3.3-6.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libarchive@3.3.3-1.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libarchive package and not the libarchive package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A vulnerability has been identified in the libarchive library, specifically within the archive_read_format_rar_seek_data() function. This flaw involves an integer overflow that can ultimately lead to a double-free condition. Exploiting a double-free vulnerability can result in memory corruption, enabling an attacker to execute arbitrary code or cause a denial-of-service condition.

Remediation

Upgrade RHEL:8 libarchive to version 0:3.3.3-6.el8_10 or higher.
This issue was patched in RHSA-2025:14135.

References

high severity

Stack-based Buffer Overflow

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.7-9.el8_4.2
  • Fixed in: 0:2.9.7-19.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libxml2@2.9.7-9.el8_4.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a stack-based buffer overflow in xmlSnprintfElements in valid.c. To exploit this, DTD validation must occur for an untrusted document or untrusted DTD. NOTE: this is similar to CVE-2017-9047.

Remediation

Upgrade RHEL:8 libxml2 to version 0:2.9.7-19.el8_10 or higher.
This issue was patched in RHSA-2025:2686.

References

high severity

Use After Free

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.7-9.el8_4.2
  • Fixed in: 0:2.9.7-21.el8_10.2

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libxml2@2.9.7-9.el8_4.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in libxslt where the attribute type, atype, flags are modified in a way that corrupts internal memory management. When XSLT functions, such as the key() process, result in tree fragments, this corruption prevents the proper cleanup of ID attributes. As a result, the system may access freed memory, causing crashes or enabling attackers to trigger heap corruption.

Remediation

Upgrade RHEL:8 libxml2 to version 0:2.9.7-21.el8_10.2 or higher.
This issue was patched in RHSA-2025:12450.

References

high severity

Symlink Following

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8
  • Fixed in: 0:3.6.8-62.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An issue was found in the CPython tempfile.TemporaryDirectory class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.

The tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users who can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.

Remediation

Upgrade RHEL:8 platform-python to version 0:3.6.8-62.el8_10 or higher.
This issue was patched in RHSA-2024:3347.

References

high severity

Symlink Following

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8
  • Fixed in: 0:3.6.8-62.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An issue was found in the CPython tempfile.TemporaryDirectory class affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.

The tempfile.TemporaryDirectory class would dereference symlinks during cleanup of permissions-related errors. This means users who can run privileged programs are potentially able to modify permissions of files referenced by symlinks in some circumstances.

Remediation

Upgrade RHEL:8 python3-libs to version 0:3.6.8-62.el8_10 or higher.
This issue was patched in RHSA-2024:3347.

References

high severity

Numeric Truncation Error

  • Vulnerable module: sqlite-libs
  • Introduced through: sqlite-libs@3.26.0-15.el8
  • Fixed in: 0:3.26.0-20.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 sqlite-libs@3.26.0-15.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream sqlite-libs package and not the sqlite-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue. We recommend upgrading to version 3.50.2 or above.

Remediation

Upgrade RHEL:8 sqlite-libs to version 0:3.26.0-20.el8_10 or higher.
This issue was patched in RHSA-2025:12010.

References

high severity

Out-of-Bounds

  • Vulnerable module: glibc
  • Introduced through: glibc@2.28-164.el8
  • Fixed in: 0:2.28-251.el8_10.2

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

nscd: Stack-based buffer overflow in netgroup cache

If the Name Service Cache Daemon's (nscd) fixed-size cache is exhausted by client requests, then a subsequent client request for netgroup data may result in a stack-based buffer overflow. This flaw was introduced in glibc 2.15 when the cache was added to nscd.

This vulnerability is only present in the nscd binary.

Remediation

Upgrade RHEL:8 glibc to version 0:2.28-251.el8_10.2 or higher.
This issue was patched in RHSA-2024:3344.

References

high severity

Out-of-Bounds

  • Vulnerable module: glibc-common
  • Introduced through: glibc-common@2.28-164.el8
  • Fixed in: 0:2.28-251.el8_10.2

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-common@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-common package and not the glibc-common package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

nscd: Stack-based buffer overflow in netgroup cache

If the Name Service Cache Daemon's (nscd) fixed-size cache is exhausted by client requests, then a subsequent client request for netgroup data may result in a stack-based buffer overflow. This flaw was introduced in glibc 2.15 when the cache was added to nscd.

This vulnerability is only present in the nscd binary.

Remediation

Upgrade RHEL:8 glibc-common to version 0:2.28-251.el8_10.2 or higher.
This issue was patched in RHSA-2024:3344.

References

high severity

Out-of-Bounds

  • Vulnerable module: glibc-langpack-en
  • Introduced through: glibc-langpack-en@2.28-164.el8
  • Fixed in: 0:2.28-251.el8_10.2

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-langpack-en@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-langpack-en package and not the glibc-langpack-en package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

nscd: Stack-based buffer overflow in netgroup cache

If the Name Service Cache Daemon's (nscd) fixed-size cache is exhausted by client requests, then a subsequent client request for netgroup data may result in a stack-based buffer overflow. This flaw was introduced in glibc 2.15 when the cache was added to nscd.

This vulnerability is only present in the nscd binary.

Remediation

Upgrade RHEL:8 glibc-langpack-en to version 0:2.28-251.el8_10.2 or higher.
This issue was patched in RHSA-2024:3344.

References

high severity

Out-of-Bounds

  • Vulnerable module: glibc-minimal-langpack
  • Introduced through: glibc-minimal-langpack@2.28-164.el8
  • Fixed in: 0:2.28-251.el8_10.2

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-minimal-langpack@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-minimal-langpack package and not the glibc-minimal-langpack package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

nscd: Stack-based buffer overflow in netgroup cache

If the Name Service Cache Daemon's (nscd) fixed-size cache is exhausted by client requests, then a subsequent client request for netgroup data may result in a stack-based buffer overflow. This flaw was introduced in glibc 2.15 when the cache was added to nscd.

This vulnerability is only present in the nscd binary.

Remediation

Upgrade RHEL:8 glibc-minimal-langpack to version 0:2.28-251.el8_10.2 or higher.
This issue was patched in RHSA-2024:3344.

References

high severity

Directory Traversal

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8
  • Fixed in: 0:3.6.8-70.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Allows modifying some file metadata (e.g. last modified) with filter="data" or file permissions (chmod) with filter="tar" of files outside the extraction directory. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information. Only Python versions 3.12 or later are affected by these vulnerabilities; earlier versions don't include the extraction filter feature.

Note that for Python 3.14 or later the default value of filter= changed from "no filtering" to "data", so if you are relying on this new default behavior then your usage is also affected.

Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives, as source distributions already allow arbitrary code execution during the build process. However, when evaluating source distributions it's important to avoid installing source distributions with suspicious links.

Remediation

Upgrade RHEL:8 platform-python to version 0:3.6.8-70.el8_10 or higher.
This issue was patched in RHSA-2025:10128.

References

high severity

Directory Traversal

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8
  • Fixed in: 0:3.6.8-70.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Allows arbitrary filesystem writes outside the extraction directory during extraction with filter="data".

You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information.

Note that for Python 3.14 or later the default value of filter= changed from "no filtering" to "data", so if you are relying on this new default behavior then your usage is also affected.

Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives, as source distributions already allow arbitrary code execution during the build process. However, when evaluating source distributions it's important to avoid installing source distributions with suspicious links.

Remediation

Upgrade RHEL:8 platform-python to version 0:3.6.8-70.el8_10 or higher.
This issue was patched in RHSA-2025:10128.

References

high severity

Directory Traversal

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8
  • Fixed in: 0:3.6.8-70.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Allows modifying some file metadata (e.g. last modified) with filter="data" or file permissions (chmod) with filter="tar" of files outside the extraction directory. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information. Only Python versions 3.12 or later are affected by these vulnerabilities; earlier versions don't include the extraction filter feature.

Note that for Python 3.14 or later the default value of filter= changed from "no filtering" to "data", so if you are relying on this new default behavior then your usage is also affected.

Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives, as source distributions already allow arbitrary code execution during the build process. However, when evaluating source distributions it's important to avoid installing source distributions with suspicious links.

Remediation

Upgrade RHEL:8 python3-libs to version 0:3.6.8-70.el8_10 or higher.
This issue was patched in RHSA-2025:10128.

References

high severity

Directory Traversal

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8
  • Fixed in: 0:3.6.8-70.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Allows arbitrary filesystem writes outside the extraction directory during extraction with filter="data".

You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information.

Note that for Python 3.14 or later the default value of filter= changed from "no filtering" to "data", so if you are relying on this new default behavior then your usage is also affected.

Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives, as source distributions already allow arbitrary code execution during the build process. However, when evaluating source distributions it's important to avoid installing source distributions with suspicious links.

Remediation

Upgrade RHEL:8 python3-libs to version 0:3.6.8-70.el8_10 or higher.
This issue was patched in RHSA-2025:10128.

References

high severity

Resource Exhaustion

  • Vulnerable module: brotli
  • Introduced through: brotli@1.0.6-3.el8
  • Fixed in: 0:1.0.6-4.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 brotli@1.0.6-3.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream brotli package and not the brotli package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Scrapy versions up to 2.13.2 are vulnerable to a denial of service (DoS) attack due to a flaw in its brotli decompression implementation. The protection mechanism against decompression bombs fails to mitigate the brotli variant, allowing remote servers to crash clients with less than 80GB of available memory. This occurs because brotli can achieve extremely high compression ratios for zero-filled data, leading to excessive memory consumption during decompression.

Remediation

Upgrade RHEL:8 brotli to version 0:1.0.6-4.el8_10 or higher.
This issue was patched in RHSA-2026:2389.

References

high severity
new

Algorithmic Complexity

  • Vulnerable module: expat
  • Introduced through: expat@2.2.5-4.el8
  • Fixed in: 0:2.5.0-2.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 expat@2.2.5-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

In libexpat before 2.8.1, the computational complexity of attribute name collision checks allows a denial of service via moderately sized crafted XML input.

Remediation

Upgrade RHEL:8 expat to version 0:2.5.0-2.el8_10 or higher.
This issue was patched in RHSA-2026:22721.

References

high severity

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

  • Vulnerable module: expat
  • Introduced through: expat@2.2.5-4.el8
  • Fixed in: 0:2.5.0-1.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 expat@2.2.5-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate).

Remediation

Upgrade RHEL:8 expat to version 0:2.5.0-1.el8_10 or higher.
This issue was patched in RHSA-2025:21776.

References

high severity

Improper Handling of Length Parameter Inconsistency

  • Vulnerable module: gnutls
  • Introduced through: gnutls@3.6.16-4.el8
  • Fixed in: 0:3.6.16-8.el8_10.6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 gnutls@3.6.16-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls package and not the gnutls package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A heap buffer overflow vulnerability exists in the DTLS handshake fragment reassembly logic of GnuTLS. The issue arises in merge_handshake_packet() where incoming handshake fragments are matched and merged based solely on handshake type, without validating that the message_length field remains consistent across all fragments of the same logical message. An attacker can exploit this by sending crafted DTLS fragments with conflicting message_length values, causing the implementation to allocate a buffer based on a smaller initial fragment and subsequently write beyond its bounds using larger, inconsistent fragments. Because the merge operation does not enforce proper bounds checking against the allocated buffer size, this results in an out-of-bounds write on the heap. The vulnerability is remotely exploitable without authentication via the DTLS handshake path and can lead to application crashes or potential memory corruption.

Remediation

Upgrade RHEL:8 gnutls to version 0:3.6.16-8.el8_10.6 or higher.
This issue was patched in RHSA-2026:20611.

References

high severity

Integer Underflow

  • Vulnerable module: gnutls
  • Introduced through: gnutls@3.6.16-4.el8
  • Fixed in: 0:3.6.16-8.el8_10.6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 gnutls@3.6.16-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls package and not the gnutls package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw in GnuTLS DTLS handshake parsing allows malformed fragments with zero length and non-zero offset, leading to an integer underflow during reassembly and resulting in an out-of-bounds read. This issue is remotely exploitable and may cause information disclosure or denial of service.

Remediation

Upgrade RHEL:8 gnutls to version 0:3.6.16-8.el8_10.6 or higher.
This issue was patched in RHSA-2026:20611.

References

high severity
new

Undefined Behavior for Input to API

  • Vulnerable module: gnutls
  • Introduced through: gnutls@3.6.16-4.el8
  • Fixed in: 0:3.6.16-8.el8_10.6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 gnutls@3.6.16-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls package and not the gnutls package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in gnutls. A remote attacker could exploit an issue in the Datagram Transport Layer Security (DTLS) packet reordering logic. The comparator function, responsible for ordering DTLS packets by sequence numbers, did not correctly handle packets with duplicate sequence numbers. This could lead to unstable packet ordering or undefined behavior, resulting in a denial of service.

Remediation

Upgrade RHEL:8 gnutls to version 0:3.6.16-8.el8_10.6 or higher.
This issue was patched in RHSA-2026:20611.

References

high severity

Incorrect Behavior Order: Early Validation

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.15.0.9-2.el8_5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.15.0.9-2.el8_5 or higher.
This issue was patched in RHSA-2022:1442.

References

high severity

Integer Coercion Error

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.16.0.8-1.el8_6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.16.0.8-1.el8_6 or higher.
This issue was patched in RHSA-2022:5683.

References

high severity

Integer Overflow or Wraparound

  • Vulnerable module: libarchive
  • Introduced through: libarchive@3.3.3-1.el8
  • Fixed in: 0:3.3.3-7.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libarchive@3.3.3-1.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libarchive package and not the libarchive package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in libarchive. On 32-bit systems, an integer overflow vulnerability exists in the zisofs block pointer allocation logic. A remote attacker can exploit this by providing a specially crafted ISO9660 image, which can lead to a heap buffer overflow. This could potentially allow for arbitrary code execution on the affected system.

Remediation

Upgrade RHEL:8 libarchive to version 0:3.3.3-7.el8_10 or higher.
This issue was patched in RHSA-2026:8534.

References

high severity

Out-of-bounds Read

  • Vulnerable module: libarchive
  • Introduced through: libarchive@3.3.3-1.el8
  • Fixed in: 0:3.3.3-7.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libarchive@3.3.3-1.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libarchive package and not the libarchive package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in libarchive. This heap out-of-bounds read vulnerability exists in the RAR archive processing logic due to improper validation of the LZSS sliding window size after transitions between compression methods. A remote attacker can exploit this by providing a specially crafted RAR archive, leading to the disclosure of sensitive heap memory information without requiring authentication or user interaction.

Remediation

Upgrade RHEL:8 libarchive to version 0:3.3.3-7.el8_10 or higher.
This issue was patched in RHSA-2026:8534.

References

high severity

Reachable Assertion

  • Vulnerable module: libnghttp2
  • Introduced through: libnghttp2@1.33.0-3.el8_2.1
  • Fixed in: 0:1.33.0-6.el8_10.2

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libnghttp2@1.33.0-3.el8_2.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libnghttp2 package and not the libnghttp2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API nghttp2_session_terminate_session or nghttp2_session_terminate_session2 is called by the application. They might be called internally by the library when it detects the situation that is subject to connection error. Due to the missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Then receiving a malformed frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2 v1.68.1 adds missing state validation to avoid assertion failure. No known workarounds are available.

Remediation

Upgrade RHEL:8 libnghttp2 to version 0:1.33.0-6.el8_10.2 or higher.
This issue was patched in RHSA-2026:7667.

References

high severity

Resource Exhaustion

  • Vulnerable module: libnghttp2
  • Introduced through: libnghttp2@1.33.0-3.el8_2.1
  • Fixed in: 0:1.33.0-5.el8_8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libnghttp2@1.33.0-3.el8_2.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libnghttp2 package and not the libnghttp2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Remediation

Upgrade RHEL:8 libnghttp2 to version 0:1.33.0-5.el8_8 or higher.
This issue was patched in RHSA-2023:5837.
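Every entry on this page ends with the same instruction, upgrade the RHEL 8 package to a given epoch:version-release, and one package can carry several of them: libnghttp2 is fixed at 0:1.33.0-5.el8_8 for the Resource Exhaustion entry but at 0:1.33.0-6.el8_10.2 for the Reachable Assertion entry above it, so the installed build has to reach the highest release named, not just one of them. Whether an image is actually fixed is therefore a question of RPM version ordering, not of string comparison. The following is an added example, not Snyk's or Red Hat's code and not part of this report: a Python port of the segment ordering used by rpm's rpmvercmp(), applied to a constructed sample of rpm -qa output against "Fixed in" values quoted from entries on this page.

```python
"""Check installed RHEL 8 RPMs against the "Fixed in" versions on this page.

Added example, not Snyk's or Red Hat's code: a Python port of rpm's
rpmvercmp() so EVR strings such as "1:1.1.1k-9.el8_7" compare as rpm does.
"""
from functools import cmp_to_key


def rpmvercmp(a, b):
    """Compare two version (or release) strings like rpm's rpmvercmp()."""
    i = j = 0
    while i < len(a) or j < len(b):
        # separators (".", "_", "+", ...) carry no meaning of their own
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        a_tilde = i < len(a) and a[i] == "~"
        b_tilde = j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:        # "~" sorts before anything, even the end
            if a_tilde != b_tilde:
                return 1 if b_tilde else -1
            i, j = i + 1, j + 1
            continue
        a_caret = i < len(a) and a[i] == "^"
        b_caret = j < len(b) and b[j] == "^"
        if a_caret or b_caret:        # "^" is newer than the bare base only
            if i >= len(a) or j >= len(b):
                return -1 if i >= len(a) else 1
            if a_caret != b_caret:
                return 1 if b_caret else -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # take a run of digits or of letters (a's type) from both sides
        isnum = a[i].isdigit()
        same = str.isdigit if isnum else str.isalpha
        si, sj = i, j
        while i < len(a) and same(a[i]):
            i += 1
        while j < len(b) and same(b[j]):
            j += 1
        sa, sb = a[si:i], b[sj:j]
        if not sb:                    # type mismatch: the numeric segment wins
            return 1 if isnum else -1
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):    # longer number is larger
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1   # the side with segments left is newer


def parse_evr(evr):
    """Split 'epoch:version-release'; a missing epoch means 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.rpartition("-")
    return int(epoch), version, release


def evr_cmp(a, b):
    """Order two EVR strings: epoch first, then version, then release."""
    (ea, va, ra), (eb, vb, rb) = parse_evr(a), parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


# "Fixed in" values quoted from entries on this page (several per package).
FIXED_IN = {
    "libnghttp2": ["0:1.33.0-6.el8_10.2", "0:1.33.0-5.el8_8"],
    "openssl": ["1:1.1.1k-9.el8_7", "1:1.1.1k-6.el8_5"],
    "python3-libs": ["0:3.6.8-70.el8_10", "0:3.6.8-51.el8_8.1"],
    "expat": ["0:2.5.0-2.el8_10", "0:2.5.0-1.el8_10"],
}

# Constructed sample of: rpm -qa --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n'
# run in the container; rpm prints "(none)" for a package without an epoch.
SAMPLE_RPM_QA = """\
libnghttp2 (none):1.33.0-5.el8_8
openssl 1:1.1.1k-4.el8
python3-libs (none):3.6.8-41.el8
expat (none):2.5.0-2.el8_10
"""


def required_fix(name, fixed_in=FIXED_IN):
    """Highest fixed-in EVR listed for a package."""
    return max(fixed_in[name], key=cmp_to_key(evr_cmp))


def audit(rpm_qa_output, fixed_in=FIXED_IN):
    """Return {package: (installed, required)} for packages still below the fix."""
    stale = {}
    for line in rpm_qa_output.splitlines():
        name, evr = line.split()
        evr = evr.replace("(none):", "0:")
        if name in fixed_in:
            need = required_fix(name, fixed_in)
            if evr_cmp(evr, need) < 0:
                stale[name] = (evr, need)
    return stale
```

Run the rpm query inside the container (for example docker run --rm --entrypoint rpm jboss/keycloak:16.1.0 -qa --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n', assuming the image ships the rpm binary) and feed its output to audit(); every package it returns is still below the release this page names for it. In the sample, libnghttp2 satisfies the older 0:1.33.0-5.el8_8 fix but not the newer one, so it is reported. Leading zeros in numeric segments are ignored and longer numbers win, so 1.33.0-10.el8 sorts after 1.33.0-9.el8; the tilde and caret rules only matter for pre-release and snapshot builds but are kept so the port matches rpm.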

References

high severity

Out-of-bounds Write

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.7-9.el8_4.2
  • Fixed in: 0:2.9.7-21.el8_10.1

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libxml2@2.9.7-9.el8_4.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in libxml2's xmlBuildQName function, where integer overflows in buffer size calculations can lead to a stack-based buffer overflow. This issue can result in memory corruption or a denial of service when processing crafted input.

Remediation

Upgrade RHEL:8 libxml2 to version 0:2.9.7-21.el8_10.1 or higher.
This issue was patched in RHSA-2025:10698.

References

high severity

Double Free

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.1.1k-4.el8
  • Fixed in: 1:1.1.1k-9.el8_7

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack.

The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected.

These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0.

The OpenSSL asn1parse command line application is also impacted by this issue.

Remediation

Upgrade RHEL:8 openssl to version 1:1.1.1k-9.el8_7 or higher.
This issue was patched in RHSA-2023:1405.

References

high severity

Loop with Unreachable Exit Condition ('Infinite Loop')

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.1.1k-4.el8
  • Fixed in: 1:1.1.1k-6.el8_5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).

Remediation

Upgrade RHEL:8 openssl to version 1:1.1.1k-6.el8_5 or higher.
This issue was patched in RHSA-2022:1065.

References

high severity

Use After Free

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.1.1k-4.el8
  • Fixed in: 1:1.1.1k-9.el8_7

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications.

The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO then a use-after-free will occur. This will most likely result in a crash.

This scenario occurs directly in the internal function B64_write_ASN1() which may cause BIO_new_NDEF() to be called and will subsequently call BIO_pop() on the BIO. This internal function is in turn called by the public API functions PEM_write_bio_ASN1_stream, PEM_write_bio_CMS_stream, PEM_write_bio_PKCS7_stream, SMIME_write_ASN1, SMIME_write_CMS and SMIME_write_PKCS7.

Other public API functions that may be impacted by this include i2d_ASN1_bio_stream, BIO_new_CMS, BIO_new_PKCS7, i2d_CMS_bio_stream and i2d_PKCS7_bio_stream.

The OpenSSL cms and smime command line applications are similarly affected.

Remediation

Upgrade RHEL:8 openssl to version 1:1.1.1k-9.el8_7 or higher.
This issue was patched in RHSA-2023:1405.

References

high severity

Double Free

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.1.1k-4.el8
  • Fixed in: 1:1.1.1k-9.el8_7

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl-libs@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack.

The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected.

These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0.

The OpenSSL asn1parse command line application is also impacted by this issue.

Remediation

Upgrade RHEL:8 openssl-libs to version 1:1.1.1k-9.el8_7 or higher.
This issue was patched in RHSA-2023:1405.

References

high severity

Loop with Unreachable Exit Condition ('Infinite Loop')

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.1.1k-4.el8
  • Fixed in: 1:1.1.1k-6.el8_5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl-libs@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).

Remediation

Upgrade RHEL:8 openssl-libs to version 1:1.1.1k-6.el8_5 or higher.
This issue was patched in RHSA-2022:1065.

References

high severity

Use After Free

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.1.1k-4.el8
  • Fixed in: 1:1.1.1k-9.el8_7

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl-libs@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications.

The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO then a use-after-free will occur. This will most likely result in a crash.

This scenario occurs directly in the internal function B64_write_ASN1() which may cause BIO_new_NDEF() to be called and will subsequently call BIO_pop() on the BIO. This internal function is in turn called by the public API functions PEM_write_bio_ASN1_stream, PEM_write_bio_CMS_stream, PEM_write_bio_PKCS7_stream, SMIME_write_ASN1, SMIME_write_CMS and SMIME_write_PKCS7.

Other public API functions that may be impacted by this include i2d_ASN1_bio_stream, BIO_new_CMS, BIO_new_PKCS7, i2d_CMS_bio_stream and i2d_PKCS7_bio_stream.

The OpenSSL cms and smime command line applications are similarly affected.

Remediation

Upgrade RHEL:8 openssl-libs to version 1:1.1.1k-9.el8_7 or higher.
This issue was patched in RHSA-2023:1405.

References

high severity

Directory Traversal

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8
  • Fixed in: 0:3.6.8-70.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata.

You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information.

Note that for Python 3.14 or later the default value of filter= changed from "no filtering" to "data", so if you are relying on this new default behavior then your usage is also affected.

Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.

Remediation

Upgrade RHEL:8 platform-python to version 0:3.6.8-70.el8_10 or higher.
This issue was patched in RHSA-2025:10128.

References

high severity

Improper Input Validation

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8
  • Fixed in: 0:3.6.8-51.el8_8.1

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.

Remediation

Upgrade RHEL:8 platform-python to version 0:3.6.8-51.el8_8.1 or higher.
This issue was patched in RHSA-2023:3591.

References

high severity

Use of Incorrectly-Resolved Name or Reference

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8
  • Fixed in: 0:3.6.8-70.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

When using a TarFile.errorlevel = 0 and extracting with a filter the documented behavior is that any filtered members would be skipped and not extracted. However the actual behavior of TarFile.errorlevel = 0 in affected versions is that the member would still be extracted and not skipped.

Remediation

Upgrade RHEL:8 platform-python to version 0:3.6.8-70.el8_10 or higher.
This issue was patched in RHSA-2025:10128.

References

high severity

Directory Traversal

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8
  • Fixed in: 0:3.6.8-70.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata.

You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information.

Note that for Python 3.14 or later the default value of filter= changed from "no filtering" to "data", so if you are relying on this new default behavior then your usage is also affected.

Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.

Remediation

Upgrade RHEL:8 python3-libs to version 0:3.6.8-70.el8_10 or higher.
This issue was patched in RHSA-2025:10128.

References

high severity

Improper Input Validation

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8
  • Fixed in: 0:3.6.8-51.el8_8.1

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.

Remediation

Upgrade RHEL:8 python3-libs to version 0:3.6.8-51.el8_8.1 or higher.
This issue was patched in RHSA-2023:3591.

References

high severity

Use of Incorrectly-Resolved Name or Reference

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8
  • Fixed in: 0:3.6.8-70.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

When using a TarFile.errorlevel = 0 and extracting with a filter the documented behavior is that any filtered members would be skipped and not extracted. However the actual behavior of TarFile.errorlevel = 0 in affected versions is that the member would still be extracted and not skipped.

Remediation

Upgrade RHEL:8 python3-libs to version 0:3.6.8-70.el8_10 or higher.
This issue was patched in RHSA-2025:10128.

References

high severity

Improper Certificate Validation

  • Vulnerable module: gnutls
  • Introduced through: gnutls@3.6.16-4.el8
  • Fixed in: 0:3.6.16-8.el8_10.6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 gnutls@3.6.16-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls package and not the gnutls package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in gnutls. This vulnerability occurs because permitted name constraints were incorrectly ignored when previous Certificate Authorities (CAs) only had excluded name constraints. A remote attacker could exploit this to bypass critical name constraint checks during certificate validation. This bypass could lead to the acceptance of invalid certificates, potentially enabling spoofing or man-in-the-middle attacks against affected systems.

Remediation

Upgrade RHEL:8 gnutls to version 0:3.6.16-8.el8_10.6 or higher.
This issue was patched in RHSA-2026:20611.

References

high severity

Covert Timing Channel

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.22.0.7-2.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.22.0.7-2.el8 or higher.
This issue was patched in RHSA-2024:0266.

References

high severity

CVE-2024-21147

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.24.0.8-3.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.24.0.8-3.el8 or higher.
This issue was patched in RHSA-2024:4567.

References

high severity

Improper Enforcement of Message Integrity During Transmission in a Communication Channel

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.19.0.7-1.el8_7

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.19.0.7-1.el8_7 or higher.
This issue was patched in RHSA-2023:1895.

References

high severity

Out-of-bounds Write

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.22.0.7-2.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.22.0.7-2.el8 or higher.
This issue was patched in RHSA-2024:0266.

References

high severity

Incorrect Type Conversion or Cast

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.1.1k-4.el8
  • Fixed in: 1:1.1.1k-9.el8_7

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING.

When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.

Remediation

Upgrade RHEL:8 openssl to version 1:1.1.1k-9.el8_7 or higher.
This issue was patched in RHSA-2023:1405.

References

high severity

Incorrect Type Conversion or Cast

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.1.1k-4.el8
  • Fixed in: 1:1.1.1k-9.el8_7

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl-libs@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING.

When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.

Remediation

Upgrade RHEL:8 openssl-libs to version 1:1.1.1k-9.el8_7 or higher.
This issue was patched in RHSA-2023:1405.

References

high severity

Directory Traversal

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8
  • Fixed in: 0:3.6.8-70.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata.

You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information.

Note that for Python 3.14 or later the default value of filter= changed from "no filtering" to "data", so if you are relying on this new default behavior then your usage is also affected.

Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.

Remediation

Upgrade RHEL:8 platform-python to version 0:3.6.8-70.el8_10 or higher.
This issue was patched in RHSA-2025:10128.

References

high severity

Directory Traversal

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8
  • Fixed in: 0:3.6.8-70.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata.

You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information.

Note that for Python 3.14 or later the default value of filter= changed from "no filtering" to "data", so if you are relying on this new default behavior then your usage is also affected.

Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.

Remediation

Upgrade RHEL:8 python3-libs to version 0:3.6.8-70.el8_10 or higher.
This issue was patched in RHSA-2025:10128.

References

high severity

Improper Certificate Validation

  • Vulnerable module: gnutls
  • Introduced through: gnutls@3.6.16-4.el8
  • Fixed in: 0:3.6.16-8.el8_10.6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 gnutls@3.6.16-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls package and not the gnutls package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted certificate that contains Uniform Resource Identifier (URI) or Service (SRV) Subject Alternative Names (SANs). This could cause the certificate validation process to incorrectly fall back to checking DNS hostnames against the Common Name (CN), potentially allowing the attacker to spoof legitimate services or intercept sensitive information.

Remediation

Upgrade RHEL:8 gnutls to version 0:3.6.16-8.el8_10.6 or higher.
This issue was patched in RHSA-2026:20611.

References

high severity

Improper Null Termination

  • Vulnerable module: gnutls
  • Introduced through: gnutls@3.6.16-4.el8
  • Fixed in: 0:3.6.16-8.el8_10.6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 gnutls@3.6.16-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls package and not the gnutls package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in gnutls. Servers configured with RSA-PSK (Rivest–Shamir–Adleman – Pre-Shared Key) wrongfully matched usernames containing a NUL character with truncated usernames. A remote attacker could exploit this by sending a specially crafted username, leading to an authentication bypass. This vulnerability allows an attacker to gain unauthorized access by circumventing the authentication process.

Remediation

Upgrade RHEL:8 gnutls to version 0:3.6.16-8.el8_10.6 or higher.
This issue was patched in RHSA-2026:20611.

References

high severity

Out-of-bounds Read

  • Vulnerable module: libpng
  • Introduced through: libpng@2:1.6.34-5.el8
  • Fixed in: 2:1.6.34-9.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libpng@2:1.6.34-5.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libpng package and not the libpng package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, an out-of-bounds read vulnerability exists in png_image_read_composite when processing palette images with PNG_FLAG_OPTIMIZE_ALPHA enabled. The palette compositing code in png_init_read_transformations incorrectly applies background compositing during premultiplication, violating the invariant component ≤ alpha × 257 required by the simplified PNG API. This issue has been patched in version 1.6.51.

Remediation

Upgrade RHEL:8 libpng to version 2:1.6.34-9.el8_10 or higher.
This issue was patched in RHSA-2026:0241.

References

high severity

Out-of-bounds Read

  • Vulnerable module: libpng
  • Introduced through: libpng@2:1.6.34-5.el8
  • Fixed in: 2:1.6.34-9.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libpng@2:1.6.34-5.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libpng package and not the libpng package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.52, an out-of-bounds read vulnerability in libpng's simplified API allows reading up to 1012 bytes beyond the png_sRGB_base[512] array when processing valid palette PNG images with partial transparency and gamma correction. The PNG files that trigger this vulnerability are valid per the PNG specification; the bug is in libpng's internal state management. Upgrade to libpng 1.6.52 or later.

Remediation

Upgrade RHEL:8 libpng to version 2:1.6.34-9.el8_10 or higher.
This issue was patched in RHSA-2026:0241.

References

high severity

Out-of-bounds Write

  • Vulnerable module: libpng
  • Introduced through: libpng@2:1.6.34-5.el8
  • Fixed in: 2:1.6.34-9.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libpng@2:1.6.34-5.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libpng package and not the libpng package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, there is a heap buffer overflow vulnerability in the libpng simplified API function png_image_finish_read when processing 16-bit interlaced PNGs with 8-bit output format. Attacker-crafted interlaced PNG files cause heap writes beyond allocated buffer bounds. This issue has been patched in version 1.6.51.

Remediation

Upgrade RHEL:8 libpng to version 2:1.6.34-9.el8_10 or higher.
This issue was patched in RHSA-2026:0241.

References

high severity

Out-of-bounds Write

  • Vulnerable module: libpng
  • Introduced through: libpng@2:1.6.34-5.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libpng@2:1.6.34-5.el8

NVD Description

This vulnerability has not been analyzed by NVD yet.

Remediation

There is no fixed version for RHEL:8 libpng.

References

high severity

Arbitrary Argument Injection

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8
  • Fixed in: 0:3.6.8-75.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().

Remediation

Upgrade RHEL:8 platform-python to version 0:3.6.8-75.el8_10 or higher.
This issue was patched in RHSA-2026:6473.

References

high severity

Arbitrary Argument Injection

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8
  • Fixed in: 0:3.6.8-76.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Mitigation of CVE-2026-4519 was incomplete. If the URL contained "%action", the mitigation could be bypassed for certain browser types, and the "webbrowser.open()" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.

Remediation

Upgrade RHEL:8 platform-python to version 0:3.6.8-76.el8_10 or higher.
This issue was patched in RHSA-2026:11077.

References

high severity

Arbitrary Argument Injection

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8
  • Fixed in: 0:3.6.8-75.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().

Remediation

Upgrade RHEL:8 python3-libs to version 0:3.6.8-75.el8_10 or higher.
This issue was patched in RHSA-2026:6473.

References

high severity

Arbitrary Argument Injection

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8
  • Fixed in: 0:3.6.8-76.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Mitigation of CVE-2026-4519 was incomplete. If the URL contained "%action", the mitigation could be bypassed for certain browser types, and the "webbrowser.open()" API could have commands injected into the underlying shell. See CVE-2026-4519 for details.

Remediation

Upgrade RHEL:8 python3-libs to version 0:3.6.8-76.el8_10 or higher.
This issue was patched in RHSA-2026:11077.

References

high severity

Out-of-bounds Read

  • Vulnerable module: libpng
  • Introduced through: libpng@2:1.6.34-5.el8
  • Fixed in: 2:1.6.34-10.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libpng@2:1.6.34-5.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libpng package and not the libpng package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.55, an out-of-bounds read vulnerability exists in the png_set_quantize() API function. When the function is called with no histogram and the number of colors in the palette is more than twice the maximum supported by the user's display, certain palettes will cause the function to enter into an infinite loop that reads past the end of an internal heap-allocated buffer. The images that trigger this vulnerability are valid per the PNG specification. This vulnerability is fixed in 1.6.55.

Remediation

Upgrade RHEL:8 libpng to version 2:1.6.34-10.el8_10 or higher.
This issue was patched in RHSA-2026:4728.

References

high severity

Authentication Bypass

  • Vulnerable module: cups-libs
  • Introduced through: cups-libs@1:2.2.6-40.el8
  • Fixed in: 1:2.2.6-45.el8_6.2

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 cups-libs@1:2.2.6-40.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream cups-libs package and not the cups-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A logic issue was addressed with improved state management. This issue is fixed in Security Update 2022-003 Catalina, macOS Monterey 12.3, macOS Big Sur 11.6.5. An application may be able to gain elevated privileges.

Remediation

Upgrade RHEL:8 cups-libs to version 1:2.2.6-45.el8_6.2 or higher.
This issue was patched in RHSA-2022:5056.

References

high severity

Time-of-check Time-of-use (TOCTOU)

  • Vulnerable module: libcap
  • Introduced through: libcap@2.26-5.el8
  • Fixed in: 0:2.48-6.el8_10.1

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libcap@2.26-5.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcap package and not the libcap package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in libcap. A local unprivileged user can exploit a Time-of-check-to-time-of-use (TOCTOU) race condition in the cap_set_file() function. This allows an attacker with write access to a parent directory to redirect file capability updates to an attacker-controlled file. By doing so, capabilities can be injected into or stripped from unintended executables, leading to privilege escalation.

Remediation

Upgrade RHEL:8 libcap to version 0:2.48-6.el8_10.1 or higher.
This issue was patched in RHSA-2026:13285.

References

high severity

Out-of-bounds Read

  • Vulnerable module: libpng
  • Introduced through: libpng@2:1.6.34-5.el8
  • Fixed in: 2:1.6.34-10.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libpng@2:1.6.34-5.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libpng package and not the libpng package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.26 to 1.6.53, an integer truncation in the libpng simplified write API functions png_write_image_16bit and png_write_image_8bit causes a heap buffer over-read when the caller provides a negative row stride (for bottom-up image layouts) or a stride exceeding 65535 bytes. The bug was introduced in libpng 1.6.26 (October 2016) by casts added to silence compiler warnings on 16-bit systems. This vulnerability is fixed in 1.6.54.

Remediation

Upgrade RHEL:8 libpng to version 2:1.6.34-10.el8_10 or higher.
This issue was patched in RHSA-2026:4728.

References

high severity

Information Exposure

  • Vulnerable module: cups-libs
  • Introduced through: cups-libs@1:2.2.6-40.el8
  • Fixed in: 1:2.2.6-51.el8_8.1

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 cups-libs@1:2.2.6-40.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream cups-libs package and not the cups-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An authentication issue was addressed with improved state management. This issue is fixed in macOS Big Sur 11.7.7, macOS Monterey 12.6.6, macOS Ventura 13.4. An unauthenticated user may be able to access recently printed documents.

Remediation

Upgrade RHEL:8 cups-libs to version 1:2.2.6-51.el8_8.1 or higher.
This issue was patched in RHSA-2023:4864.

References

high severity

Integer Overflow or Wraparound

  • Vulnerable module: expat
  • Introduced through: expat@2.2.5-4.el8
  • Fixed in: 0:2.5.0-1.el8_10

high severity

Stack-based Buffer Overflow

  • Vulnerable module: glibc
  • Introduced through: glibc@2.28-164.el8
  • Fixed in: 0:2.28-225.el8_8.6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in glibc. When the getaddrinfo function is called with the AF_UNSPEC address family and the system is configured with no-aaaa mode via /etc/resolv.conf, a DNS response via TCP larger than 2048 bytes can potentially disclose stack contents through the address data the function returns, and may cause a crash.

Remediation

Upgrade RHEL:8 glibc to version 0:2.28-225.el8_8.6 or higher.
This issue was patched in RHSA-2023:5455.

References

high severity

Stack-based Buffer Overflow

  • Vulnerable module: glibc-common
  • Introduced through: glibc-common@2.28-164.el8
  • Fixed in: 0:2.28-225.el8_8.6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-common@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-common package and not the glibc-common package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in glibc. When the getaddrinfo function is called with the AF_UNSPEC address family and the system is configured with no-aaaa mode via /etc/resolv.conf, a DNS response via TCP larger than 2048 bytes can potentially disclose stack contents through the address data the function returns, and may cause a crash.

Remediation

Upgrade RHEL:8 glibc-common to version 0:2.28-225.el8_8.6 or higher.
This issue was patched in RHSA-2023:5455.

References

high severity

Stack-based Buffer Overflow

  • Vulnerable module: glibc-langpack-en
  • Introduced through: glibc-langpack-en@2.28-164.el8
  • Fixed in: 0:2.28-225.el8_8.6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-langpack-en@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-langpack-en package and not the glibc-langpack-en package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in glibc. When the getaddrinfo function is called with the AF_UNSPEC address family and the system is configured with no-aaaa mode via /etc/resolv.conf, a DNS response via TCP larger than 2048 bytes can potentially disclose stack contents through the address data the function returns, and may cause a crash.

Remediation

Upgrade RHEL:8 glibc-langpack-en to version 0:2.28-225.el8_8.6 or higher.
This issue was patched in RHSA-2023:5455.

References

high severity

Stack-based Buffer Overflow

  • Vulnerable module: glibc-minimal-langpack
  • Introduced through: glibc-minimal-langpack@2.28-164.el8
  • Fixed in: 0:2.28-225.el8_8.6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-minimal-langpack@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-minimal-langpack package and not the glibc-minimal-langpack package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in glibc. When the getaddrinfo function is called with the AF_UNSPEC address family and the system is configured with no-aaaa mode via /etc/resolv.conf, a DNS response via TCP larger than 2048 bytes can potentially disclose stack contents through the address data the function returns, and may cause a crash.

Remediation

Upgrade RHEL:8 glibc-minimal-langpack to version 0:2.28-225.el8_8.6 or higher.
This issue was patched in RHSA-2023:5455.

References

high severity

Improper Handling of Case Sensitivity

  • Vulnerable module: gnutls
  • Introduced through: gnutls@3.6.16-4.el8
  • Fixed in: 0:3.6.16-8.el8_10.6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 gnutls@3.6.16-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls package and not the gnutls package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in gnutls. This vulnerability occurs because gnutls performs case-sensitive comparisons of nameConstraints labels, specifically for dNSName (DNS) or rfc822Name (email) constraints within excludedSubtrees or permittedSubtrees. A remote attacker can exploit this by crafting a leaf certificate with casing differences in the Subject Alternative Name (SAN), leading to a policy bypass where a certificate that should be rejected is instead accepted. This could result in unauthorized access or information disclosure.

Remediation

Upgrade RHEL:8 gnutls to version 0:3.6.16-8.el8_10.6 or higher.
This issue was patched in RHSA-2026:20611.

References

high severity

Multiple Interpretations of UI Input

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8
  • Fixed in: 0:3.6.8-62.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An issue was found in the CPython zipfile module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.

The zipfile module is vulnerable to “quoted-overlap” zip-bombs, which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython make the zipfile module reject zip archives with overlapping entries.

Remediation

Upgrade RHEL:8 platform-python to version 0:3.6.8-62.el8_10 or higher.
This issue was patched in RHSA-2024:3347.

References

high severity

Multiple Interpretations of UI Input

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8
  • Fixed in: 0:3.6.8-62.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An issue was found in the CPython zipfile module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.

The zipfile module is vulnerable to “quoted-overlap” zip-bombs, which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython make the zipfile module reject zip archives with overlapping entries.

Remediation

Upgrade RHEL:8 python3-libs to version 0:3.6.8-62.el8_10 or higher.
This issue was patched in RHSA-2024:3347.

References

high severity

Out-of-bounds Read

  • Vulnerable module: libpng
  • Introduced through: libpng@2:1.6.34-5.el8
  • Fixed in: 2:1.6.34-10.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libpng@2:1.6.34-5.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libpng package and not the libpng package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.6.51 to 1.6.53, there is a heap buffer over-read in the libpng simplified API function png_image_finish_read when processing interlaced 16-bit PNGs with 8-bit output format and non-minimal row stride. This is a regression introduced by the fix for CVE-2025-65018. This vulnerability is fixed in 1.6.54.

Remediation

Upgrade RHEL:8 libpng to version 2:1.6.34-10.el8_10 or higher.
This issue was patched in RHSA-2026:4728.

References

high severity

Use After Free

  • Vulnerable module: glibc
  • Introduced through: glibc@2.28-164.el8
  • Fixed in: 0:2.28-225.el8_8.6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw has been identified in glibc. In an uncommon situation, the gaih_inet function may use memory that has been freed, resulting in an application crash. This issue is only exploitable when the getaddrinfo function is called and the hosts database in /etc/nsswitch.conf is configured with SUCCESS=continue or SUCCESS=merge.

Remediation

Upgrade RHEL:8 glibc to version 0:2.28-225.el8_8.6 or higher.
This issue was patched in RHSA-2023:5455.

References

high severity

Use After Free

  • Vulnerable module: glibc
  • Introduced through: glibc@2.28-164.el8
  • Fixed in: 0:2.28-225.el8_8.6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw has been identified in glibc. In an extremely rare situation, the getaddrinfo function may access memory that has been freed, resulting in an application crash. This issue is only exploitable when an NSS module implements only the nss_gethostbyname2_r and nss_getcanonname_r hooks without implementing the nss*_gethostbyname3_r hook. The resolved name must return a large number of IPv6 and IPv4 addresses, and the call to the getaddrinfo function must use the AF_INET6 address family with AI_CANONNAME, AI_ALL and AI_V4MAPPED as flags.

Remediation

Upgrade RHEL:8 glibc to version 0:2.28-225.el8_8.6 or higher.
This issue was patched in RHSA-2023:5455.

References

high severity

Use After Free

  • Vulnerable module: glibc-common
  • Introduced through: glibc-common@2.28-164.el8
  • Fixed in: 0:2.28-225.el8_8.6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-common@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-common package and not the glibc-common package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw has been identified in glibc. In an uncommon situation, the gaih_inet function may use memory that has been freed, resulting in an application crash. This issue is only exploitable when the getaddrinfo function is called and the hosts database in /etc/nsswitch.conf is configured with SUCCESS=continue or SUCCESS=merge.

Remediation

Upgrade RHEL:8 glibc-common to version 0:2.28-225.el8_8.6 or higher.
This issue was patched in RHSA-2023:5455.

References

high severity

Use After Free

  • Vulnerable module: glibc-common
  • Introduced through: glibc-common@2.28-164.el8
  • Fixed in: 0:2.28-225.el8_8.6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-common@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-common package and not the glibc-common package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw has been identified in glibc. In an extremely rare situation, the getaddrinfo function may access memory that has been freed, resulting in an application crash. This issue is only exploitable when an NSS module implements only the nss_gethostbyname2_r and nss_getcanonname_r hooks without implementing the nss*_gethostbyname3_r hook. The resolved name must return a large number of IPv6 and IPv4 addresses, and the call to the getaddrinfo function must use the AF_INET6 address family with AI_CANONNAME, AI_ALL and AI_V4MAPPED as flags.

Remediation

Upgrade RHEL:8 glibc-common to version 0:2.28-225.el8_8.6 or higher.
This issue was patched in RHSA-2023:5455.

References

high severity

Use After Free

  • Vulnerable module: glibc-langpack-en
  • Introduced through: glibc-langpack-en@2.28-164.el8
  • Fixed in: 0:2.28-225.el8_8.6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-langpack-en@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-langpack-en package and not the glibc-langpack-en package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw has been identified in glibc. In an uncommon situation, the gaih_inet function may use memory that has been freed, resulting in an application crash. This issue is only exploitable when the getaddrinfo function is called and the hosts database in /etc/nsswitch.conf is configured with SUCCESS=continue or SUCCESS=merge.

Remediation

Upgrade RHEL:8 glibc-langpack-en to version 0:2.28-225.el8_8.6 or higher.
This issue was patched in RHSA-2023:5455.

References

high severity

Use After Free

  • Vulnerable module: glibc-langpack-en
  • Introduced through: glibc-langpack-en@2.28-164.el8
  • Fixed in: 0:2.28-225.el8_8.6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-langpack-en@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-langpack-en package and not the glibc-langpack-en package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw has been identified in glibc. In an extremely rare situation, the getaddrinfo function may access memory that has been freed, resulting in an application crash. This issue is only exploitable when an NSS module implements only the nss_gethostbyname2_r and nss_getcanonname_r hooks without implementing the nss*_gethostbyname3_r hook. The resolved name must return a large number of IPv6 and IPv4 addresses, and the call to the getaddrinfo function must use the AF_INET6 address family with AI_CANONNAME, AI_ALL and AI_V4MAPPED as flags.

Remediation

Upgrade RHEL:8 glibc-langpack-en to version 0:2.28-225.el8_8.6 or higher.
This issue was patched in RHSA-2023:5455.

References

high severity

Use After Free

  • Vulnerable module: glibc-minimal-langpack
  • Introduced through: glibc-minimal-langpack@2.28-164.el8
  • Fixed in: 0:2.28-225.el8_8.6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-minimal-langpack@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-minimal-langpack package and not the glibc-minimal-langpack package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw has been identified in glibc. In an uncommon situation, the gaih_inet function may use memory that has been freed, resulting in an application crash. This issue is only exploitable when the getaddrinfo function is called and the hosts database in /etc/nsswitch.conf is configured with SUCCESS=continue or SUCCESS=merge.

Remediation

Upgrade RHEL:8 glibc-minimal-langpack to version 0:2.28-225.el8_8.6 or higher.
This issue was patched in RHSA-2023:5455.

References

high severity

Use After Free

  • Vulnerable module: glibc-minimal-langpack
  • Introduced through: glibc-minimal-langpack@2.28-164.el8
  • Fixed in: 0:2.28-225.el8_8.6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-minimal-langpack@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-minimal-langpack package and not the glibc-minimal-langpack package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw has been identified in glibc. In an extremely rare situation, the getaddrinfo function may access memory that has been freed, resulting in an application crash. This issue is only exploitable when an NSS module implements only the nss_gethostbyname2_r and nss_getcanonname_r hooks without implementing the nss*_gethostbyname3_r hook. The resolved name must return a large number of IPv6 and IPv4 addresses, and the call to the getaddrinfo function must use the AF_INET6 address family with AI_CANONNAME, AI_ALL and AI_V4MAPPED as flags.

Remediation

Upgrade RHEL:8 glibc-minimal-langpack to version 0:2.28-225.el8_8.6 or higher.
This issue was patched in RHSA-2023:5455.

References

high severity

Improper Access Control

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.16.0.8-1.el8_6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u343, 8u333, 11.0.15.1, 17.0.3.1, 18.0.1.1; Oracle GraalVM Enterprise Edition: 20.3.6, 21.3.2 and 22.1.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.16.0.8-1.el8_6 or higher.
This issue was patched in RHSA-2022:5683.

References

high severity

Improper Input Validation

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.22.0.7-2.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.1 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.22.0.7-2.el8 or higher.
This issue was patched in RHSA-2024:0266.

References

high severity

Improper Input Validation

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.22.0.7-2.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Scripting). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21; Oracle GraalVM for JDK: 17.0.9; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.22.0.7-2.el8 or higher.
This issue was patched in RHSA-2024:0266.

References

high severity

Improper Input Validation

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.22.0.7-2.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.22.0.7-2.el8 or higher.
This issue was patched in RHSA-2024:0266.

References

high severity

Improperly Implemented Security Check for Standard

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.19.0.7-1.el8_7

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.19.0.7-1.el8_7 or higher.
This issue was patched in RHSA-2023:1895.

References

high severity

Information Exposure

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.19.0.7-1.el8_7

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.19.0.7-1.el8_7 or higher.
This issue was patched in RHSA-2023:1895.

References

high severity

Integer Underflow

  • Vulnerable module: krb5-libs
  • Introduced through: krb5-libs@1.18.2-14.el8
  • Fixed in: 0:1.18.2-34.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 krb5-libs@1.18.2-14.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5-libs package and not the krb5-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

In MIT Kerberos 5 (aka krb5) before 1.22.3, there is an integer underflow and resultant out-of-bounds read if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, possibly causing the process to terminate in parse_message.

Remediation

Upgrade RHEL:8 krb5-libs to version 0:1.18.2-34.el8_10 or higher.
This issue was patched in RHSA-2026:16799.

References

high severity

NULL Pointer Dereference

  • Vulnerable module: krb5-libs
  • Introduced through: krb5-libs@1.18.2-14.el8
  • Fixed in: 0:1.18.2-34.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 krb5-libs@1.18.2-14.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5-libs package and not the krb5-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

In MIT Kerberos 5 (aka krb5) before 1.22.3, there is a NULL pointer dereference if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, causing the process to terminate in parse_nego_message.

Remediation

Upgrade RHEL:8 krb5-libs to version 0:1.18.2-34.el8_10 or higher.
This issue was patched in RHSA-2026:16799.

References

high severity

Information Exposure

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.1.1k-4.el8
  • Fixed in: 1:1.1.1k-9.el8_7

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A timing-based side channel exists in the OpenSSL RSA decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher-style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OAEP and RSASVE.

For example, in a TLS connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An attacker that had observed a genuine connection between a client and a server could use this flaw to send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection.

Remediation

Upgrade RHEL:8 openssl to version 1:1.1.1k-9.el8_7 or higher.
This issue was patched in RHSA-2023:1405.

References

high severity

Information Exposure

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.1.1k-4.el8
  • Fixed in: 1:1.1.1k-9.el8_7

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl-libs@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A timing-based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher-style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OAEP and RSASVE.

For example, in a TLS connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An attacker that had observed a genuine connection between a client and a server could use this flaw to send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection.

Remediation

Upgrade RHEL:8 openssl-libs to version 1:1.1.1k-9.el8_7 or higher.
This issue was patched in RHSA-2023:1405.

References

high severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: expat
  • Introduced through: expat@2.2.5-4.el8
  • Fixed in: 0:2.5.0-1.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 expat@2.2.5-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing.

Remediation

Upgrade RHEL:8 expat to version 0:2.5.0-1.el8_10 or higher.
This issue was patched in RHSA-2025:21776.

References

high severity

NULL Pointer Dereference

  • Vulnerable module: glibc
  • Introduced through: glibc@2.28-164.el8
  • Fixed in: 0:2.28-251.el8_10.2

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

nscd: Null pointer crashes after notfound response

If the Name Service Cache Daemon's (nscd) cache fails to add a not-found netgroup response to the cache, the client request can result in a null pointer dereference. This flaw was introduced in glibc 2.15 when the cache was added to nscd.

This vulnerability is only present in the nscd binary.

Remediation

Upgrade RHEL:8 glibc to version 0:2.28-251.el8_10.2 or higher.
This issue was patched in RHSA-2024:3344.

References

high severity

NULL Pointer Dereference

  • Vulnerable module: glibc-common
  • Introduced through: glibc-common@2.28-164.el8
  • Fixed in: 0:2.28-251.el8_10.2

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-common@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-common package and not the glibc-common package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

nscd: Null pointer crashes after notfound response

If the Name Service Cache Daemon's (nscd) cache fails to add a not-found netgroup response to the cache, the client request can result in a null pointer dereference. This flaw was introduced in glibc 2.15 when the cache was added to nscd.

This vulnerability is only present in the nscd binary.

Remediation

Upgrade RHEL:8 glibc-common to version 0:2.28-251.el8_10.2 or higher.
This issue was patched in RHSA-2024:3344.

References

high severity

NULL Pointer Dereference

  • Vulnerable module: glibc-langpack-en
  • Introduced through: glibc-langpack-en@2.28-164.el8
  • Fixed in: 0:2.28-251.el8_10.2

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-langpack-en@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-langpack-en package and not the glibc-langpack-en package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

nscd: Null pointer crashes after notfound response

If the Name Service Cache Daemon's (nscd) cache fails to add a not-found netgroup response to the cache, the client request can result in a null pointer dereference. This flaw was introduced in glibc 2.15 when the cache was added to nscd.

This vulnerability is only present in the nscd binary.

Remediation

Upgrade RHEL:8 glibc-langpack-en to version 0:2.28-251.el8_10.2 or higher.
This issue was patched in RHSA-2024:3344.

References

high severity

NULL Pointer Dereference

  • Vulnerable module: glibc-minimal-langpack
  • Introduced through: glibc-minimal-langpack@2.28-164.el8
  • Fixed in: 0:2.28-251.el8_10.2

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-minimal-langpack@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-minimal-langpack package and not the glibc-minimal-langpack package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

nscd: Null pointer crashes after notfound response

If the Name Service Cache Daemon's (nscd) cache fails to add a not-found netgroup response to the cache, the client request can result in a null pointer dereference. This flaw was introduced in glibc 2.15 when the cache was added to nscd.

This vulnerability is only present in the nscd binary.

Remediation

Upgrade RHEL:8 glibc-minimal-langpack to version 0:2.28-251.el8_10.2 or higher.
This issue was patched in RHSA-2024:3344.

References

high severity
new

Off-by-one Error

  • Vulnerable module: gnutls
  • Introduced through: gnutls@3.6.16-4.el8
  • Fixed in: 0:3.6.16-8.el8_10.6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 gnutls@3.6.16-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls package and not the gnutls package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in gnutls. An off-by-one error exists in the PKCS#12 bag element bounds check. This vulnerability allows a remote attacker to write past the internal array of a PKCS#12 bag when appending to a bag that already contains 32 elements. This memory corruption could lead to a denial of service (DoS) or potentially other unspecified impacts.

Remediation

Upgrade RHEL:8 gnutls to version 0:3.6.16-8.el8_10.6 or higher.
This issue was patched in RHSA-2026:20611.

References

high severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.15.0.9-2.el8_5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.15.0.9-2.el8_5 or higher.
This issue was patched in RHSA-2022:1442.

References

high severity

Improper Input Validation

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.19.0.7-1.el8_7

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Swing). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.19.0.7-1.el8_7 or higher.
This issue was patched in RHSA-2023:1895.

References

high severity

Improper Use of Validation Framework

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.15.0.9-2.el8_5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.15.0.9-2.el8_5 or higher.
This issue was patched in RHSA-2022:1442.

References

high severity

Resource Leak

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.16.0.8-1.el8_6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u343, 8u333, 11.0.15.1, 17.0.3.1, 18.0.1.1; Oracle GraalVM Enterprise Edition: 20.3.6, 21.3.2 and 22.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.16.0.8-1.el8_6 or higher.
This issue was patched in RHSA-2022:5683.

References

high severity

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.15.0.9-2.el8_5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.15.0.9-2.el8_5 or higher.
This issue was patched in RHSA-2022:1442.

References

high severity

CVE-2024-21140

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.24.0.8-3.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.24.0.8-3.el8 or higher.
This issue was patched in RHSA-2024:4567.

References

high severity

Out-of-bounds Write

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.24.0.8-3.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: 2D). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.24.0.8-3.el8 or higher.
This issue was patched in RHSA-2024:4567.

References

high severity

Information Exposure Through Log Files

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.22.0.7-2.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.22.0.7-2.el8 or higher.
This issue was patched in RHSA-2024:0266.

References

high severity

XML External Entity (XXE) Injection

  • Vulnerable module: expat
  • Introduced through: expat@2.2.5-4.el8
  • Fixed in: 0:2.5.0-1.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 expat@2.2.5-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

expat before version 2.4.0 does not properly handle entity expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE.

Remediation

Upgrade RHEL:8 expat to version 0:2.5.0-1.el8_10 or higher.
This issue was patched in RHSA-2025:21776.

References

high severity

Improper Check or Handling of Exceptional Conditions

  • Vulnerable module: glibc
  • Introduced through: glibc@2.28-164.el8
  • Fixed in: 0:2.28-251.el8_10.2

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

nscd: netgroup cache assumes NSS callback uses in-buffer strings

The Name Service Cache Daemon's (nscd) netgroup cache can corrupt memory when the NSS callback does not store all strings in the provided buffer. The flaw was introduced in glibc 2.15 when the cache was added to nscd.

This vulnerability is only present in the nscd binary.

Remediation

Upgrade RHEL:8 glibc to version 0:2.28-251.el8_10.2 or higher.
This issue was patched in RHSA-2024:3344.

References

high severity

Improper Check or Handling of Exceptional Conditions

  • Vulnerable module: glibc
  • Introduced through: glibc@2.28-164.el8
  • Fixed in: 0:2.28-251.el8_10.2

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

nscd: netgroup cache may terminate daemon on memory allocation failure

The Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or xrealloc and these functions may terminate the process due to a memory allocation failure resulting in a denial of service to the clients. The flaw was introduced in glibc 2.15 when the cache was added to nscd.

This vulnerability is only present in the nscd binary.

Remediation

Upgrade RHEL:8 glibc to version 0:2.28-251.el8_10.2 or higher.
This issue was patched in RHSA-2024:3344.

References

high severity

Improper Check or Handling of Exceptional Conditions

  • Vulnerable module: glibc-common
  • Introduced through: glibc-common@2.28-164.el8
  • Fixed in: 0:2.28-251.el8_10.2

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-common@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-common package and not the glibc-common package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

nscd: netgroup cache assumes NSS callback uses in-buffer strings

The Name Service Cache Daemon's (nscd) netgroup cache can corrupt memory when the NSS callback does not store all strings in the provided buffer. The flaw was introduced in glibc 2.15 when the cache was added to nscd.

This vulnerability is only present in the nscd binary.

Remediation

Upgrade RHEL:8 glibc-common to version 0:2.28-251.el8_10.2 or higher.
This issue was patched in RHSA-2024:3344.

References

high severity

Improper Check or Handling of Exceptional Conditions

  • Vulnerable module: glibc-common
  • Introduced through: glibc-common@2.28-164.el8
  • Fixed in: 0:2.28-251.el8_10.2

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-common@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-common package and not the glibc-common package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

nscd: netgroup cache may terminate daemon on memory allocation failure

The Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or xrealloc and these functions may terminate the process due to a memory allocation failure resulting in a denial of service to the clients. The flaw was introduced in glibc 2.15 when the cache was added to nscd.

This vulnerability is only present in the nscd binary.

Remediation

Upgrade RHEL:8 glibc-common to version 0:2.28-251.el8_10.2 or higher.
This issue was patched in RHSA-2024:3344.

References

high severity

Improper Check or Handling of Exceptional Conditions

  • Vulnerable module: glibc-langpack-en
  • Introduced through: glibc-langpack-en@2.28-164.el8
  • Fixed in: 0:2.28-251.el8_10.2

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-langpack-en@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-langpack-en package and not the glibc-langpack-en package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

nscd: netgroup cache assumes NSS callback uses in-buffer strings

The Name Service Cache Daemon's (nscd) netgroup cache can corrupt memory when the NSS callback does not store all strings in the provided buffer. The flaw was introduced in glibc 2.15 when the cache was added to nscd.

This vulnerability is only present in the nscd binary.

Remediation

Upgrade RHEL:8 glibc-langpack-en to version 0:2.28-251.el8_10.2 or higher.
This issue was patched in RHSA-2024:3344.

References

high severity

Improper Check or Handling of Exceptional Conditions

  • Vulnerable module: glibc-langpack-en
  • Introduced through: glibc-langpack-en@2.28-164.el8
  • Fixed in: 0:2.28-251.el8_10.2

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-langpack-en@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-langpack-en package and not the glibc-langpack-en package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

nscd: netgroup cache may terminate daemon on memory allocation failure

The Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or xrealloc and these functions may terminate the process due to a memory allocation failure resulting in a denial of service to the clients. The flaw was introduced in glibc 2.15 when the cache was added to nscd.

This vulnerability is only present in the nscd binary.

Remediation

Upgrade RHEL:8 glibc-langpack-en to version 0:2.28-251.el8_10.2 or higher.
This issue was patched in RHSA-2024:3344.

References

high severity

Improper Check or Handling of Exceptional Conditions

  • Vulnerable module: glibc-minimal-langpack
  • Introduced through: glibc-minimal-langpack@2.28-164.el8
  • Fixed in: 0:2.28-251.el8_10.2

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-minimal-langpack@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-minimal-langpack package and not the glibc-minimal-langpack package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

nscd: netgroup cache assumes NSS callback uses in-buffer strings

The Name Service Cache Daemon's (nscd) netgroup cache can corrupt memory when the NSS callback does not store all strings in the provided buffer. The flaw was introduced in glibc 2.15 when the cache was added to nscd.

This vulnerability is only present in the nscd binary.

Remediation

Upgrade RHEL:8 glibc-minimal-langpack to version 0:2.28-251.el8_10.2 or higher.
This issue was patched in RHSA-2024:3344.

References

high severity

Improper Check or Handling of Exceptional Conditions

  • Vulnerable module: glibc-minimal-langpack
  • Introduced through: glibc-minimal-langpack@2.28-164.el8
  • Fixed in: 0:2.28-251.el8_10.2

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-minimal-langpack@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-minimal-langpack package and not the glibc-minimal-langpack package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

nscd: netgroup cache may terminate daemon on memory allocation failure

The Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or xrealloc, and these functions may terminate the process on memory allocation failure, resulting in a denial of service to its clients. The flaw was introduced in glibc 2.15 when the cache was added to nscd.

This vulnerability is only present in the nscd binary.

Remediation

Upgrade RHEL:8 glibc-minimal-langpack to version 0:2.28-251.el8_10.2 or higher.
This issue was patched in RHSA-2024:3344.

References

high severity

CVE-2024-21131

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.24.0.8-3.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.24.0.8-3.el8 or higher.
This issue was patched in RHSA-2024:4567.

References
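Every Remediation entry in this report asks the same question: is the installed RPM at or above the "Fixed in" EVR (epoch:version-release)? A plain string comparison answers it wrongly, because the "Introduced through" versions omit the epoch that the "Fixed in" versions spell out (glibc-minimal-langpack@2.28-164.el8 against 0:2.28-251.el8_10.2), because the epoch outranks everything after it (1:11.0.13.0.8-3.el8_5 is newer than any 0: version), and because segments such as 251.el8_10.2 compare numerically, not lexically. The following is an added example, not Snyk's or Red Hat's code: a Python port of rpm's rpmvercmp() segment comparison, applied to a findings table constructed from versions that appear in this report. The sample "patched" map is likewise constructed; inside a running container the authoritative source for the installed EVR is rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' <package>, which prints (none) for an unset epoch, and the code accepts that form.

```python
"""Check RPM EVR strings from a RHEL vulnerability report against 'Fixed in' EVRs.

Added example for this report (not Snyk's or Red Hat's code). rpmvercmp() is a
port of rpm's segment comparison: '~' sorts before everything including end of
string, '^' sorts after end of string but before any other segment, a numeric
segment beats an alphabetic one, and leading zeros are ignored.
"""
import string
from typing import Dict, List, Optional, Tuple

_DIGITS = set(string.digits)
_ALPHA = set(string.ascii_letters)


def _is_sep(c: str) -> bool:
    """Anything that is not alphanumeric, '~' or '^' is a separator rpm skips."""
    return c not in _DIGITS and c not in _ALPHA and c not in "~^"


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 with the same ordering as rpm's rpmvercmp(a, b)."""
    if a == b:
        return 0
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        while i < la and _is_sep(a[i]):
            i += 1
        while j < lb and _is_sep(b[j]):
            j += 1
        ca = a[i] if i < la else ""
        cb = b[j] if j < lb else ""
        if ca == "~" or cb == "~":          # 1.0~rc1 < 1.0
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":          # 1.0^git1 > 1.0, but 1.0^git1 < 1.0.1
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        # Next all-numeric or all-alphabetic segment of each string.
        isnum = ca in _DIGITS
        cls = _DIGITS if isnum else _ALPHA
        sa, sb = i, j
        while i < la and a[i] in cls:
            i += 1
        while j < lb and b[j] in cls:
            j += 1
        seg_a, seg_b = a[sa:i], b[sb:j]
        if not seg_b:                        # mixed types: numeric is newer than alpha
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):     # more digits wins
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= la and j >= lb:
        return 0
    return -1 if i >= la else 1


def parse_evr(evr: str) -> Tuple[int, str, str]:
    """Split 'epoch:version-release'. A missing or '(none)' epoch is 0, as in rpm."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e) if e.isdigit() else 0
    version, sep, release = evr.rpartition("-")
    if not sep:                              # no release part at all
        version, release = release, ""
    return epoch, version, release


def evr_cmp(a: str, b: str) -> int:
    """Compare two EVRs: epoch first, then version, then release (if both have one)."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    rc = rpmvercmp(va, vb)
    if rc or not (ra and rb):
        return rc
    return rpmvercmp(ra, rb)


def is_fixed(installed: str, fixed: Optional[str]) -> bool:
    """True when the installed EVR is at or above the advisory's 'Fixed in' EVR."""
    return fixed is not None and evr_cmp(installed, fixed) >= 0


# Constructed from this report: (package, introduced-through EVR, 'Fixed in' EVR or None).
FINDINGS: List[Tuple[str, str, Optional[str]]] = [
    ("glibc-minimal-langpack", "2.28-164.el8", "0:2.28-251.el8_10.2"),
    ("java-11-openjdk-headless", "1:11.0.13.0.8-3.el8_5", "1:11.0.24.0.8-3.el8"),
    ("java-11-openjdk-headless", "1:11.0.13.0.8-3.el8_5", "1:11.0.19.0.7-1.el8_7"),
    ("glib2", "2.56.4-156.el8", "0:2.56.4-159.el8"),
    ("libjpeg-turbo", "1.5.3-12.el8", None),   # report: no fixed version for RHEL:8
]


def outstanding(installed: Dict[str, str]) -> List[Tuple[str, str, Optional[str]]]:
    """Findings still open for the given installed EVRs; unlisted packages use the scanned EVR."""
    return [(pkg, installed.get(pkg, introduced), fixed)
            for pkg, introduced, fixed in FINDINGS
            if not is_fixed(installed.get(pkg, introduced), fixed)]


if __name__ == "__main__":
    # Constructed sample of what 'rpm -q' might show after updating the image (hypothetical).
    patched = {"glibc-minimal-langpack": "(none):2.28-251.el8_10.2",
               "java-11-openjdk-headless": "1:11.0.24.0.8-3.el8",
               "glib2": "2.56.4-159.el8"}
    for pkg, have, fixed in outstanding(patched):
        print(f"{pkg}: installed {have}, fixed in {fixed or 'no fix available'}")
```

Two practitioner notes on using this. Findings whose Remediation reads "There is no fixed version" carry None and stay open no matter what is installed; the only ways to close them are a later Red Hat erratum or removing the package from the image. For the nscd entries above, the report itself states that the flaw is only present in the nscd binary, so whether the nscd package (a separate glibc subpackage on RHEL 8) is installed and running in the container is the more useful question than the langpack version.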

high severity

Improper Input Validation

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.19.0.7-1.el8_7

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.19.0.7-1.el8_7 or higher.
This issue was patched in RHSA-2023:1895.

References

high severity

Improper Neutralization of Null Byte or NUL Character

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.19.0.7-1.el8_7

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.19.0.7-1.el8_7 or higher.
This issue was patched in RHSA-2023:1895.

References

high severity

Improper Neutralization of Null Byte or NUL Character

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.19.0.7-1.el8_7

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and 22.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.19.0.7-1.el8_7 or higher.
This issue was patched in RHSA-2023:1895.

References

high severity

Improper Validation of Specified Quantity in Input

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.24.0.8-3.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Concurrency). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.24.0.8-3.el8 or higher.
This issue was patched in RHSA-2024:4567.

References

high severity

Integer Underflow

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.15.0.9-2.el8_5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.15.0.9-2.el8_5 or higher.
This issue was patched in RHSA-2022:1442.

References

high severity

Loop with Unreachable Exit Condition ('Infinite Loop')

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.24.0.8-3.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.24.0.8-3.el8 or higher.
This issue was patched in RHSA-2024:4567.

References

high severity (new)

CVE-2026-42014

  • Vulnerable module: gnutls
  • Introduced through: gnutls@3.6.16-4.el8
  • Fixed in: 0:3.6.16-8.el8_10.6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 gnutls@3.6.16-4.el8

NVD Description

This vulnerability has not been analyzed by NVD yet.

Remediation

Upgrade RHEL:8 gnutls to version 0:3.6.16-8.el8_10.6 or higher.
This issue was patched in RHSA-2026:20611.

References

medium severity

Buffer Overflow

  • Vulnerable module: glib2
  • Introduced through: glib2@2.56.4-156.el8
  • Fixed in: 0:2.56.4-159.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glib2@2.56.4-156.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glib2 package and not the glib2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A buffer overflow issue was addressed with improved memory handling. This issue is fixed in macOS Monterey 12.3, Safari 15.4, watchOS 8.5, iTunes 12.12.3 for Windows, iOS 15.4 and iPadOS 15.4, tvOS 15.4. Processing maliciously crafted web content may lead to arbitrary code execution.

Remediation

Upgrade RHEL:8 glib2 to version 0:2.56.4-159.el8 or higher.
This issue was patched in RHSA-2022:7704.

References

medium severity

Improper Use of Validation Framework

  • Vulnerable module: glib2
  • Introduced through: glib2@2.56.4-156.el8
  • Fixed in: 0:2.56.4-159.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glib2@2.56.4-156.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glib2 package and not the glib2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A memory corruption issue was addressed with improved state management. This issue is fixed in tvOS 15.5, watchOS 8.6, iOS 15.5 and iPadOS 15.5, macOS Monterey 12.4, Safari 15.5. Processing maliciously crafted web content may lead to code execution.

Remediation

Upgrade RHEL:8 glib2 to version 0:2.56.4-159.el8 or higher.
This issue was patched in RHSA-2022:7704.

References

medium severity

Improper Use of Validation Framework

  • Vulnerable module: glib2
  • Introduced through: glib2@2.56.4-156.el8
  • Fixed in: 0:2.56.4-159.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glib2@2.56.4-156.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glib2 package and not the glib2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A memory corruption issue was addressed with improved state management. This issue is fixed in tvOS 15.5, iOS 15.5 and iPadOS 15.5, watchOS 8.6, macOS Monterey 12.4, Safari 15.5. Processing maliciously crafted web content may lead to arbitrary code execution.

Remediation

Upgrade RHEL:8 glib2 to version 0:2.56.4-159.el8 or higher.
This issue was patched in RHSA-2022:7704.

References

medium severity

Improper Use of Validation Framework

  • Vulnerable module: glib2
  • Introduced through: glib2@2.56.4-156.el8
  • Fixed in: 0:2.56.4-159.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glib2@2.56.4-156.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glib2 package and not the glib2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A memory corruption issue was addressed with improved state management. This issue is fixed in tvOS 15.5, iOS 15.5 and iPadOS 15.5, watchOS 8.6, macOS Monterey 12.4, Safari 15.5. Processing maliciously crafted web content may lead to arbitrary code execution.

Remediation

Upgrade RHEL:8 glib2 to version 0:2.56.4-159.el8 or higher.
This issue was patched in RHSA-2022:7704.

References

medium severity

Out-of-bounds Write

  • Vulnerable module: glib2
  • Introduced through: glib2@2.56.4-156.el8
  • Fixed in: 0:2.56.4-159.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glib2@2.56.4-156.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glib2 package and not the glib2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An out-of-bounds write issue was addressed with improved input validation. This issue is fixed in iOS 15.6 and iPadOS 15.6, watchOS 8.7, tvOS 15.6, macOS Monterey 12.5, Safari 15.6. Processing maliciously crafted web content may lead to arbitrary code execution.

Remediation

Upgrade RHEL:8 glib2 to version 0:2.56.4-159.el8 or higher.
This issue was patched in RHSA-2022:7704.

References

medium severity

Use After Free

  • Vulnerable module: glib2
  • Introduced through: glib2@2.56.4-156.el8
  • Fixed in: 0:2.56.4-159.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glib2@2.56.4-156.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glib2 package and not the glib2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A use after free issue was addressed with improved memory management. This issue is fixed in macOS Monterey 12.3, iOS 15.4 and iPadOS 15.4, tvOS 15.4, Safari 15.4. Processing maliciously crafted web content may lead to arbitrary code execution.

Remediation

Upgrade RHEL:8 glib2 to version 0:2.56.4-159.el8 or higher.
This issue was patched in RHSA-2022:7704.

References

medium severity

Use After Free

  • Vulnerable module: glib2
  • Introduced through: glib2@2.56.4-156.el8
  • Fixed in: 0:2.56.4-159.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glib2@2.56.4-156.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glib2 package and not the glib2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A use after free issue was addressed with improved memory management. This issue is fixed in macOS Monterey 12.3, Safari 15.4, watchOS 8.5, iOS 15.4 and iPadOS 15.4, tvOS 15.4. Processing maliciously crafted web content may lead to arbitrary code execution.

Remediation

Upgrade RHEL:8 glib2 to version 0:2.56.4-159.el8 or higher.
This issue was patched in RHSA-2022:7704.

References

medium severity

Use After Free

  • Vulnerable module: glib2
  • Introduced through: glib2@2.56.4-156.el8
  • Fixed in: 0:2.56.4-159.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glib2@2.56.4-156.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glib2 package and not the glib2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A use after free issue was addressed with improved memory management. This issue is fixed in tvOS 15.5, iOS 15.5 and iPadOS 15.5, watchOS 8.6, macOS Monterey 12.4, Safari 15.5. Processing maliciously crafted web content may lead to arbitrary code execution.

Remediation

Upgrade RHEL:8 glib2 to version 0:2.56.4-159.el8 or higher.
This issue was patched in RHSA-2022:7704.

References

medium severity

Use After Free

  • Vulnerable module: glib2
  • Introduced through: glib2@2.56.4-156.el8
  • Fixed in: 0:2.56.4-159.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glib2@2.56.4-156.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glib2 package and not the glib2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A use after free issue was addressed with improved memory management. This issue is fixed in iOS 15.5 and iPadOS 15.5, macOS Monterey 12.4, tvOS 15.5, watchOS 8.6. Processing maliciously crafted web content may lead to arbitrary code execution.

Remediation

Upgrade RHEL:8 glib2 to version 0:2.56.4-159.el8 or higher.
This issue was patched in RHSA-2022:7704.

References

medium severity

Use After Free

  • Vulnerable module: glib2
  • Introduced through: glib2@2.56.4-156.el8
  • Fixed in: 0:2.56.4-159.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glib2@2.56.4-156.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glib2 package and not the glib2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A use after free issue was addressed with improved memory management. This issue is fixed in tvOS 15.5, watchOS 8.6, iOS 15.5 and iPadOS 15.5, macOS Monterey 12.4, Safari 15.5, iTunes 12.12.4 for Windows. Processing maliciously crafted web content may lead to arbitrary code execution.

Remediation

Upgrade RHEL:8 glib2 to version 0:2.56.4-159.el8 or higher.
This issue was patched in RHSA-2022:7704.

References

medium severity

Missing Authentication for Critical Function

  • Vulnerable module: curl
  • Introduced through: curl@7.61.1-22.el8
  • Fixed in: 0:7.61.1-22.el8_6.3

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 curl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An improper authentication vulnerability exists in curl 7.33.0 to and including 7.82.0 which might allow reuse of OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. This affects SASL-enabled protocols: SMTP(S), IMAP(S), POP3(S) and LDAP(S) (openldap only).

Remediation

Upgrade RHEL:8 curl to version 0:7.61.1-22.el8_6.3 or higher.
This issue was patched in RHSA-2022:5313.

References

medium severity

Missing Authentication for Critical Function

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.61.1-22.el8
  • Fixed in: 0:7.61.1-22.el8_6.3

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libcurl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An improper authentication vulnerability exists in curl 7.33.0 to and including 7.82.0 which might allow reuse of OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. This affects SASL-enabled protocols: SMTP(S), IMAP(S), POP3(S) and LDAP(S) (openldap only).

Remediation

Upgrade RHEL:8 libcurl to version 0:7.61.1-22.el8_6.3 or higher.
This issue was patched in RHSA-2022:5313.

References

medium severity

Out-of-bounds Read

  • Vulnerable module: libjpeg-turbo
  • Introduced through: libjpeg-turbo@1.5.3-12.el8
  • Fixed in: 0:1.5.3-14.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libjpeg-turbo@1.5.3-12.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libjpeg-turbo package and not the libjpeg-turbo package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

libjpeg-turbo 2.0.4, and mozjpeg 4.0.0, has a heap-based buffer over-read in get_rgb_row() in rdppm.c via a malformed PPM input file.

Remediation

Upgrade RHEL:8 libjpeg-turbo to version 0:1.5.3-14.el8_10 or higher.
This issue was patched in RHSA-2025:7540.

References

medium severity

Out-of-bounds Read

  • Vulnerable module: libssh
  • Introduced through: libssh@0.9.4-3.el8
  • Fixed in: 0:0.9.6-15.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libssh@0.9.4-3.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh package and not the libssh package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in the libssh library in versions less than 0.11.2. An out-of-bounds read can be triggered in the sftp_handle function due to an incorrect comparison check that permits the function to access memory beyond the valid handle list and to return an invalid pointer, which is used in further processing. This vulnerability allows an authenticated remote attacker to potentially read unintended memory regions, exposing sensitive information or affecting service behavior.

Remediation

Upgrade RHEL:8 libssh to version 0:0.9.6-15.el8_10 or higher.
This issue was patched in RHSA-2025:18286.

References

medium severity

Out-of-bounds Read

  • Vulnerable module: libssh-config
  • Introduced through: libssh-config@0.9.4-3.el8
  • Fixed in: 0:0.9.6-15.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libssh-config@0.9.4-3.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh-config package and not the libssh-config package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in the libssh library in versions less than 0.11.2. An out-of-bounds read can be triggered in the sftp_handle function due to an incorrect comparison check that permits the function to access memory beyond the valid handle list and to return an invalid pointer, which is used in further processing. This vulnerability allows an authenticated remote attacker to potentially read unintended memory regions, exposing sensitive information or affecting service behavior.

Remediation

Upgrade RHEL:8 libssh-config to version 0:0.9.6-15.el8_10 or higher.
This issue was patched in RHSA-2025:18286.

References

medium severity

Use After Free

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.7-9.el8_4.2
  • Fixed in: 0:2.9.7-12.el8_5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libxml2@2.9.7-9.el8_4.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes.

Remediation

Upgrade RHEL:8 libxml2 to version 0:2.9.7-12.el8_5 or higher.
This issue was patched in RHSA-2022:0899.

References

medium severity

Heap-based Buffer Overflow

  • Vulnerable module: lz4-libs
  • Introduced through: lz4-libs@1.8.3-3.el8_4
  • Fixed in: 0:1.8.3-5.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 lz4-libs@1.8.3-3.el8_4

NVD Description

Note: Versions mentioned in the description apply only to the upstream lz4-libs package and not the lz4-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states "only a few specific / uncommon usages of the API are at risk."

Remediation

Upgrade RHEL:8 lz4-libs to version 0:1.8.3-5.el8_10 or higher.
This issue was patched in RHSA-2025:11035.

References

medium severity

Out-of-Bounds

  • Vulnerable module: sqlite-libs
  • Introduced through: sqlite-libs@3.26.0-15.el8
  • Fixed in: 0:3.26.0-16.el8_6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 sqlite-libs@3.26.0-15.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream sqlite-libs package and not the sqlite-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

In SQLite 3.31.1, there is an out of bounds access problem through ALTER TABLE for views that have a nested FROM clause.

Remediation

Upgrade RHEL:8 sqlite-libs to version 0:3.26.0-16.el8_6 or higher.
This issue was patched in RHSA-2022:7108.

References

medium severity

Integer Overflow or Wraparound

  • Vulnerable module: libcap
  • Introduced through: libcap@2.26-5.el8
  • Fixed in: 0:2.48-5.el8_8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libcap@2.26-5.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcap package and not the libcap package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A vulnerability was found in libcap. This issue occurs in the _libcap_strdup() function and can lead to an integer overflow if the input string is close to 4GiB.

Remediation

Upgrade RHEL:8 libcap to version 0:2.48-5.el8_8 or higher.
This issue was patched in RHSA-2023:4524.

References

medium severity

Integer Overflow or Wraparound

  • Vulnerable module: libjpeg-turbo
  • Introduced through: libjpeg-turbo@1.5.3-12.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libjpeg-turbo@1.5.3-12.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libjpeg-turbo package and not the libjpeg-turbo package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

In generate_jsimd_ycc_rgb_convert_neon of jsimd_arm64_neon.S, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution in an unprivileged process with no additional execution privileges needed. User interaction is needed for exploitation. Product: Android. Versions: Android-8.0, Android-8.1, Android-9, Android-10. Android ID: A-120551338.

Remediation

There is no fixed version for RHEL:8 libjpeg-turbo.

References

medium severity (new)

Out-of-bounds Write

  • Vulnerable module: libsolv
  • Introduced through: libsolv@0.7.19-1.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libsolv@0.7.19-1.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libsolv package and not the libsolv package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in libsolv. This heap buffer overflow occurs during the decompression of attacker-controlled compressed data within .solv files due to insufficient input validation. An attacker can provide a specially crafted .solv file, which, when processed by a vulnerable application, can lead to out-of-bounds memory access. This could result in information disclosure, alteration of program execution, or a denial of service.

Remediation

There is no fixed version for RHEL:8 libsolv.

References

medium severity

Double Free

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.7-9.el8_4.2
  • Fixed in: 0:2.9.7-15.el8_7.1

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libxml2@2.9.7-9.el8_4.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be provoked.

Remediation

Upgrade RHEL:8 libxml2 to version 0:2.9.7-15.el8_7.1 or higher.
This issue was patched in RHSA-2023:0173.

References

medium severity

Out-of-bounds Write

  • Vulnerable module: ncurses-base
  • Introduced through: ncurses-base@6.1-9.20180224.el8
  • Fixed in: 0:6.1-9.20180224.el8_8.1

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 ncurses-base@6.1-9.20180224.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses-base package and not the ncurses-base package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.

Remediation

Upgrade RHEL:8 ncurses-base to version 0:6.1-9.20180224.el8_8.1 or higher.
This issue was patched in RHSA-2023:5249.

References

medium severity

Out-of-bounds Write

  • Vulnerable module: ncurses-libs
  • Introduced through: ncurses-libs@6.1-9.20180224.el8
  • Fixed in: 0:6.1-9.20180224.el8_8.1

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 ncurses-libs@6.1-9.20180224.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses-libs package and not the ncurses-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.

Remediation

Upgrade RHEL:8 ncurses-libs to version 0:6.1-9.20180224.el8_8.1 or higher.
This issue was patched in RHSA-2023:5249.

References

medium severity

Improper Validation of Specified Type of Input

  • Vulnerable module: systemd-libs
  • Introduced through: systemd-libs@239-51.el8_5.3

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 systemd-libs@239-51.el8_5.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd-libs package and not the systemd-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

systemd, a system and service manager, (as PID 1) hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this is not possible as the safety check causes an assert instead. This IPC call was added in v239, so versions older than that are not affected. Versions 260-rc1, 259.2, 258.5, and 257.11 contain patches. No known workarounds are available.

Remediation

There is no fixed version for RHEL:8 systemd-libs.

References

medium severity

Integer Overflow or Wraparound

  • Vulnerable module: glib2
  • Introduced through: glib2@2.56.4-156.el8
  • Fixed in: 0:2.56.4-168.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glib2@2.56.4-156.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glib2 package and not the glib2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A heap-based buffer overflow problem was found in glib through an incorrect calculation of buffer size in the g_escape_uri_string() function. If the string to escape contains a very large number of unacceptable characters (which would need escaping), the calculation of the length of the escaped string could overflow, leading to a potential write off the end of the newly allocated string.

Remediation

Upgrade RHEL:8 glib2 to version 0:2.56.4-168.el8_10 or higher.
This issue was patched in RHSA-2026:0991.

References

medium severity

Out-of-bounds Write

  • Vulnerable module: freetype
  • Introduced through: freetype@2.9.1-4.el8_3.1
  • Fixed in: 0:2.9.1-9.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 freetype@2.9.1-4.el8_3.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream freetype package and not the freetype package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

FreeType commit 1e2eb65048f75c64b68708efed6ce904c31f3b2f was discovered to contain a heap buffer overflow via the function sfnt_init_face.

Remediation

Upgrade RHEL:8 freetype to version 0:2.9.1-9.el8 or higher.
This issue was patched in RHSA-2022:7745.

References

medium severity

Improper Input Validation

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8
  • Fixed in: 0:3.6.8-47.el8_6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

In Python (aka CPython) up to 3.10.8, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments). The fix is also back-ported to 3.7, 3.8, and 3.9.

Remediation

Upgrade RHEL:8 platform-python to version 0:3.6.8-47.el8_6 or higher.
This issue was patched in RHSA-2022:6457.

References

medium severity

Improper Input Validation

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8
  • Fixed in: 0:3.6.8-47.el8_6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

In Python (aka CPython) up to 3.10.8, the mailcap module does not add escape characters into commands discovered in the system mailcap file. This may allow attackers to inject shell commands into applications that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or arguments). The fix is also back-ported to 3.7, 3.8, and 3.9.

Remediation

Upgrade RHEL:8 python3-libs to version 0:3.6.8-47.el8_6 or higher.
This issue was patched in RHSA-2022:6457.

References

medium severity

Improper Certificate Validation

  • Vulnerable module: curl
  • Introduced through: curl@7.61.1-22.el8
  • Fixed in: 0:7.61.1-22.el8_6.3

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 curl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

libcurl would reuse a previously created connection even when a TLS or SSH related option had been changed that should have prohibited reuse. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, several TLS and SSH settings were left out from the configuration match checks, making them match too easily.

Remediation

Upgrade RHEL:8 curl to version 0:7.61.1-22.el8_6.3 or higher.
This issue was patched in RHSA-2022:5313.

References

medium severity

Missing Release of Resource after Effective Lifetime

  • Vulnerable module: curl
  • Introduced through: curl@7.61.1-22.el8
  • Fixed in: 0:7.61.1-34.el8_10.2

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 curl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application.

Remediation

Upgrade RHEL:8 curl to version 0:7.61.1-34.el8_10.2 or higher.
This issue was patched in RHSA-2024:5654.

References

medium severity

Integer Overflow or Wraparound

  • Vulnerable module: expat
  • Introduced through: expat@2.2.5-4.el8
  • Fixed in: 0:2.2.5-8.el8_6.2

medium severity

Integer Overflow or Wraparound

  • Vulnerable module: expat
  • Introduced through: expat@2.2.5-4.el8
  • Fixed in: 0:2.2.5-15.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 expat@2.2.5-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer.

Remediation

Upgrade RHEL:8 expat to version 0:2.2.5-15.el8_10 or higher.
This issue was patched in RHSA-2024:6989.

References

medium severity

Integer Overflow or Wraparound

  • Vulnerable module: expat
  • Introduced through: expat@2.2.5-4.el8
  • Fixed in: 0:2.2.5-15.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 expat@2.2.5-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX).

Remediation

Upgrade RHEL:8 expat to version 0:2.2.5-15.el8_10 or higher.
This issue was patched in RHSA-2024:6989.

References

medium severity

Resource Exhaustion

  • Vulnerable module: expat
  • Introduced through: expat@2.2.5-4.el8
  • Fixed in: 0:2.2.5-11.el8_9.1

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 expat@2.2.5-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.

Remediation

Upgrade RHEL:8 expat to version 0:2.2.5-11.el8_9.1 or higher.
This issue was patched in RHSA-2024:1615.

References

medium severity

Uncontrolled Recursion

  • Vulnerable module: expat
  • Introduced through: expat@2.2.5-4.el8
  • Fixed in: 0:2.2.5-17.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 expat@2.2.5-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A stack overflow vulnerability exists in the libexpat library due to the way it handles recursive entity expansion in XML documents. When parsing an XML document with deeply nested entity references, libexpat can be forced to recurse indefinitely, exhausting the stack space and causing a crash. This issue could lead to denial of service (DoS) or, in some cases, exploitable memory corruption, depending on the environment and library usage.

Remediation

Upgrade RHEL:8 expat to version 0:2.2.5-17.el8_10 or higher.
This issue was patched in RHSA-2025:3913.

References

medium severity

Use After Free

  • Vulnerable module: expat
  • Introduced through: expat@2.2.5-4.el8
  • Fixed in: 0:2.2.5-10.el8_7.1

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 expat@2.2.5-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

In libexpat through 2.4.9, there is a use-after-free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations.

Remediation

Upgrade RHEL:8 expat to version 0:2.2.5-10.el8_7.1 or higher.
This issue was patched in RHSA-2023:0103.

References

medium severity

Out-of-bounds Write

  • Vulnerable module: glib2
  • Introduced through: glib2@2.56.4-156.el8
  • Fixed in: 0:2.56.4-159.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glib2@2.56.4-156.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glib2 package and not the glib2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

In WebKitGTK through 2.36.0 (and WPE WebKit), there is a heap-based buffer overflow in WebCore::TextureMapperLayer::setContentsLayer in WebCore/platform/graphics/texmap/TextureMapperLayer.cpp.

Remediation

Upgrade RHEL:8 glib2 to version 0:2.56.4-159.el8 or higher.
This issue was patched in RHSA-2022:7704.

References

medium severity

Double Free

  • Vulnerable module: gnutls
  • Introduced through: gnutls@3.6.16-4.el8
  • Fixed in: 0:3.6.16-5.el8_6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 gnutls@3.6.16-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls package and not the gnutls package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A vulnerability was found in gnutls. This security flaw happens because a double free error occurs during verification of pkcs7 signatures in the gnutls_pkcs7_verify function.

Remediation

Upgrade RHEL:8 gnutls to version 0:3.6.16-5.el8_6 or higher.
This issue was patched in RHSA-2022:7105.

References

medium severity

Information Exposure

  • Vulnerable module: gnutls
  • Introduced through: gnutls@3.6.16-4.el8
  • Fixed in: 0:3.6.16-8.el8_9.1

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 gnutls@3.6.16-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls package and not the gnutls package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from the response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981.

Remediation

Upgrade RHEL:8 gnutls to version 0:3.6.16-8.el8_9.1 or higher.
This issue was patched in RHSA-2024:0627.

References

medium severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: harfbuzz
  • Introduced through: harfbuzz@1.7.5-3.el8
  • Fixed in: 0:1.7.5-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 harfbuzz@1.7.5-3.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream harfbuzz package and not the harfbuzz package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks.

Remediation

Upgrade RHEL:8 harfbuzz to version 0:1.7.5-4.el8 or higher.
This issue was patched in RHSA-2024:2980.

References

medium severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.20.0.8-2.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks.

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.20.0.8-2.el8 or higher.
This issue was patched in RHSA-2023:4175.

References

medium severity

CVE-2024-37370

  • Vulnerable module: krb5-libs
  • Introduced through: krb5-libs@1.18.2-14.el8
  • Fixed in: 0:1.18.2-29.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 krb5-libs@1.18.2-14.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5-libs package and not the krb5-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.

Remediation

Upgrade RHEL:8 krb5-libs to version 0:1.18.2-29.el8_10 or higher.
This issue was patched in RHSA-2024:5312.

References

medium severity

Improper Certificate Validation

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.61.1-22.el8
  • Fixed in: 0:7.61.1-22.el8_6.3

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libcurl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

libcurl would reuse a previously created connection even when a TLS or SSH related option had been changed that should have prohibited reuse. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, several TLS and SSH settings were left out from the configuration match checks, making them match too easily.

Remediation

Upgrade RHEL:8 libcurl to version 0:7.61.1-22.el8_6.3 or higher.
This issue was patched in RHSA-2022:5313.

References

medium severity

Missing Release of Resource after Effective Lifetime

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.61.1-22.el8
  • Fixed in: 0:7.61.1-34.el8_10.2

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libcurl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application.

Remediation

Upgrade RHEL:8 libcurl to version 0:7.61.1-34.el8_10.2 or higher.
This issue was patched in RHSA-2024:5654.

References

medium severity

Incorrect Calculation of Buffer Size

  • Vulnerable module: libgcrypt
  • Introduced through: libgcrypt@1.8.5-6.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libgcrypt@1.8.5-6.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libgcrypt package and not the libgcrypt package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Libgcrypt before 1.12.2 sometimes allows a heap-based buffer overflow and denial of service via crafted ECDH ciphertext to gcry_pk_decrypt.

Remediation

There is no fixed version for RHEL:8 libgcrypt.

References

medium severity

Expired Pointer Dereference

  • Vulnerable module: libpng
  • Introduced through: libpng@2:1.6.34-5.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libpng@2:1.6.34-5.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libpng package and not the libpng package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. In versions 1.2.1 through 1.6.55, png_set_tRNS and png_set_PLTE each alias a heap-allocated buffer between png_struct and png_info, sharing a single allocation across two structs with independent lifetimes. The trans_alpha aliasing has been present since at least libpng 1.0, and the palette aliasing since at least 1.2.1. Both affect all prior release lines. png_set_tRNS sets png_ptr->trans_alpha = info_ptr->trans_alpha (256-byte buffer) and png_set_PLTE sets info_ptr->palette = png_ptr->palette (768-byte buffer). In both cases, calling png_free_data (with PNG_FREE_TRNS or PNG_FREE_PLTE) frees the buffer through info_ptr while the corresponding png_ptr pointer remains dangling. Subsequent row-transform functions dereference and, in some code paths, write to the freed memory. A second call to png_set_tRNS or png_set_PLTE has the same effect, because both functions call png_free_data internally before reallocating the info_ptr buffer. Version 1.6.56 fixes the issue.

Remediation

There is no fixed version for RHEL:8 libpng.

References

medium severity

Resource Exhaustion

  • Vulnerable module: libtirpc
  • Introduced through: libtirpc@1.1.4-5.el8
  • Fixed in: 0:1.1.4-6.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libtirpc@1.1.4-5.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libtirpc package and not the libtirpc package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

In libtirpc before 1.3.3rc1, remote attackers could exhaust the file descriptors of a process that uses libtirpc because idle TCP connections are mishandled. This can, in turn, lead to an svc_run infinite loop without accepting new connections.

Remediation

Upgrade RHEL:8 libtirpc to version 0:1.1.4-6.el8 or higher.
This issue was patched in RHBA-2022:2065.

References

medium severity

Integer Overflow or Wraparound

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.7-9.el8_4.2
  • Fixed in: 0:2.9.7-15.el8_7.1

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libxml2@2.9.7-9.el8_4.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An issue was discovered in libxml2 before 2.10.3. When parsing a multi-gigabyte XML document with the XML_PARSE_HUGE parser option enabled, several integer counters can overflow. This results in an attempt to access an array at a negative 2GB offset, typically leading to a segmentation fault.

Remediation

Upgrade RHEL:8 libxml2 to version 0:2.9.7-15.el8_7.1 or higher.
This issue was patched in RHSA-2023:0173.

References

medium severity

Out-of-bounds Read

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.7-9.el8_4.2
  • Fixed in: 0:2.9.7-21.el8_10.3

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libxml2@2.9.7-9.el8_4.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer under-read. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.

Remediation

Upgrade RHEL:8 libxml2 to version 0:2.9.7-21.el8_10.3 or higher.
This issue was patched in RHSA-2025:13203.

References

medium severity

Use After Free

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.7-9.el8_4.2
  • Fixed in: 0:2.9.7-18.el8_10.1

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libxml2@2.9.7-9.el8_4.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.

Remediation

Upgrade RHEL:8 libxml2 to version 0:2.9.7-18.el8_10.1 or higher.
This issue was patched in RHSA-2024:3626.

References

medium severity

Resource Exhaustion

  • Vulnerable module: libzstd
  • Introduced through: libzstd@1.4.4-1.el8

medium severity
new

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: Remote peer may exhaust heap memory of the QUIC server or client by flooding it with packets containing PATH_CHALLENGE frames.

Impact summary: A malicious remote peer can cause an unbounded memory allocation which can lead to an abnormal termination of the application acting as a QUIC client or server and a Denial of Service.

A remote peer may exhaust heap memory by flooding the local QUIC stack with PATH_CHALLENGE frames. The local QUIC stack allocates a PATH_RESPONSE frame for every PATH_CHALLENGE it receives. The allocated PATH_RESPONSE frame gets freed only when the remote peer acknowledges reception of the PATH_RESPONSE frame which will not be done by a malicious peer.

The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue. The QUIC stack is outside of the OpenSSL FIPS module boundary.

Remediation

There is no fixed version for RHEL:8 openssl.

References

medium severity

NULL Pointer Dereference

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: During processing of a crafted CMS EnvelopedData message with KeyTransportRecipientInfo a NULL pointer dereference can happen.

Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denial of Service.

When a CMS EnvelopedData message that uses KeyTransportRecipientInfo with RSA-OAEP encryption is processed, the optional parameters field of RSA-OAEP SourceFunc algorithm identifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing.

Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Remediation

There is no fixed version for RHEL:8 openssl.

References

medium severity
new

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl-libs@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: Remote peer may exhaust heap memory of the QUIC server or client by flooding it with packets containing PATH_CHALLENGE frames.

Impact summary: A malicious remote peer can cause an unbounded memory allocation which can lead to an abnormal termination of the application acting as a QUIC client or server and a Denial of Service.

A remote peer may exhaust heap memory by flooding the local QUIC stack with PATH_CHALLENGE frames. The local QUIC stack allocates a PATH_RESPONSE frame for every PATH_CHALLENGE it receives. The allocated PATH_RESPONSE frame gets freed only when the remote peer acknowledges reception of the PATH_RESPONSE frame which will not be done by a malicious peer.

The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue. The QUIC stack is outside of the OpenSSL FIPS module boundary.

Remediation

There is no fixed version for RHEL:8 openssl-libs.

References

medium severity

NULL Pointer Dereference

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl-libs@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: During processing of a crafted CMS EnvelopedData message with KeyTransportRecipientInfo a NULL pointer dereference can happen.

Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denial of Service.

When a CMS EnvelopedData message that uses KeyTransportRecipientInfo with RSA-OAEP encryption is processed, the optional parameters field of RSA-OAEP SourceFunc algorithm identifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing.

Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Remediation

There is no fixed version for RHEL:8 openssl-libs.

References

medium severity

Out-of-bounds Read

  • Vulnerable module: pcre2
  • Introduced through: pcre2@10.32-2.el8
  • Fixed in: 0:10.32-3.el8_6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 pcre2@10.32-2.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream pcre2 package and not the pcre2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An out-of-bounds read vulnerability was discovered in the PCRE2 library in the compile_xclass_matchingpath() function of the pcre2_jit_compile.c file. This involves a unicode property matching issue in JIT-compiled regular expressions. The issue occurs because the character was not fully read in case-less matching within JIT.

Remediation

Upgrade RHEL:8 pcre2 to version 0:10.32-3.el8_6 or higher.
This issue was patched in RHSA-2022:5809.

References

medium severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8
  • Fixed in: 0:3.6.8-72.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents.

Remediation

Upgrade RHEL:8 platform-python to version 0:3.6.8-72.el8_10 or higher.
This issue was patched in RHSA-2026:1631.

References

medium severity

Incorrect Type Conversion or Cast

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8
  • Fixed in: 0:3.6.8-48.el8_7.1

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in python. In algorithms with quadratic time complexity using non-binary bases, when using int("text"), a system could take 50ms to parse an int string with 100,000 digits and 5s for 1,000,000 digits (float, decimal, int.from_bytes(), and int() for binary bases 2, 4, 8, 16, and 32 are not affected). The highest threat from this vulnerability is to system availability.

Remediation

Upgrade RHEL:8 platform-python to version 0:3.6.8-48.el8_7.1 or higher.
This issue was patched in RHSA-2023:0833.

References

medium severity

Inefficient Regular Expression Complexity

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8
  • Fixed in: 0:3.6.8-67.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

There is a MEDIUM severity vulnerability affecting CPython.

Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.

Remediation

Upgrade RHEL:8 platform-python to version 0:3.6.8-67.el8_10 or higher.
This issue was patched in RHSA-2024:6975.

References

medium severity

Loop with Unreachable Exit Condition ('Infinite Loop')

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8
  • Fixed in: 0:3.6.8-71.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives.

This vulnerability can be mitigated by including the following patch after importing the “tarfile” module: https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1

Remediation

Upgrade RHEL:8 platform-python to version 0:3.6.8-71.el8_10 or higher.
This issue was patched in RHSA-2025:14560.

References

medium severity

Resource Exhaustion

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8
  • Fixed in: 0:3.6.8-48.el8_7.1

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.

Remediation

Upgrade RHEL:8 platform-python to version 0:3.6.8-48.el8_7.1 or higher.
This issue was patched in RHSA-2023:0833.

References

medium severity

Use After Free

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8
  • Fixed in: 0:3.6.8-56.el8_9.2

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A use-after-free exists in Python through 3.9 via heappushpop in heapq.

Remediation

Upgrade RHEL:8 platform-python to version 0:3.6.8-56.el8_9.2 or higher.
This issue was patched in RHSA-2024:0114.

References

medium severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8
  • Fixed in: 0:3.6.8-72.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

When building nested elements using xml.dom.minidom methods such as appendChild() that have a dependency on _clear_id_cache() the algorithm is quadratic. Availability can be impacted when building excessively nested documents.

Remediation

Upgrade RHEL:8 python3-libs to version 0:3.6.8-72.el8_10 or higher.
This issue was patched in RHSA-2026:1631.

References

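The minidom advisory above (listed for both platform-python and python3-libs) says the cost of appendChild() grows quadratically with nesting depth. The usual control on an interpreter without the fix is to refuse over-nested documents before minidom builds the tree. The following is an added example, not code from the page, CPython, RHEL or Keycloak: it makes one streaming pass with the expat-backed iterparse, which is linear in document size, and aborts at a depth limit. MAX_DEPTH, the helper names and the sample documents are assumptions constructed for the example.

```python
import io
import xml.dom.minidom
import xml.etree.ElementTree as ET

MAX_DEPTH = 64  # assumed policy limit, not a CPython default


class NestingTooDeep(ValueError):
    """Raised when an element is nested deeper than the configured limit."""


def max_element_depth(data: bytes, limit: int = MAX_DEPTH) -> int:
    """Return the deepest element nesting level in `data`.

    Uses the streaming expat-backed parser, which costs linear time in the
    document size, and raises NestingTooDeep as soon as `limit` is exceeded,
    so a hostile document is abandoned after `limit` start tags.
    """
    depth = deepest = 0
    for event, elem in ET.iterparse(io.BytesIO(data), events=("start", "end")):
        if event == "start":
            depth += 1
            if depth > limit:
                raise NestingTooDeep(f"element nesting exceeds {limit}")
            deepest = max(deepest, depth)
        else:
            depth -= 1
            elem.clear()  # drop the finished subtree; the scan keeps nothing
    return deepest


def parse_untrusted(data: bytes, limit: int = MAX_DEPTH) -> xml.dom.minidom.Document:
    """Depth-check first, then let minidom build the tree with appendChild()."""
    max_element_depth(data, limit)
    return xml.dom.minidom.parseString(data)


def is_rejected(data: bytes, limit: int = MAX_DEPTH) -> bool:
    """True when the depth check refuses `data`."""
    try:
        max_element_depth(data, limit)
    except NestingTooDeep:
        return True
    return False


def nested_doc(depth: int) -> bytes:
    """Constructed sample: <a><a>...</a></a> nested `depth` levels deep."""
    return ("<a>" * depth + "</a>" * depth).encode()


if __name__ == "__main__":
    print(max_element_depth(nested_doc(10)))
    print(parse_untrusted(nested_doc(10)).documentElement.tagName)
    print(is_rejected(nested_doc(MAX_DEPTH + 1)))
```

The scan rejects a hostile document after reading only MAX_DEPTH start tags, so the quadratic appendChild() path is never entered for it; legitimate documents pay one extra linear pass.
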
medium severity

Incorrect Type Conversion or Cast

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8
  • Fixed in: 0:3.6.8-48.el8_7.1

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in python. In algorithms with quadratic time complexity using non-binary bases, when using int("text"), a system could take 50ms to parse an int string with 100,000 digits and 5s for 1,000,000 digits (float, decimal, int.from_bytes(), and int() for binary bases 2, 4, 8, 16, and 32 are not affected). The highest threat from this vulnerability is to system availability.

Remediation

Upgrade RHEL:8 python3-libs to version 0:3.6.8-48.el8_7.1 or higher.
This issue was patched in RHSA-2023:0833.

References

medium severity

Inefficient Regular Expression Complexity

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8
  • Fixed in: 0:3.6.8-67.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

There is a MEDIUM severity vulnerability affecting CPython.

Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.

Remediation

Upgrade RHEL:8 python3-libs to version 0:3.6.8-67.el8_10 or higher.
This issue was patched in RHSA-2024:6975.

References

medium severity

Loop with Unreachable Exit Condition ('Infinite Loop')

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8
  • Fixed in: 0:3.6.8-71.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives.

This vulnerability can be mitigated by including the following patch after importing the “tarfile” module: https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1

Remediation

Upgrade RHEL:8 python3-libs to version 0:3.6.8-71.el8_10 or higher.
This issue was patched in RHSA-2025:14560.

References

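The tarfile advisories above (the negative-offset infinite loop, and the pax header ReDoS, each listed for platform-python and python3-libs) are both triggered by header fields the archive author controls. Where the interpreter cannot be upgraded, a pre-scan of the raw 512-byte headers can refuse the offending shapes before tarfile parses them. The following is an added example, not code from the page, CPython, RHEL or Keycloak: it decodes the size field the way tarfile.nti() does (octal text, or GNU base-256 where a leading 0xff byte marks a negative number), rejects negative or out-of-range sizes, caps the member count, and caps the body size of pax and GNU extended headers. That last cap bounds how much attacker text reaches the pax regular expressions; it does not remove the ReDoS. MAX_MEMBERS, MAX_PAX_HEADER and both sample archives are constructed for the example.

```python
import io
import tarfile

BLOCK = 512
MAX_MEMBERS = 10_000        # assumed limit on entries per archive
MAX_PAX_HEADER = 64 * 1024  # assumed limit on one pax/GNU extended header body


class BadTarHeader(ValueError):
    """Raised when a header would be unsafe to hand to tarfile."""


def decode_size(field: bytes) -> int:
    """Decode the 12-byte size field: octal text, or GNU base-256 (signed)."""
    if field[0] in (0x80, 0xFF):
        n = int.from_bytes(field[1:], "big")
        if field[0] == 0xFF:                       # two's complement: negative
            n -= 256 ** (len(field) - 1)
        return n
    text = field.split(b"\0", 1)[0].strip()
    return int(text or b"0", 8)


def scan_tar(data: bytes):
    """Return [(name, size)] for every member, or raise BadTarHeader."""
    members = []
    off = 0
    while off + BLOCK <= len(data):
        hdr = data[off:off + BLOCK]
        if hdr == b"\0" * BLOCK:                   # end-of-archive marker
            break
        try:
            size = decode_size(hdr[124:136])
        except ValueError:
            raise BadTarHeader(f"unparseable size field at offset {off}")
        if size < 0:
            raise BadTarHeader(f"negative size {size} at offset {off}")
        typeflag = hdr[156:157]
        if typeflag in (b"x", b"g", b"L", b"K") and size > MAX_PAX_HEADER:
            raise BadTarHeader(f"extended header of {size} bytes at offset {off}")
        data_start = off + BLOCK
        if data_start + size > len(data):
            raise BadTarHeader(f"size {size} at offset {off} runs past end of archive")
        name = hdr[0:100].split(b"\0", 1)[0].decode("utf-8", "replace")
        members.append((name, size))
        if len(members) > MAX_MEMBERS:
            raise BadTarHeader("too many members")
        off = data_start + (size + BLOCK - 1) // BLOCK * BLOCK  # skip padded data
    return members


def open_checked(data: bytes) -> tarfile.TarFile:
    """Only open with tarfile once every header has passed the scan."""
    scan_tar(data)
    return tarfile.open(fileobj=io.BytesIO(data), mode="r:")


def is_rejected(data: bytes) -> bool:
    try:
        scan_tar(data)
    except BadTarHeader:
        return True
    return False


def benign_tar() -> bytes:
    """Constructed sample archive with two small members."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, body in (("a.txt", b"hello"), ("b.txt", b"world!")):
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


def negative_size_tar() -> bytes:
    """Constructed sample: one ustar header whose size field is base-256 -1."""
    hdr = bytearray(BLOCK)
    hdr[0:5] = b"evil\0"
    hdr[100:108] = b"0000644\0"
    hdr[124:136] = b"\xff" * 12                   # GNU base-256 encoding of -1
    hdr[156:157] = b"0"
    hdr[257:265] = b"ustar\x0000"
    hdr[148:156] = b" " * 8                        # checksum is computed over spaces
    hdr[148:156] = b"%06o\0 " % sum(hdr)
    return bytes(hdr) + b"\0" * (2 * BLOCK)


if __name__ == "__main__":
    print(scan_tar(benign_tar()))
    print(open_checked(benign_tar()).getnames())
    print(is_rejected(negative_size_tar()))
```

The crafted header is never passed to tarfile here; the point is that the scan refuses it on the sign of the size field alone, so whatever the installed tarfile does with a negative offset is never reached.
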
medium severity

Resource Exhaustion

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8
  • Fixed in: 0:3.6.8-48.el8_7.1

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.

Remediation

Upgrade RHEL:8 python3-libs to version 0:3.6.8-48.el8_7.1 or higher.
This issue was patched in RHSA-2023:0833.

References

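The int() advisory and the IDNA advisory above (each listed for platform-python and python3-libs) describe the same failure shape: a decoder whose running time is quadratic in an attacker-chosen input length. The upstream fixes add limits inside the interpreter; on an unpatched interpreter the same effect comes from refusing oversized input at the trust boundary. The following is an added example, not code from the page, CPython, RHEL or Keycloak, covering both passages. The limits are assumed policy values: 4300 is the value CPython later adopted as sys.int_info.default_max_str_digits, 253 is the DNS name length ceiling; the helper names are assumptions.

```python
import sys
from typing import Optional

MAX_INT_DIGITS = 4300  # same value as CPython's later default (sys.int_info.default_max_str_digits)
MAX_HOSTNAME = 253     # DNS name length ceiling (RFC 1035)


def parse_int(text: str, base: int = 10, limit: int = MAX_INT_DIGITS) -> int:
    """int() that refuses long strings in the bases whose parser is quadratic."""
    if base != 0 and base & (base - 1) == 0:
        # power-of-two bases (2, 4, 8, 16, 32) convert in linear time: no limit needed
        return int(text, base)
    digits = text.strip().lstrip("+-").replace("_", "")
    if len(digits) > limit:
        raise ValueError(f"{len(digits)} digits exceeds the {limit}-digit limit")
    return int(text, base)


def decode_hostname(name: str, limit: int = MAX_HOSTNAME) -> str:
    """IDNA-decode a hostname received from the network after bounding its size.

    A Location header or certificate name is attacker-controlled; refusing it
    by length before the codec runs keeps the quadratic path unreachable.
    """
    if len(name) > limit:
        raise ValueError(f"hostname of {len(name)} chars exceeds {limit}")
    labels = name.rstrip(".").split(".")
    if any(not 0 < len(label) <= 63 for label in labels):
        raise ValueError("hostname has an empty or over-long label")
    return name.encode("ascii").decode("idna")


def interpreter_limit() -> Optional[int]:
    """CPython's own int<->str digit limit, or None on a build without it."""
    getter = getattr(sys, "get_int_max_str_digits", None)
    return getter() if getter else None


def rejected(func, *args) -> bool:
    """True when func(*args) raises ValueError (UnicodeError is a subclass)."""
    try:
        func(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(parse_int("  -1234567890 "))
    print(parse_int("f" * 20000, 16))           # hex is linear, so allowed
    print(rejected(parse_int, "9" * 100000))    # the 100,000-digit case from the advisory
    print(decode_hostname("xn--bcher-kva.example"))
    print(rejected(decode_hostname, "xn--" + "a" * 5000 + ".example"))
    print(interpreter_limit())
```

interpreter_limit() tells you whether the running build already enforces a digit limit (it returns a value on patched interpreters, None on an unpatched 3.6); the boundary checks are worth keeping either way, since they reject the input before any decoder runs.
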
medium severity

Use After Free

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8
  • Fixed in: 0:3.6.8-56.el8_9.2

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A use-after-free exists in Python through 3.9 via heappushpop in heapq.

Remediation

Upgrade RHEL:8 python3-libs to version 0:3.6.8-56.el8_9.2 or higher.
This issue was patched in RHSA-2024:0114.

References

medium severity

NULL Pointer Dereference

  • Vulnerable module: sqlite-libs
  • Introduced through: sqlite-libs@3.26.0-15.el8
  • Fixed in: 0:3.26.0-16.el8_6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 sqlite-libs@3.26.0-15.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream sqlite-libs package and not the sqlite-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

In SQLite 3.31.1, a potential null pointer dereference was found in the INTERSECT query processing.

Remediation

Upgrade RHEL:8 sqlite-libs to version 0:3.26.0-16.el8_6 or higher.
This issue was patched in RHSA-2022:7108.

References

medium severity

Off-by-one Error

  • Vulnerable module: glibc
  • Introduced through: glibc@2.28-164.el8
  • Fixed in: 0:2.28-164.el8_5.3

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in glibc. An off-by-one buffer overflow and underflow in getcwd() may lead to memory corruption when the size of the buffer is exactly 1. A local attacker who can control the input buffer and size passed to getcwd() in a setuid program could use this flaw to potentially execute arbitrary code and escalate their privileges on the system.

Remediation

Upgrade RHEL:8 glibc to version 0:2.28-164.el8_5.3 or higher.
This issue was patched in RHSA-2022:0896.

References

medium severity

Off-by-one Error

  • Vulnerable module: glibc-common
  • Introduced through: glibc-common@2.28-164.el8
  • Fixed in: 0:2.28-164.el8_5.3

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-common@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-common package and not the glibc-common package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in glibc. An off-by-one buffer overflow and underflow in getcwd() may lead to memory corruption when the size of the buffer is exactly 1. A local attacker who can control the input buffer and size passed to getcwd() in a setuid program could use this flaw to potentially execute arbitrary code and escalate their privileges on the system.

Remediation

Upgrade RHEL:8 glibc-common to version 0:2.28-164.el8_5.3 or higher.
This issue was patched in RHSA-2022:0896.

References

medium severity

Off-by-one Error

  • Vulnerable module: glibc-langpack-en
  • Introduced through: glibc-langpack-en@2.28-164.el8
  • Fixed in: 0:2.28-164.el8_5.3

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-langpack-en@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-langpack-en package and not the glibc-langpack-en package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in glibc. An off-by-one buffer overflow and underflow in getcwd() may lead to memory corruption when the size of the buffer is exactly 1. A local attacker who can control the input buffer and size passed to getcwd() in a setuid program could use this flaw to potentially execute arbitrary code and escalate their privileges on the system.

Remediation

Upgrade RHEL:8 glibc-langpack-en to version 0:2.28-164.el8_5.3 or higher.
This issue was patched in RHSA-2022:0896.

References

medium severity

Off-by-one Error

  • Vulnerable module: glibc-minimal-langpack
  • Introduced through: glibc-minimal-langpack@2.28-164.el8
  • Fixed in: 0:2.28-164.el8_5.3

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-minimal-langpack@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-minimal-langpack package and not the glibc-minimal-langpack package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in glibc. An off-by-one buffer overflow and underflow in getcwd() may lead to memory corruption when the size of the buffer is exactly 1. A local attacker who can control the input buffer and size passed to getcwd() in a setuid program could use this flaw to potentially execute arbitrary code and escalate their privileges on the system.

Remediation

Upgrade RHEL:8 glibc-minimal-langpack to version 0:2.28-164.el8_5.3 or higher.
This issue was patched in RHSA-2022:0896.

References

medium severity

Covert Timing Channel

  • Vulnerable module: gnutls
  • Introduced through: gnutls@3.6.16-4.el8
  • Fixed in: 0:3.6.16-6.el8_7

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 gnutls@3.6.16-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls package and not the gnutls package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A timing side-channel in the handling of RSA ClientKeyExchange messages was discovered in GnuTLS. This side-channel can be sufficient to recover the key encrypted in the RSA ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption the attacker would need to send a large amount of specially crafted messages to the vulnerable server. By recovering the secret from the ClientKeyExchange message, the attacker would be able to decrypt the application data exchanged over that connection.

Remediation

Upgrade RHEL:8 gnutls to version 0:3.6.16-6.el8_7 or higher.
This issue was patched in RHSA-2023:1569.

References

medium severity

Information Exposure

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE:8u441, 8u441-perf, 11.0.26, 17.0.14, 21.0.6, 24; Oracle GraalVM for JDK:17.0.14, 21.0.6, 24; Oracle GraalVM Enterprise Edition:20.3.17 and 21.3.13. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

Remediation

There is no fixed version for RHEL:8 java-11-openjdk-headless.

References

medium severity

Out-of-bounds Write

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.7-9.el8_4.2
  • Fixed in: 0:2.9.7-13.el8_6.1

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libxml2@2.9.7-9.el8_4.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well.

Remediation

Upgrade RHEL:8 libxml2 to version 0:2.9.7-13.el8_6.1 or higher.
This issue was patched in RHSA-2022:5317.

References

medium severity
new

Improper Handling of Length Parameter Inconsistency

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue Summary: Cryptographic Message Services (CMS) processing fails to perform sufficient input validation on the cipher and tag length fields of AuthEnvelopedData containers, leading to various potential compromises.

Impact Summary: Attackers making use of these vulnerabilities may achieve key-equivalent functionality for a given CMS recipient and/or bypass integrity validation for a given message.

In one use case, an attacker may send a CMS message containing AuthEnvelopedData with the cipher specified as a non-AEAD cipher. OpenSSL erroneously allows this selection, and attempts to decrypt and validate the message.

An on-path attacker who captures one legitimate AES-GCM AuthEnvelopedData addressed to the victim can re-emit it with the recipientInfos set left byte-for-byte intact, so the victim's private key still unwraps the genuine CEK (the content-encryption key), but with the inner OID rewritten to AES-256-OFB (Output Feedback Mode, an unauthenticated keystream mode) and with an attacker-chosen IV and ciphertext. The victim initializes AES-256-OFB under the real CEK, never consults the MAC field, and CMS_decrypt() returns success.

If the application under attack responds to the attacker with any indicator showing success or failure of the decryption effort, it is possible for the attacker to use this as an oracle to obtain key equivalent functionality for the CEK used for the chosen recipient of the message.

In another use case, an attacker can reduce the tag length of the chosen AEAD cipher for a given AuthEnvelopedData container to be a single byte long, allowing an attacker to brute force CMS decryption, producing an integrity bypass for applications that trust CMS_decrypt() to reject modified content.

The FIPS modules are not affected by this issue.

Remediation

There is no fixed version for RHEL:8 openssl.

References

medium severity

Incorrect Calculation of Buffer Size

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.1.1k-4.el8
  • Fixed in: 1:1.1.1k-15.el8_6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing non-ASCII BMP code point can trigger a one byte write before the allocated buffer.

Impact summary: The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service.

The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 source byte count as the destination buffer capacity to UTF8_putc(). For BMP code points above U+07FF, UTF-8 requires three bytes, but the forwarded capacity can be just two bytes. UTF8_putc() then returns -1, and this negative value is added to the output length without validation, causing the length to become negative. The subsequent trailing NUL byte is then written at a negative offset, causing a write outside the heap-allocated buffer.

The vulnerability is reachable via the public PKCS12_get_friendlyname() API when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a different code path that avoids this issue, PKCS12_get_friendlyname() directly invokes the vulnerable function. Exploitation requires an attacker to provide a malicious PKCS#12 file to be parsed by the application and the attacker can just trigger a one zero byte write before the allocated buffer. For that reason the issue was assessed as Low severity according to our Security Policy.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

OpenSSL 1.0.2 is not affected by this issue.

Remediation

Upgrade RHEL:8 openssl to version 1:1.1.1k-15.el8_6 or higher.
This issue was patched in RHSA-2026:3042.

References

medium severity

Out-of-bounds Read

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.1.1k-4.el8
  • Fixed in: 1:1.1.1k-5.el8_5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are represented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own "d2i" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the "data" and "length" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the "data" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).

Remediation

Upgrade RHEL:8 openssl to version 1:1.1.1k-5.el8_5 or higher.
This issue was patched in RHSA-2021:5226.

References

medium severity
new

Improper Handling of Length Parameter Inconsistency

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl-libs@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue Summary: Cryptographic Message Services (CMS) processing fails to perform sufficient input validation on the cipher and tag length fields of AuthEnvelopedData containers, leading to various potential compromises.

Impact Summary: Attackers making use of these vulnerabilities may achieve key-equivalent functionality for a given CMS recipient and/or bypass integrity validation for a given message.

In one use case, an attacker may send a CMS message containing AuthEnvelopedData with the cipher specified as a non-AEAD cipher. OpenSSL erroneously allows this selection, and attempts to decrypt and validate the message.

An on-path attacker who captures one legitimate AES-GCM AuthEnvelopedData addressed to the victim can re-emit it with the recipientInfos set left byte-for-byte intact, so the victim's private key still unwraps the genuine CEK (the content-encryption key), but with the inner OID rewritten to AES-256-OFB (Output Feedback Mode, an unauthenticated keystream mode) and with an attacker-chosen IV and ciphertext. The victim initializes AES-256-OFB under the real CEK, never consults the MAC field, and CMS_decrypt() returns success.

If the application under attack responds to the attacker with any indicator showing success or failure of the decryption effort, it is possible for the attacker to use this as an oracle to obtain key equivalent functionality for the CEK used for the chosen recipient of the message.

In another use case, an attacker can reduce the tag length of the chosen AEAD cipher for a given AuthEnvelopedData container to be a single byte long, allowing an attacker to brute force CMS decryption, producing an integrity bypass for applications that trust CMS_decrypt() to reject modified content.

The FIPS modules are not affected by this issue.

Remediation

There is no fixed version for RHEL:8 openssl-libs.

References

medium severity

Incorrect Calculation of Buffer Size

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.1.1k-4.el8
  • Fixed in: 1:1.1.1k-15.el8_6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl-libs@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: Calling the PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing a non-ASCII BMP code point can trigger a one-byte write before the allocated buffer.

Impact summary: The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service.

The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 source byte count as the destination buffer capacity to UTF8_putc(). For BMP code points above U+07FF, UTF-8 requires three bytes, but the forwarded capacity can be just two bytes. UTF8_putc() then returns -1, and this negative value is added to the output length without validation, causing the length to become negative. The subsequent trailing NUL byte is then written at a negative offset, causing a write outside the heap-allocated buffer.

The vulnerability is reachable via the public PKCS12_get_friendlyname() API when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a different code path that avoids this issue, PKCS12_get_friendlyname() directly invokes the vulnerable function. Exploitation requires an attacker to provide a malicious PKCS#12 file to be parsed by the application, and the attacker can only trigger a single zero-byte write before the allocated buffer. For that reason the issue was assessed as Low severity according to our Security Policy.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

OpenSSL 1.0.2 is not affected by this issue.

Remediation

Upgrade RHEL:8 openssl-libs to version 1:1.1.1k-15.el8_6 or higher.
This issue was patched in RHSA-2026:3042.

References

medium severity

Out-of-bounds Read

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.1.1k-4.el8
  • Fixed in: 1:1.1.1k-5.el8_5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl-libs@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are represented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own "d2i" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the "data" and "length" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the "data" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non-NUL-terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).

Remediation

Upgrade RHEL:8 openssl-libs to version 1:1.1.1k-5.el8_5 or higher.
This issue was patched in RHSA-2021:5226.

References

medium severity

Open Redirect

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8
  • Fixed in: 0:3.6.8-48.el8_7.1

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple slashes (/) at the beginning of the URI path, which may lead to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states "Warning: http.server is not recommended for production. It only implements basic security checks."

Remediation

Upgrade RHEL:8 platform-python to version 0:3.6.8-48.el8_7.1 or higher.
This issue was patched in RHSA-2023:0833.

References

medium severity

Open Redirect

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8
  • Fixed in: 0:3.6.8-48.el8_7.1

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection against multiple slashes (/) at the beginning of the URI path, which may lead to information disclosure. NOTE: this is disputed by a third party because the http.server.html documentation page states "Warning: http.server is not recommended for production. It only implements basic security checks."

Remediation

Upgrade RHEL:8 python3-libs to version 0:3.6.8-48.el8_7.1 or higher.
This issue was patched in RHSA-2023:0833.

References

medium severity

Link Following

  • Vulnerable module: libarchive
  • Introduced through: libarchive@3.3.3-1.el8
  • Fixed in: 0:3.3.3-3.el8_5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libarchive@3.3.3-1.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libarchive package and not the libarchive package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An improper link resolution flaw while extracting an archive can lead to changing the access control list (ACL) of the target of the link. An attacker may provide a malicious archive to a victim user, who would trigger this flaw when trying to extract the archive. A local attacker may use this flaw to change the ACL of a file on the system and gain more privileges.

Remediation

Upgrade RHEL:8 libarchive to version 0:3.3.3-3.el8_5 or higher.
This issue was patched in RHSA-2022:0892.

References

medium severity

Heap-based Buffer Overflow

  • Vulnerable module: sqlite-libs
  • Introduced through: sqlite-libs@3.26.0-15.el8
  • Fixed in: 0:3.26.0-19.el8_9

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 sqlite-libs@3.26.0-15.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream sqlite-libs package and not the sqlite-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A vulnerability was found in SQLite SQLite3 up to 3.43.0 and classified as critical. This issue affects the function sessionReadRecord of the file ext/session/sqlite3session.c of the component make alltest Handler. The manipulation leads to heap-based buffer overflow. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-248999.

Remediation

Upgrade RHEL:8 sqlite-libs to version 0:3.26.0-19.el8_9 or higher.
This issue was patched in RHSA-2024:0253.

References

medium severity

Use After Free

  • Vulnerable module: cups-libs
  • Introduced through: cups-libs@1:2.2.6-40.el8
  • Fixed in: 1:2.2.6-54.el8_9

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 cups-libs@1:2.2.6-40.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream cups-libs package and not the cups-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

OpenPrinting CUPS is a standards-based, open source printing system for Linux and other Unix-like operating systems. Starting in version 2.0.0 and prior to version 2.4.6, CUPS logs data of free memory to the logging service AFTER the connection has been closed, when it should have logged the data right before. This is a use-after-free bug that impacts the entire cupsd process.

The exact cause of this issue is the function httpClose(con->http) being called in scheduler/client.c. The problem is that httpClose always, provided its argument is not null, frees the pointer at the end of the call, only for cupsdLogClient to pass the pointer to httpGetHostname. This issue happens in function cupsdAcceptClient if LogLevel is warn or higher and in two scenarios: there is a double-lookup for the IP Address (HostNameLookups Double is set in cupsd.conf) which fails to resolve, or if CUPS is compiled with TCP wrappers and the connection is refused by rules from /etc/hosts.allow and /etc/hosts.deny.

Version 2.4.6 has a patch for this issue.

Remediation

Upgrade RHEL:8 cups-libs to version 1:2.2.6-54.el8_9 or higher.
This issue was patched in RHSA-2023:7165.

References

medium severity

Access of Uninitialized Pointer

  • Vulnerable module: freetype
  • Introduced through: freetype@2.9.1-4.el8_3.1
  • Fixed in: 0:2.9.1-9.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 freetype@2.9.1-4.el8_3.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream freetype package and not the freetype package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

FreeType commit 53dfdcd8198d2b3201a23c4bad9190519ba918db was discovered to contain a segmentation violation via the function FNT_Size_Request.

Remediation

Upgrade RHEL:8 freetype to version 0:2.9.1-9.el8 or higher.
This issue was patched in RHSA-2022:7745.

References

medium severity

Access of Uninitialized Pointer

  • Vulnerable module: freetype
  • Introduced through: freetype@2.9.1-4.el8_3.1
  • Fixed in: 0:2.9.1-9.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 freetype@2.9.1-4.el8_3.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream freetype package and not the freetype package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

FreeType commit 22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5 was discovered to contain a segmentation violation via the function FT_Request_Size.

Remediation

Upgrade RHEL:8 freetype to version 0:2.9.1-9.el8 or higher.
This issue was patched in RHSA-2022:7745.

References

medium severity

Out-of-Bounds

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.25.0.9-2.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Buffer Overflow vulnerability in GifLib Project GifLib v.5.2.1 allows a local attacker to obtain sensitive information via the DumpScreen2RGB function in gif2rgb.c.

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.25.0.9-2.el8 or higher.
This issue was patched in RHSA-2024:8121.

References

medium severity

Link Following

  • Vulnerable module: libarchive
  • Introduced through: libarchive@3.3.3-1.el8
  • Fixed in: 0:3.3.3-3.el8_5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libarchive@3.3.3-1.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libarchive package and not the libarchive package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An improper link resolution flaw can occur while extracting an archive leading to changing modes, times, access control lists, and flags of a file outside of the archive. An attacker may provide a malicious archive to a victim user, who would trigger this flaw when trying to extract the archive. A local attacker may use this flaw to gain more privileges in a system.

Remediation

Upgrade RHEL:8 libarchive to version 0:3.3.3-3.el8_5 or higher.
This issue was patched in RHSA-2022:0892.

References

medium severity

Arbitrary Command Injection

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8
  • Fixed in: 0:3.6.8-73.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.

Remediation

Upgrade RHEL:8 platform-python to version 0:3.6.8-73.el8_10 or higher.
This issue was patched in RHSA-2026:2128.

References

medium severity

Arbitrary Command Injection

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8
  • Fixed in: 0:3.6.8-73.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.

Remediation

Upgrade RHEL:8 platform-python to version 0:3.6.8-73.el8_10 or higher.
This issue was patched in RHSA-2026:2128.

References

medium severity

CRLF Injection

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8
  • Fixed in: 0:3.6.8-73.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The email module, specifically the "BytesGenerator" class, didn't properly quote newlines for email headers when serializing an email message, allowing for header injection when an email is serialized. This is only applicable if using "LiteralHeader" to write headers that don't respect email folding rules; the new behavior will reject the incorrectly folded headers in "BytesGenerator".

Remediation

Upgrade RHEL:8 platform-python to version 0:3.6.8-73.el8_10 or higher.
This issue was patched in RHSA-2026:2128.

References

medium severity

Directory Traversal

  • Vulnerable module: platform-python-setuptools
  • Introduced through: platform-python-setuptools@39.2.0-6.el8
  • Fixed in: 0:39.2.0-9.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python-setuptools@39.2.0-6.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python-setuptools package and not the platform-python-setuptools package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in PackageIndex is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. Version 78.1.1 fixes the issue.

Remediation

Upgrade RHEL:8 platform-python-setuptools to version 0:39.2.0-9.el8_10 or higher.
This issue was patched in RHSA-2025:11036.

References

medium severity

Arbitrary Command Injection

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8
  • Fixed in: 0:3.6.8-73.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.

Remediation

Upgrade RHEL:8 python3-libs to version 0:3.6.8-73.el8_10 or higher.
This issue was patched in RHSA-2026:2128.

References

medium severity

Arbitrary Command Injection

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8
  • Fixed in: 0:3.6.8-73.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.

Remediation

Upgrade RHEL:8 python3-libs to version 0:3.6.8-73.el8_10 or higher.
This issue was patched in RHSA-2026:2128.

References

medium severity

CRLF Injection

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8
  • Fixed in: 0:3.6.8-73.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The email module, specifically the "BytesGenerator" class, didn't properly quote newlines for email headers when serializing an email message, allowing for header injection when an email is serialized. This is only applicable if using "LiteralHeader" to write headers that don't respect email folding rules; the new behavior will reject the incorrectly folded headers in "BytesGenerator".

Remediation

Upgrade RHEL:8 python3-libs to version 0:3.6.8-73.el8_10 or higher.
This issue was patched in RHSA-2026:2128.

References

medium severity

Directory Traversal

  • Vulnerable module: python3-setuptools-wheel
  • Introduced through: python3-setuptools-wheel@39.2.0-6.el8
  • Fixed in: 0:39.2.0-9.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-setuptools-wheel@39.2.0-6.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-setuptools-wheel package and not the python3-setuptools-wheel package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in PackageIndex is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. Version 78.1.1 fixes the issue.

Remediation

Upgrade RHEL:8 python3-setuptools-wheel to version 0:39.2.0-9.el8_10 or higher.
This issue was patched in RHSA-2025:11036.

References

medium severity

Heap-based Buffer Overflow

  • Vulnerable module: cups-libs
  • Introduced through: cups-libs@1:2.2.6-40.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 cups-libs@1:2.2.6-40.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream cups-libs package and not the cups-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Due to failure in validating the length provided by an attacker-crafted PPD PostScript document, CUPS and libppd are susceptible to a heap-based buffer overflow and possibly code execution. This issue has been fixed in CUPS version 2.4.7, released in September of 2023.

Remediation

There is no fixed version for RHEL:8 cups-libs.

References

medium severity

Off-by-one Error

  • Vulnerable module: glib2
  • Introduced through: glib2@2.56.4-156.el8
  • Fixed in: 0:2.56.4-166.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glib2@2.56.4-156.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glib2 package and not the glib2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one error and resultant buffer overflow because SOCKS4_CONN_MSG_LEN is not sufficient for a trailing '\0' character.

Remediation

Upgrade RHEL:8 glib2 to version 0:2.56.4-166.el8_10 or higher.
This issue was patched in RHSA-2025:11327.

References

medium severity

Out-of-bounds Write

  • Vulnerable module: glibc
  • Introduced through: glibc@2.28-164.el8
  • Fixed in: 0:2.28-164.el8_5.3

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The deprecated compatibility function svcunix_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its path argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.

Remediation

Upgrade RHEL:8 glibc to version 0:2.28-164.el8_5.3 or higher.
This issue was patched in RHSA-2022:0896.

References

medium severity

Out-of-bounds Write

  • Vulnerable module: glibc
  • Introduced through: glibc@2.28-164.el8
  • Fixed in: 0:2.28-164.el8_5.3

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its hostname argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.

Remediation

Upgrade RHEL:8 glibc to version 0:2.28-164.el8_5.3 or higher.
This issue was patched in RHSA-2022:0896.

References

medium severity

Untrusted Search Path

  • Vulnerable module: glibc
  • Introduced through: glibc@2.28-164.el8
  • Fixed in: 0:2.28-251.el8_10.22

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Untrusted LD_LIBRARY_PATH environment variable vulnerability in the GNU C Library version 2.27 to 2.38 allows attacker-controlled loading of a dynamically shared library in statically compiled setuid binaries that call dlopen (including internal dlopen calls after setlocale or calls to NSS functions such as getaddrinfo).

Remediation

Upgrade RHEL:8 glibc to version 0:2.28-251.el8_10.22 or higher.
This issue was patched in RHSA-2025:8686.

References

medium severity

Out-of-bounds Write

  • Vulnerable module: glibc-common
  • Introduced through: glibc-common@2.28-164.el8
  • Fixed in: 0:2.28-164.el8_5.3

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-common@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-common package and not the glibc-common package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The deprecated compatibility function svcunix_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its path argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.

Remediation

Upgrade RHEL:8 glibc-common to version 0:2.28-164.el8_5.3 or higher.
This issue was patched in RHSA-2022:0896.

References

medium severity

Out-of-bounds Write

  • Vulnerable module: glibc-common
  • Introduced through: glibc-common@2.28-164.el8
  • Fixed in: 0:2.28-164.el8_5.3

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-common@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-common package and not the glibc-common package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its hostname argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.

Remediation

Upgrade RHEL:8 glibc-common to version 0:2.28-164.el8_5.3 or higher.
This issue was patched in RHSA-2022:0896.

References

medium severity

Untrusted Search Path

  • Vulnerable module: glibc-common
  • Introduced through: glibc-common@2.28-164.el8
  • Fixed in: 0:2.28-251.el8_10.22

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-common@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-common package and not the glibc-common package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Untrusted LD_LIBRARY_PATH environment variable vulnerability in the GNU C Library version 2.27 to 2.38 allows attacker-controlled loading of a dynamically shared library in statically compiled setuid binaries that call dlopen (including internal dlopen calls after setlocale or calls to NSS functions such as getaddrinfo).

Remediation

Upgrade RHEL:8 glibc-common to version 0:2.28-251.el8_10.22 or higher.
This issue was patched in RHSA-2025:8686.

References

medium severity

Out-of-bounds Write

  • Vulnerable module: glibc-langpack-en
  • Introduced through: glibc-langpack-en@2.28-164.el8
  • Fixed in: 0:2.28-164.el8_5.3

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-langpack-en@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-langpack-en package and not the glibc-langpack-en package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The deprecated compatibility function svcunix_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its path argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.

Remediation

Upgrade RHEL:8 glibc-langpack-en to version 0:2.28-164.el8_5.3 or higher.
This issue was patched in RHSA-2022:0896.

References

medium severity

Out-of-bounds Write

  • Vulnerable module: glibc-langpack-en
  • Introduced through: glibc-langpack-en@2.28-164.el8
  • Fixed in: 0:2.28-164.el8_5.3

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-langpack-en@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-langpack-en package and not the glibc-langpack-en package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its hostname argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.

Remediation

Upgrade RHEL:8 glibc-langpack-en to version 0:2.28-164.el8_5.3 or higher.
This issue was patched in RHSA-2022:0896.

References

medium severity

Untrusted Search Path

  • Vulnerable module: glibc-langpack-en
  • Introduced through: glibc-langpack-en@2.28-164.el8
  • Fixed in: 0:2.28-251.el8_10.22

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-langpack-en@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-langpack-en package and not the glibc-langpack-en package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Untrusted LD_LIBRARY_PATH environment variable vulnerability in the GNU C Library version 2.27 to 2.38 allows attacker-controlled loading of a dynamically shared library in statically compiled setuid binaries that call dlopen (including internal dlopen calls after setlocale or calls to NSS functions such as getaddrinfo).

Remediation

Upgrade RHEL:8 glibc-langpack-en to version 0:2.28-251.el8_10.22 or higher.
This issue was patched in RHSA-2025:8686.

References

medium severity

Out-of-bounds Write

  • Vulnerable module: glibc-minimal-langpack
  • Introduced through: glibc-minimal-langpack@2.28-164.el8
  • Fixed in: 0:2.28-164.el8_5.3

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-minimal-langpack@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-minimal-langpack package and not the glibc-minimal-langpack package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The deprecated compatibility function svcunix_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its path argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.

Remediation

Upgrade RHEL:8 glibc-minimal-langpack to version 0:2.28-164.el8_5.3 or higher.
This issue was patched in RHSA-2022:0896.

References

medium severity

Out-of-bounds Write

  • Vulnerable module: glibc-minimal-langpack
  • Introduced through: glibc-minimal-langpack@2.28-164.el8
  • Fixed in: 0:2.28-164.el8_5.3

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-minimal-langpack@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-minimal-langpack package and not the glibc-minimal-langpack package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its hostname argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution.

Remediation

Upgrade RHEL:8 glibc-minimal-langpack to version 0:2.28-164.el8_5.3 or higher.
This issue was patched in RHSA-2022:0896.

References

medium severity

Untrusted Search Path

  • Vulnerable module: glibc-minimal-langpack
  • Introduced through: glibc-minimal-langpack@2.28-164.el8
  • Fixed in: 0:2.28-251.el8_10.22

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-minimal-langpack@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-minimal-langpack package and not the glibc-minimal-langpack package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Untrusted LD_LIBRARY_PATH environment variable vulnerability in the GNU C Library version 2.27 to 2.38 allows attacker-controlled loading of a dynamically shared library in statically compiled setuid binaries that call dlopen (including internal dlopen calls after setlocale or calls to NSS functions such as getaddrinfo).

Remediation

Upgrade RHEL:8 glibc-minimal-langpack to version 0:2.28-251.el8_10.22 or higher.
This issue was patched in RHSA-2025:8686.

References

medium severity
new

OS Command Injection

  • Vulnerable module: rpm
  • Introduced through: rpm@4.14.3-19.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 rpm@4.14.3-19.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream rpm package and not the rpm package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A command injection vulnerability was discovered in the rpmuncompress utility of RPM. When extracting certain archive formats (ZIP, 7z, GEM) to a specified destination directory, the tool inserts the archive's top-level folder name into a shell command without properly sanitizing it. A specially crafted archive containing shell metacharacters in its folder name can execute arbitrary commands as the user running the extraction.

Remediation

There is no fixed version for RHEL:8 rpm.

References

medium severity
new

OS Command Injection

  • Vulnerable module: rpm-libs
  • Introduced through: rpm-libs@4.14.3-19.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 rpm-libs@4.14.3-19.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream rpm-libs package and not the rpm-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A command injection vulnerability was discovered in the rpmuncompress utility of RPM. When extracting certain archive formats (ZIP, 7z, GEM) to a specified destination directory, the tool inserts the archive's top-level folder name into a shell command without properly sanitizing it. A specially crafted archive containing shell metacharacters in its folder name can execute arbitrary commands as the user running the extraction.

Remediation

There is no fixed version for RHEL:8 rpm-libs.

References

medium severity

CVE-2005-2541

  • Vulnerable module: tar
  • Introduced through: tar@2:1.30-5.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 tar@2:1.30-5.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream tar package and not the tar package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges.

Remediation

There is no fixed version for RHEL:8 tar.

References

medium severity

Out-of-Bounds

  • Vulnerable module: zlib
  • Introduced through: zlib@1.2.11-17.el8
  • Fixed in: 0:1.2.11-19.el8_6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 zlib@1.2.11-17.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream zlib package and not the zlib package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).

Remediation

Upgrade RHEL:8 zlib to version 0:1.2.11-19.el8_6 or higher.
This issue was patched in RHSA-2022:7106.

References

medium severity

Improper Certificate Validation

  • Vulnerable module: curl
  • Introduced through: curl@7.61.1-22.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 curl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

When using the CURLOPT_PINNEDPUBLICKEY option with libcurl or --pinnedpubkey with the curl tool, curl should check the public key of the server certificate to verify the peer.

This check was skipped in a certain condition that would then make curl allow the connection without performing the proper check, thus not noticing a possible impostor. To skip this check, the connection had to be done with QUIC with ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard certificate verification.

Remediation

There is no fixed version for RHEL:8 curl.

References

medium severity

Incorrect Implementation of Authentication Algorithm

  • Vulnerable module: curl
  • Introduced through: curl@7.61.1-22.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 curl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

libcurl can in some circumstances reuse the wrong connection when asked to do a Negotiate-authenticated HTTP or HTTPS request.

libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead.

When reusing a connection, a range of criteria must first be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials. One underlying reason is that Negotiate sometimes authenticates connections and not requests, contrary to how HTTP is designed to work.

Consider an application that performs Negotiate authentication to a server (one that responds wanting Negotiate) with user1:password1 and then does another operation to the same server, also using Negotiate but with user2:password2, while the previous connection is still alive. The second request wrongly reuses the same connection; since libcurl then sees that the Negotiate negotiation is already done, it just sends the request over that connection, thinking it uses the user2 credentials when it is in fact still using the connection authenticated for user1.

The set of authentication methods to use is set with CURLOPT_HTTPAUTH.

Applications can disable libcurl's reuse of connections, and thus mitigate this problem, by using one of the following libcurl options to alter how connections are or are not reused: CURLOPT_FRESH_CONNECT, CURLOPT_MAXCONNECTS and CURLMOPT_MAX_HOST_CONNECTIONS (if using the curl_multi API).

Remediation

There is no fixed version for RHEL:8 curl.

References

medium severity

Improper Certificate Validation

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.61.1-22.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libcurl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

When using the CURLOPT_PINNEDPUBLICKEY option with libcurl or --pinnedpubkey with the curl tool, curl should check the public key of the server certificate to verify the peer.

This check was skipped in a certain condition that would then make curl allow the connection without performing the proper check, thus not noticing a possible impostor. To skip this check, the connection had to be done with QUIC with ngtcp2 built to use GnuTLS and the user had to explicitly disable the standard certificate verification.

Remediation

There is no fixed version for RHEL:8 libcurl.

References

medium severity

Incorrect Implementation of Authentication Algorithm

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.61.1-22.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libcurl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

libcurl can in some circumstances reuse the wrong connection when asked to do a Negotiate-authenticated HTTP or HTTPS request.

libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead.

When reusing a connection, a range of criteria must first be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials. One underlying reason is that Negotiate sometimes authenticates connections and not requests, contrary to how HTTP is designed to work.

Consider an application that performs Negotiate authentication to a server (one that responds wanting Negotiate) with user1:password1 and then does another operation to the same server, also using Negotiate but with user2:password2, while the previous connection is still alive. The second request wrongly reuses the same connection; since libcurl then sees that the Negotiate negotiation is already done, it just sends the request over that connection, thinking it uses the user2 credentials when it is in fact still using the connection authenticated for user1.

The set of authentication methods to use is set with CURLOPT_HTTPAUTH.

Applications can disable libcurl's reuse of connections, and thus mitigate this problem, by using one of the following libcurl options to alter how connections are or are not reused: CURLOPT_FRESH_CONNECT, CURLOPT_MAXCONNECTS and CURLMOPT_MAX_HOST_CONNECTIONS (if using the curl_multi API).

Remediation

There is no fixed version for RHEL:8 libcurl.

References

medium severity

Integer Underflow

  • Vulnerable module: openldap
  • Introduced through: openldap@2.4.46-18.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openldap@2.4.46-18.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openldap package and not the openldap package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

OpenLDAP Lightning Memory-Mapped Database (LMDB) versions up to and including 0.9.14, prior to commit 8e1fda8, contain a heap buffer underflow in the readline() function of mdb_load. When processing malformed input containing an embedded NUL byte, an unsigned offset calculation can underflow and cause an out-of-bounds read of one byte before the allocated heap buffer. This can cause mdb_load to crash, leading to a limited denial-of-service condition.

Remediation

There is no fixed version for RHEL:8 openldap.

References

medium severity

Cross-site Scripting (XSS)

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for the JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. The mitigation base64-encodes the cookie value so that the cookie value cannot be used to break out of the script element.

Remediation

There is no fixed version for RHEL:8 platform-python.

References

medium severity

CVE-2024-6923

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8
  • Fixed in: 0:3.6.8-67.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

There is a MEDIUM severity vulnerability affecting CPython.

The email module did not properly quote newlines in email headers when serializing an email message, allowing header injection when an email is serialized.

Remediation

Upgrade RHEL:8 platform-python to version 0:3.6.8-67.el8_10 or higher.
This issue was patched in RHSA-2024:6975.

References

medium severity

Improper Input Validation

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8
  • Fixed in: 0:3.6.8-74.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The Python standard library functions urllib.parse.urlsplit and urlparse accepted domain names that included square brackets, which is not valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This could result in differential parsing between the Python URL parser and other specification-compliant URL parsers.

Remediation

Upgrade RHEL:8 platform-python to version 0:3.6.8-74.el8_10 or higher.
This issue was patched in RHSA-2026:5588.

References

medium severity

Cross-site Scripting (XSS)

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for the JavaScript string context. It does not neutralize the HTML parser-sensitive sequence </script> inside the generated script element. The mitigation base64-encodes the cookie value so that the cookie value cannot be used to break out of the script element.

Remediation

There is no fixed version for RHEL:8 python3-libs.

References

medium severity

CVE-2024-6923

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8
  • Fixed in: 0:3.6.8-67.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

There is a MEDIUM severity vulnerability affecting CPython.

The email module did not properly quote newlines in email headers when serializing an email message, allowing header injection when an email is serialized.

Remediation

Upgrade RHEL:8 python3-libs to version 0:3.6.8-67.el8_10 or higher.
This issue was patched in RHSA-2024:6975.

References

medium severity

Improper Input Validation

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8
  • Fixed in: 0:3.6.8-74.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The Python standard library functions urllib.parse.urlsplit and urlparse accepted domain names that included square brackets, which is not valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This could result in differential parsing between the Python URL parser and other specification-compliant URL parsers.

Remediation

Upgrade RHEL:8 python3-libs to version 0:3.6.8-74.el8_10 or higher.
This issue was patched in RHSA-2026:5588.

References

medium severity

Arbitrary Command Injection

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.1.1k-4.el8
  • Fixed in: 1:1.1.1k-7.el8_6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd).

Remediation

Upgrade RHEL:8 openssl to version 1:1.1.1k-7.el8_6 or higher.
This issue was patched in RHSA-2022:5818.

References

medium severity

Arbitrary Command Injection

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.1.1k-4.el8
  • Fixed in: 1:1.1.1k-7.el8_6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze).

Remediation

Upgrade RHEL:8 openssl to version 1:1.1.1k-7.el8_6 or higher.
This issue was patched in RHSA-2022:5818.

References

medium severity

Arbitrary Command Injection

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.1.1k-4.el8
  • Fixed in: 1:1.1.1k-7.el8_6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl-libs@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd).

Remediation

Upgrade RHEL:8 openssl-libs to version 1:1.1.1k-7.el8_6 or higher.
This issue was patched in RHSA-2022:5818.

References

medium severity

Arbitrary Command Injection

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.1.1k-4.el8
  • Fixed in: 1:1.1.1k-7.el8_6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl-libs@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze).

Remediation

Upgrade RHEL:8 openssl-libs to version 1:1.1.1k-7.el8_6 or higher.
This issue was patched in RHSA-2022:5818.

References

medium severity

Improper Access Control

  • Vulnerable module: systemd-libs
  • Introduced through: systemd-libs@239-51.el8_5.3

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 systemd-libs@239-51.el8_5.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd-libs package and not the systemd-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in systemd. The systemd-machined service contains an Improper Access Control vulnerability due to insufficient validation of the class parameter in the RegisterMachine D-Bus (Desktop Bus) method. A local unprivileged user can exploit this by attempting to register a machine with a specific class value, which may leave behind a usable, attacker-controlled machine object. This allows the attacker to invoke methods on the privileged object, leading to the execution of arbitrary commands with root privileges on the host system.

Remediation

There is no fixed version for RHEL:8 systemd-libs.

References

medium severity

Reachable Assertion

  • Vulnerable module: avahi-libs
  • Introduced through: avahi-libs@0.7-20.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 avahi-libs@0.7-20.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream avahi-libs package and not the avahi-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending 2 unsolicited announcements with CNAME resource records 2 seconds apart.

Remediation

There is no fixed version for RHEL:8 avahi-libs.

References

medium severity

Reachable Assertion

  • Vulnerable module: avahi-libs
  • Introduced through: avahi-libs@0.7-20.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 avahi-libs@0.7-20.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream avahi-libs package and not the avahi-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, avahi-daemon can be crashed by sending unsolicited announcements containing CNAME resource records pointing it to resource records with short TTLs. As soon as they expire avahi-daemon crashes.

Remediation

There is no fixed version for RHEL:8 avahi-libs.

References

medium severity

Uncontrolled Recursion

  • Vulnerable module: avahi-libs
  • Introduced through: avahi-libs@0.7-20.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 avahi-libs@0.7-20.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream avahi-libs package and not the avahi-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions 0.9rc2 and below, avahi-daemon can be crashed via a segmentation fault by sending an unsolicited mDNS response containing a recursive CNAME record, where the alias and canonical name point to the same domain (e.g., "h.local" as a CNAME for "h.local"). This causes unbounded recursion in the lookup_handle_cname function, leading to stack exhaustion. The vulnerability affects record browsers where AVAHI_LOOKUP_USE_MULTICAST is set explicitly, which includes record browsers created by resolvers used by nss-mdns. This issue is patched in commit 78eab31128479f06e30beb8c1cbf99dd921e2524.

Remediation

There is no fixed version for RHEL:8 avahi-libs.

References

medium severity

Directory Traversal

  • Vulnerable module: cups-libs
  • Introduced through: cups-libs@1:2.2.6-40.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 cups-libs@1:2.2.6-40.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream cups-libs package and not the cups-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, the RSS notifier allows .. path traversal in notify-recipient-uri (e.g., rss:///../job.cache), letting a remote IPP client write RSS XML bytes outside CacheDir/rss (anywhere that is lp-writable). In particular, because CacheDir is group-writable by default (typically root:lp and mode 0770), the notifier (running as lp) can replace root-managed state files via temp-file + rename(). This PoC clobbers CacheDir/job.cache with RSS XML, and after restarting cupsd the scheduler fails to parse the job cache and previously queued jobs disappear. At time of publication, there are no publicly available patches.

Remediation

There is no fixed version for RHEL:8 cups-libs.

References

medium severity

NULL Pointer Dereference

  • Vulnerable module: cups-libs
  • Introduced through: cups-libs@1:2.2.6-40.el8
  • Fixed in: 1:2.2.6-64.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 cups-libs@1:2.2.6-40.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream cups-libs package and not the cups-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.12 and earlier, unsafe deserialization and validation of printer attributes causes a null dereference in the libcups library. This is a remote DoS vulnerability reachable from the local subnet in default configurations. It can cause cups and cups-browsed to crash on all machines in the local network that are listening for printers (so, by default, all regular Linux machines). On systems where the vulnerability CVE-2024-47176 (cups-filters 1.x/cups-browsed 2.x vulnerability) was not fixed, and the firewall on the machine does not reject incoming communication to the IPP port, and the machine is set to be available to the public internet, attack vector "Network" is possible. The current versions of the CUPS and cups-browsed projects have the attack vector "Adjacent" in their default configurations. Version 2.4.13 contains a patch for CVE-2025-58364.

Remediation

Upgrade RHEL:8 cups-libs to version 1:2.2.6-64.el8_10 or higher.
This issue was patched in RHSA-2025:22063.

References

medium severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: curl
  • Introduced through: curl@7.61.1-22.el8
  • Fixed in: 0:7.61.1-22.el8_6.4

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 curl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

curl < 7.84.0 supports "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps. The use of such a decompression chain could result in a "malloc bomb", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.

Remediation

Upgrade RHEL:8 curl to version 0:7.61.1-22.el8_6.4 or higher.
This issue was patched in RHSA-2022:6159.

References

medium severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: curl
  • Introduced through: curl@7.61.1-22.el8
  • Fixed in: 0:7.61.1-25.el8_7.3

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 curl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was capped, but the cap was implemented on a per-header basis allowing a malicious server to insert a virtually unlimited number of compression steps simply by using many headers. The use of such a decompression chain could result in a "malloc bomb", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.

Remediation

Upgrade RHEL:8 curl to version 0:7.61.1-25.el8_7.3 or higher.
This issue was patched in RHSA-2023:1140.

References

medium severity

Authentication Bypass by Primary Weakness

  • Vulnerable module: curl
  • Introduced through: curl@7.61.1-22.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 curl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection.

Remediation

There is no fixed version for RHEL:8 curl.

References

medium severity

Comparison Using Wrong Factors

  • Vulnerable module: curl
  • Introduced through: curl@7.61.1-22.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 curl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

libcurl might in some circumstances reuse the wrong connection for SMB(S) transfers.

libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead.

When reusing a connection a range of criteria must be met. Due to a logical error in the code, a network transfer operation that was requested by an application could wrongfully reuse an existing SMB connection to the same server that was using a different 'share' than the new subsequent transfer should.

This could in unlucky situations lead to the download of the wrong file or the upload of a file to the wrong place. When this happens, the same credentials are used and the server name is the same.

Remediation

There is no fixed version for RHEL:8 curl.

References

medium severity

Exposure of Data Element to Wrong Session

  • Vulnerable module: curl
  • Introduced through: curl@7.61.1-22.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 curl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

libcurl might in some circumstances reuse the wrong connection when asked to do an authenticated HTTP(S) request after a Negotiate-authenticated one, when both use the same host.

libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead.

When reusing a connection a range of criteria must be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials.

An application that first uses Negotiate authentication to a server with user1:password1 and then does another operation to the same server asking for any authentication method but for user2:password2 (while the previous connection is still alive) - the second request gets confused and wrongly reuses the same connection and sends the new request over that connection thinking it uses a mix of user1's and user2's credentials when it is in fact still using the connection authenticated for user1...

Remediation

There is no fixed version for RHEL:8 curl.

References

medium severity

Information Exposure

  • Vulnerable module: curl
  • Introduced through: curl@7.61.1-22.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 curl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

When asked to both use a .netrc file for credentials and to follow HTTP redirects, libcurl could leak the password used for the first host to the followed-to host under certain circumstances.

Remediation

There is no fixed version for RHEL:8 curl.

References

medium severity

Improper Verification of Cryptographic Signature

  • Vulnerable module: dbus-libs
  • Introduced through: dbus-libs@1:1.12.8-14.el8
  • Fixed in: 1:1.12.8-23.el8_7.1

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 dbus-libs@1:1.12.8-14.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream dbus-libs package and not the dbus-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash when receiving a message with certain invalid type signatures.

Remediation

Upgrade RHEL:8 dbus-libs to version 1:1.12.8-23.el8_7.1 or higher.
This issue was patched in RHSA-2023:0096.

References

medium severity

Resource Exhaustion

  • Vulnerable module: dbus-libs
  • Introduced through: dbus-libs@1:1.12.8-14.el8
  • Fixed in: 1:1.12.8-23.el8_7.1

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 dbus-libs@1:1.12.8-14.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream dbus-libs package and not the dbus-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash when receiving a message where an array length is inconsistent with the size of the element type.

Remediation

Upgrade RHEL:8 dbus-libs to version 1:1.12.8-23.el8_7.1 or higher.
This issue was patched in RHSA-2023:0096.

References

medium severity

Resource Exhaustion

  • Vulnerable module: dbus-libs
  • Introduced through: dbus-libs@1:1.12.8-14.el8
  • Fixed in: 1:1.12.8-23.el8_7.1

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 dbus-libs@1:1.12.8-14.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream dbus-libs package and not the dbus-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash by sending a message with attached file descriptors in an unexpected format.

Remediation

Upgrade RHEL:8 dbus-libs to version 1:1.12.8-23.el8_7.1 or higher.
This issue was patched in RHSA-2023:0096.

References

medium severity

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

  • Vulnerable module: expat
  • Introduced through: expat@2.2.5-4.el8
  • Fixed in: 0:2.2.5-8.el8_6.2

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 expat@2.2.5-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

In Expat (aka libexpat) before 2.4.5, an attacker can trigger stack exhaustion in build_model via a large nesting depth in the DTD element.

Remediation

Upgrade RHEL:8 expat to version 0:2.2.5-8.el8_6.2 or higher.
This issue was patched in RHSA-2022:5314.

References

medium severity

CVE-2022-32816

  • Vulnerable module: glib2
  • Introduced through: glib2@2.56.4-156.el8
  • Fixed in: 0:2.56.4-159.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glib2@2.56.4-156.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glib2 package and not the glib2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The issue was addressed with improved UI handling. This issue is fixed in watchOS 8.7, tvOS 15.6, iOS 15.6 and iPadOS 15.6, macOS Monterey 12.5. Visiting a website that frames malicious content may lead to UI spoofing.

Remediation

Upgrade RHEL:8 glib2 to version 0:2.56.4-159.el8 or higher.
This issue was patched in RHSA-2022:7704.

References

medium severity

Information Exposure

  • Vulnerable module: glib2
  • Introduced through: glib2@2.56.4-156.el8
  • Fixed in: 0:2.56.4-159.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glib2@2.56.4-156.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glib2 package and not the glib2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A cookie management issue was addressed with improved state management. This issue is fixed in Security Update 2022-003 Catalina, macOS Big Sur 11.6.5. Processing maliciously crafted web content may disclose sensitive user information.

Remediation

Upgrade RHEL:8 glib2 to version 0:2.56.4-159.el8 or higher.
This issue was patched in RHSA-2022:7704.

References

medium severity

Integer Overflow or Wraparound

  • Vulnerable module: glib2
  • Introduced through: glib2@2.56.4-156.el8
  • Fixed in: 0:2.56.4-169.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glib2@2.56.4-156.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glib2 package and not the glib2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in glib. This vulnerability allows a heap buffer overflow and denial-of-service (DoS) via an integer overflow in GLib's GIO (GLib Input/Output) escape_byte_string() function when processing malicious file or remote filesystem attribute values.

Remediation

Upgrade RHEL:8 glib2 to version 0:2.56.4-169.el8_10 or higher.
This issue was patched in RHSA-2026:15953.

References

medium severity

Improper Validation of Syntactic Correctness of Input

  • Vulnerable module: glibc
  • Introduced through: glibc@2.28-164.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer section of the DNS response as a valid answer.

Remediation

There is no fixed version for RHEL:8 glibc.

References

medium severity

Improper Validation of Syntactic Correctness of Input

  • Vulnerable module: glibc-common
  • Introduced through: glibc-common@2.28-164.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-common@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-common package and not the glibc-common package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer section of the DNS response as a valid answer.

Remediation

There is no fixed version for RHEL:8 glibc-common.

References

medium severity

Improper Validation of Syntactic Correctness of Input

  • Vulnerable module: glibc-langpack-en
  • Introduced through: glibc-langpack-en@2.28-164.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-langpack-en@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-langpack-en package and not the glibc-langpack-en package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer section of the DNS response as a valid answer.

Remediation

There is no fixed version for RHEL:8 glibc-langpack-en.

References

medium severity

Improper Validation of Syntactic Correctness of Input

  • Vulnerable module: glibc-minimal-langpack
  • Introduced through: glibc-minimal-langpack@2.28-164.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-minimal-langpack@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-minimal-langpack package and not the glibc-minimal-langpack package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer section of the DNS response as a valid answer.

Remediation

There is no fixed version for RHEL:8 glibc-minimal-langpack.

References

medium severity

Double Free

  • Vulnerable module: gnutls
  • Introduced through: gnutls@3.6.16-4.el8
  • Fixed in: 0:3.6.16-8.el8_10.4

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 gnutls@3.6.16-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls package and not the gnutls package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in GnuTLS. A double-free vulnerability exists in GnuTLS due to incorrect ownership handling in the export logic of Subject Alternative Name (SAN) entries containing an otherName. If the type-id OID is invalid or malformed, GnuTLS will call asn1_delete_structure() on an ASN.1 node it does not own, leading to a double-free condition when the parent function or caller later attempts to free the same structure.

This vulnerability can be triggered using only public GnuTLS APIs and may result in denial of service or memory corruption, depending on allocator behavior.

Remediation

Upgrade RHEL:8 gnutls to version 0:3.6.16-8.el8_10.4 or higher.
This issue was patched in RHSA-2025:17415.

References

medium severity

Heap-based Buffer Overflow

  • Vulnerable module: gnutls
  • Introduced through: gnutls@3.6.16-4.el8
  • Fixed in: 0:3.6.16-8.el8_10.4

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 gnutls@3.6.16-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls package and not the gnutls package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A heap-buffer-overflow (off-by-one) flaw was found in the GnuTLS software in the template parsing logic within the certtool utility. When it reads certain settings from a template file, it allows an attacker to cause an out-of-bounds (OOB) NULL pointer write, resulting in memory corruption and a denial-of-service (DoS) that could potentially crash the system.

Remediation

Upgrade RHEL:8 gnutls to version 0:3.6.16-8.el8_10.4 or higher.
This issue was patched in RHSA-2025:17415.

References

medium severity

NULL Pointer Dereference

  • Vulnerable module: gnutls
  • Introduced through: gnutls@3.6.16-4.el8
  • Fixed in: 0:3.6.16-8.el8_10.4

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 gnutls@3.6.16-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls package and not the gnutls package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A NULL pointer dereference flaw was found in the GnuTLS software in _gnutls_figure_common_ciphersuite().

Remediation

Upgrade RHEL:8 gnutls to version 0:3.6.16-8.el8_10.4 or higher.
This issue was patched in RHSA-2025:17415.

References

medium severity

CVE-2024-37371

  • Vulnerable module: krb5-libs
  • Introduced through: krb5-libs@1.18.2-14.el8
  • Fixed in: 0:1.18.2-29.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 krb5-libs@1.18.2-14.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5-libs package and not the krb5-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.

Remediation

Upgrade RHEL:8 krb5-libs to version 0:1.18.2-29.el8_10 or higher.
This issue was patched in RHSA-2024:5312.

References

medium severity

Out-of-bounds Write

  • Vulnerable module: krb5-libs
  • Introduced through: krb5-libs@1.18.2-14.el8
  • Fixed in: 0:1.18.2-31.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 krb5-libs@1.18.2-14.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5-libs package and not the krb5-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

In MIT Kerberos 5 (aka krb5) before 1.22 (with incremental propagation), there is an integer overflow for a large update size to resize() in kdb_log.c. An authenticated attacker can cause an out-of-bounds write and kadmind daemon crash.

Remediation

Upgrade RHEL:8 krb5-libs to version 0:1.18.2-31.el8_10 or higher.
This issue was patched in RHSA-2025:2722.

References

medium severity

Incorrect Bitwise Shift of Integer

  • Vulnerable module: libarchive
  • Introduced through: libarchive@3.3.3-1.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libarchive@3.3.3-1.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libarchive package and not the libarchive package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in libarchive. An Undefined Behavior vulnerability exists in the zisofs decompression logic, caused by improper validation of a field (pz_log2_bs) read from ISO9660 Rock Ridge extensions. A remote attacker can exploit this by supplying a specially crafted ISO file. This can lead to incorrect memory allocation and potential application crashes, resulting in a denial-of-service (DoS) condition.

Remediation

There is no fixed version for RHEL:8 libarchive.

References

medium severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.61.1-22.el8
  • Fixed in: 0:7.61.1-22.el8_6.4

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libcurl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

curl < 7.84.0 supports "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was unbounded, allowing a malicious server to insert a virtually unlimited number of compression steps. The use of such a decompression chain could result in a "malloc bomb", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.

Remediation

Upgrade RHEL:8 libcurl to version 0:7.61.1-22.el8_6.4 or higher.
This issue was patched in RHSA-2022:6159.

References

medium severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.61.1-22.el8
  • Fixed in: 0:7.61.1-25.el8_7.3

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libcurl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was capped, but the cap was implemented on a per-header basis allowing a malicious server to insert a virtually unlimited number of compression steps simply by using many headers. The use of such a decompression chain could result in a "malloc bomb", making curl end up spending enormous amounts of allocated heap memory, or trying to and returning out of memory errors.

Remediation

Upgrade RHEL:8 libcurl to version 0:7.61.1-25.el8_7.3 or higher.
This issue was patched in RHSA-2023:1140.

References

medium severity

Authentication Bypass by Primary Weakness

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.61.1-22.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libcurl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection.

Remediation

There is no fixed version for RHEL:8 libcurl.

References

medium severity

Comparison Using Wrong Factors

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.61.1-22.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libcurl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

libcurl might in some circumstances reuse the wrong connection for SMB(S) transfers.

libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead.

When reusing a connection a range of criteria must be met. Due to a logical error in the code, a network transfer operation that was requested by an application could wrongfully reuse an existing SMB connection to the same server that was using a different 'share' than the new subsequent transfer should.

This could in unlucky situations lead to the download of the wrong file or the upload of a file to the wrong place. When this happens, the same credentials are used and the server name is the same.

Remediation

There is no fixed version for RHEL:8 libcurl.

References

medium severity

Exposure of Data Element to Wrong Session

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.61.1-22.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libcurl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

libcurl might in some circumstances reuse the wrong connection when asked to do an authenticated HTTP(S) request after a Negotiate-authenticated one, when both use the same host.

libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead.

When reusing a connection a range of criteria must be met. Due to a logical error in the code, a request that was issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials.

An application that first uses Negotiate authentication to a server with user1:password1 and then does another operation to the same server asking for any authentication method but for user2:password2 (while the previous connection is still alive) - the second request gets confused and wrongly reuses the same connection and sends the new request over that connection thinking it uses a mix of user1's and user2's credentials when it is in fact still using the connection authenticated for user1...

Remediation

There is no fixed version for RHEL:8 libcurl.

References

medium severity

Information Exposure

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.61.1-22.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libcurl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

When asked to both use a .netrc file for credentials and to follow HTTP redirects, libcurl could leak the password used for the first host to the followed-to host under certain circumstances.

Remediation

There is no fixed version for RHEL:8 libcurl.

References

medium severity

Heap-based Buffer Overflow

  • Vulnerable module: libsolv
  • Introduced through: libsolv@0.7.19-1.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libsolv@0.7.19-1.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libsolv package and not the libsolv package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in libsolv. This heap buffer overflow vulnerability occurs when a victim processes a specially crafted .solv file containing negative size values in the repo_add_solv function. This leads to an undersized memory allocation and a subsequent out-of-bounds write. An attacker could exploit this to cause a denial of service (DoS).

Remediation

There is no fixed version for RHEL:8 libsolv.

References

medium severity

Buffer Underflow

  • Vulnerable module: libssh
  • Introduced through: libssh@0.9.4-3.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libssh@0.9.4-3.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh package and not the libssh package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in libssh. The API function ssh_get_hexa() is vulnerable to a denial of service when processing zero-length input. This can be exploited remotely by an attacker during GSSAPI (Generic Security Service Application Program Interface) authentication if the server's logging verbosity is set to SSH_LOG_PACKET (3) or higher. Successful exploitation could lead to a self-Denial of Service of the per-connection daemon process.

Remediation

There is no fixed version for RHEL:8 libssh.

References

medium severity

Double Free

  • Vulnerable module: libssh
  • Introduced through: libssh@0.9.4-3.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libssh@0.9.4-3.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh package and not the libssh package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in the key export functionality of libssh. The issue occurs in the internal function responsible for converting cryptographic keys into serialized formats. During error handling, a memory structure is freed but not cleared, leading to a potential double free issue if an additional failure occurs later in the function. This condition may result in heap corruption or application instability in low-memory scenarios, posing a risk to system reliability where key export operations are performed.

Remediation

There is no fixed version for RHEL:8 libssh.

References

medium severity

Buffer Underflow

  • Vulnerable module: libssh-config
  • Introduced through: libssh-config@0.9.4-3.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libssh-config@0.9.4-3.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh-config package and not the libssh-config package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in libssh. The API function ssh_get_hexa() is vulnerable to a denial of service when processing zero-length input. This can be exploited remotely by an attacker during GSSAPI (Generic Security Service Application Program Interface) authentication if the server's logging verbosity is set to SSH_LOG_PACKET (3) or higher. Successful exploitation could lead to a self-Denial of Service of the per-connection daemon process.

Remediation

There is no fixed version for RHEL:8 libssh-config.

References

medium severity

Double Free

  • Vulnerable module: libssh-config
  • Introduced through: libssh-config@0.9.4-3.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libssh-config@0.9.4-3.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh-config package and not the libssh-config package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in the key export functionality of libssh. The issue occurs in the internal function responsible for converting cryptographic keys into serialized formats. During error handling, a memory structure is freed but not cleared, leading to a potential double free issue if an additional failure occurs later in the function. This condition may result in heap corruption or application instability in low-memory scenarios, posing a risk to system reliability where key export operations are performed.

Remediation

There is no fixed version for RHEL:8 libssh-config.

References

medium severity

Access of Resource Using Incompatible Type ('Type Confusion')

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.7-9.el8_4.2

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libxml2@2.9.7-9.el8_4.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in libxml2. This vulnerability occurs when the library processes a specially crafted XML Schema Definition (XSD) validated document that includes an internal entity reference. An attacker could exploit this by providing a malicious document, leading to a type confusion error that causes the application to crash. This results in a denial of service (DoS), making the affected system or application unavailable.

Remediation

There is no fixed version for RHEL:8 libxml2.

References

medium severity

Out-of-Bounds

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.7-9.el8_4.2
  • Fixed in: 0:2.9.7-18.el8_9

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libxml2@2.9.7-9.el8_4.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Xmlsoft Libxml2 v2.11.0 was discovered to contain an out-of-bounds read via the xmlSAX2StartElement() function at /libxml2/SAX2.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted XML file. NOTE: the vendor's position is that the product does not support the legacy SAX1 interface with custom callbacks; there is a crash even without crafted input.

Remediation

Upgrade RHEL:8 libxml2 to version 0:2.9.7-18.el8_9 or higher.
This issue was patched in RHSA-2024:0119.

References

medium severity

Information Exposure

  • Vulnerable module: nss
  • Introduced through: nss@3.67.0-7.el8_5
  • Fixed in: 0:3.90.0-4.el8_9

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 nss@3.67.0-7.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream nss package and not the nss package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

NSS was susceptible to a timing side-channel attack when performing RSA decryption. This attack could potentially allow an attacker to recover the private data. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9.

Remediation

Upgrade RHEL:8 nss to version 0:3.90.0-4.el8_9 or higher.
This issue was patched in RHSA-2024:0105.

References

medium severity

Information Exposure

  • Vulnerable module: nss-softokn
  • Introduced through: nss-softokn@3.67.0-7.el8_5
  • Fixed in: 0:3.90.0-4.el8_9

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 nss-softokn@3.67.0-7.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream nss-softokn package and not the nss-softokn package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

NSS was susceptible to a timing side-channel attack when performing RSA decryption. This attack could potentially allow an attacker to recover the private data. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9.

Remediation

Upgrade RHEL:8 nss-softokn to version 0:3.90.0-4.el8_9 or higher.
This issue was patched in RHSA-2024:0105.

References

medium severity

Information Exposure

  • Vulnerable module: nss-softokn-freebl
  • Introduced through: nss-softokn-freebl@3.67.0-7.el8_5
  • Fixed in: 0:3.90.0-4.el8_9

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 nss-softokn-freebl@3.67.0-7.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream nss-softokn-freebl package and not the nss-softokn-freebl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

NSS was susceptible to a timing side-channel attack when performing RSA decryption. This attack could potentially allow an attacker to recover the private data. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9.

Remediation

Upgrade RHEL:8 nss-softokn-freebl to version 0:3.90.0-4.el8_9 or higher.
This issue was patched in RHSA-2024:0105.

References

medium severity

Information Exposure

  • Vulnerable module: nss-sysinit
  • Introduced through: nss-sysinit@3.67.0-7.el8_5
  • Fixed in: 0:3.90.0-4.el8_9

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 nss-sysinit@3.67.0-7.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream nss-sysinit package and not the nss-sysinit package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

NSS was susceptible to a timing side-channel attack when performing RSA decryption. This attack could potentially allow an attacker to recover the private data. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9.

Remediation

Upgrade RHEL:8 nss-sysinit to version 0:3.90.0-4.el8_9 or higher.
This issue was patched in RHSA-2024:0105.

References

medium severity

Information Exposure

  • Vulnerable module: nss-util
  • Introduced through: nss-util@3.67.0-7.el8_5
  • Fixed in: 0:3.90.0-4.el8_9

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 nss-util@3.67.0-7.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream nss-util package and not the nss-util package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

NSS was susceptible to a timing side-channel attack when performing RSA decryption. This attack could potentially allow an attacker to recover the private data. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9.

Remediation

Upgrade RHEL:8 nss-util to version 0:3.90.0-4.el8_9 or higher.
This issue was patched in RHSA-2024:0105.

References

medium severity

Loop with Unreachable Exit Condition ('Infinite Loop')

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8
  • Fixed in: 0:3.6.8-45.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to system availability.

Remediation

Upgrade RHEL:8 platform-python to version 0:3.6.8-45.el8 or higher.
This issue was patched in RHSA-2022:1986.

References

medium severity

Resource Exhaustion

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8
  • Fixed in: 0:3.6.8-56.el8_9.2

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

read_ints in plistlib.py in Python through 3.9.1 is vulnerable to a potential DoS attack via CPU and RAM exhaustion when processing malformed Apple Property List files in binary format.

Remediation

Upgrade RHEL:8 platform-python to version 0:3.6.8-56.el8_9.2 or higher.
This issue was patched in RHSA-2024:0114.

References

medium severity

Loop with Unreachable Exit Condition ('Infinite Loop')

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8
  • Fixed in: 0:3.6.8-45.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to system availability.

Remediation

Upgrade RHEL:8 python3-libs to version 0:3.6.8-45.el8 or higher.
This issue was patched in RHSA-2022:1986.

References

medium severity

Resource Exhaustion

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8
  • Fixed in: 0:3.6.8-56.el8_9.2

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

read_ints in plistlib.py in Python through 3.9.1 is vulnerable to a potential DoS attack via CPU and RAM exhaustion when processing malformed Apple Property List files in binary format.

Remediation

Upgrade RHEL:8 python3-libs to version 0:3.6.8-56.el8_9.2 or higher.
This issue was patched in RHSA-2024:0114.

References

medium severity

Link Following

  • Vulnerable module: rpm
  • Introduced through: rpm@4.14.3-19.el8
  • Fixed in: 0:4.14.3-28.el8_9

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 rpm@4.14.3-19.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream rpm package and not the rpm package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

It was found that the fix for CVE-2017-7500 and CVE-2017-7501 was incomplete: the check was only implemented for the parent directory of the file to be created. A local unprivileged user who owns another ancestor directory could potentially use this flaw to gain root privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Remediation

Upgrade RHEL:8 rpm to version 0:4.14.3-28.el8_9 or higher.
This issue was patched in RHSA-2024:0647.

References

medium severity

Link Following

  • Vulnerable module: rpm
  • Introduced through: rpm@4.14.3-19.el8
  • Fixed in: 0:4.14.3-28.el8_9

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 rpm@4.14.3-19.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream rpm package and not the rpm package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A symbolic link issue was found in rpm. It occurs when rpm sets the desired permissions and credentials after installing a file. A local unprivileged user could use this flaw to exchange the original file with a symbolic link to a security-critical file and escalate their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Remediation

Upgrade RHEL:8 rpm to version 0:4.14.3-28.el8_9 or higher.
This issue was patched in RHSA-2024:0647.

References

medium severity

Link Following

  • Vulnerable module: rpm-libs
  • Introduced through: rpm-libs@4.14.3-19.el8
  • Fixed in: 0:4.14.3-28.el8_9

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 rpm-libs@4.14.3-19.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream rpm-libs package and not the rpm-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

It was found that the fix for CVE-2017-7500 and CVE-2017-7501 was incomplete: the check was only implemented for the parent directory of the file to be created. A local unprivileged user who owns another ancestor directory could potentially use this flaw to gain root privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Remediation

Upgrade RHEL:8 rpm-libs to version 0:4.14.3-28.el8_9 or higher.
This issue was patched in RHSA-2024:0647.

References

medium severity

Link Following

  • Vulnerable module: rpm-libs
  • Introduced through: rpm-libs@4.14.3-19.el8
  • Fixed in: 0:4.14.3-28.el8_9

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 rpm-libs@4.14.3-19.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream rpm-libs package and not the rpm-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A symbolic link issue was found in rpm. It occurs when rpm sets the desired permissions and credentials after installing a file. A local unprivileged user could use this flaw to exchange the original file with a symbolic link to a security-critical file and escalate their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Remediation

Upgrade RHEL:8 rpm-libs to version 0:4.14.3-28.el8_9 or higher.
This issue was patched in RHSA-2024:0647.

References

medium severity

Improper Handling of Case Sensitivity

  • Vulnerable module: cups-libs
  • Introduced through: cups-libs@1:2.2.6-40.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 cups-libs@1:2.2.6-40.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream cups-libs package and not the cups-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, CUPS daemon (cupsd) contains an authorization bypass vulnerability due to case-insensitive username comparison during authorization checks. The vulnerability allows an unprivileged user to gain unauthorized access to restricted operations by using a user with a username that differs only in case from an authorized user. At time of publication, there are no publicly available patches.

Remediation

There is no fixed version for RHEL:8 cups-libs.

References

medium severity

OS Command Injection

  • Vulnerable module: cups-libs
  • Introduced through: cups-libs@1:2.2.6-40.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 cups-libs@1:2.2.6-40.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream cups-libs package and not the cups-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, in a network-exposed cupsd with a shared target queue, an unauthorized client can send a Print-Job to that shared PostScript queue without authentication. The server accepts a page-border value supplied as textWithoutLanguage, preserves an embedded newline through option escaping and reparse, and then reparses the resulting second-line PPD: text as a trusted scheduler control record. A follow-up raw print job can therefore make the server execute an attacker-chosen existing binary such as /usr/bin/vim as lp. At time of publication, there are no publicly available patches.

Remediation

There is no fixed version for RHEL:8 cups-libs.

References

medium severity

Expired Pointer Dereference

  • Vulnerable module: curl
  • Introduced through: curl@7.61.1-22.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 curl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory.

Remediation

There is no fixed version for RHEL:8 curl.

References

medium severity

Expired Pointer Dereference

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.61.1-22.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libcurl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory.

Remediation

There is no fixed version for RHEL:8 libcurl.

References

medium severity

Unquoted Search Path or Element

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8
  • Fixed in: 0:3.6.8-69.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A vulnerability has been found in the CPython venv module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie "./venv/bin/python") are not affected.

Remediation

Upgrade RHEL:8 platform-python to version 0:3.6.8-69.el8_10 or higher.
This issue was patched in RHSA-2024:10779.

References

medium severity

Unquoted Search Path or Element

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8
  • Fixed in: 0:3.6.8-69.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A vulnerability has been found in the CPython venv module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie "./venv/bin/python") are not affected.

Remediation

Upgrade RHEL:8 python3-libs to version 0:3.6.8-69.el8_10 or higher.
This issue was patched in RHSA-2024:10779.

References

medium severity

Link Following

  • Vulnerable module: rpm
  • Introduced through: rpm@4.14.3-19.el8
  • Fixed in: 0:4.14.3-28.el8_9

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 rpm@4.14.3-19.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream rpm package and not the rpm package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A race condition vulnerability was found in rpm. A local unprivileged user could use this flaw to bypass the checks that were introduced in response to CVE-2017-7500 and CVE-2017-7501, potentially gaining root privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Remediation

Upgrade RHEL:8 rpm to version 0:4.14.3-28.el8_9 or higher.
This issue was patched in RHSA-2024:0647.

References

medium severity

Link Following

  • Vulnerable module: rpm-libs
  • Introduced through: rpm-libs@4.14.3-19.el8
  • Fixed in: 0:4.14.3-28.el8_9

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 rpm-libs@4.14.3-19.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream rpm-libs package and not the rpm-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A race condition vulnerability was found in rpm. A local unprivileged user could use this flaw to bypass the checks that were introduced in response to CVE-2017-7500 and CVE-2017-7501, potentially gaining root privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Remediation

Upgrade RHEL:8 rpm-libs to version 0:4.14.3-28.el8_9 or higher.
This issue was patched in RHSA-2024:0647.

References

medium severity

Time-of-check Time-of-use (TOCTOU)

  • Vulnerable module: sed
  • Introduced through: sed@4.5-2.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 sed@4.5-2.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream sed package and not the sed package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

When sed is invoked with both -i (in-place edit) and --follow-symlinks, the function open_next_file() performs two separate, non-atomic filesystem operations on the same path:

  1. it resolves the symlink to its target and stores the resolved path, which later determines where output is written;
  2. it opens the original symlink path (not the resolved one) to read the file.

Between these two calls there is a race window. If an attacker atomically replaces the symlink with a different target during that window, sed will read content from the new (attacker-chosen) symlink target and write the processed result to the path recorded in step 1. This can lead to arbitrary file overwrite with attacker-controlled content in the context of the sed process.

This issue was fixed in version 4.10.

Remediation

There is no fixed version for RHEL:8 sed.

References

medium severity

CVE-2023-26604

  • Vulnerable module: systemd-libs
  • Introduced through: systemd-libs@239-51.el8_5.3
  • Fixed in: 0:239-74.el8_8.2

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 systemd-libs@239-51.el8_5.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd-libs package and not the systemd-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

systemd before 247 does not adequately block local privilege escalation for some Sudo configurations, e.g., plausible sudoers files in which the "systemctl status" command may be executed. Specifically, systemd does not set LESSSECURE to 1, and thus other programs may be launched from the less program. This presents a substantial security risk when running systemctl from Sudo, because less executes as root when the terminal size is too small to show the complete systemctl output.

Remediation

Upgrade RHEL:8 systemd-libs to version 0:239-74.el8_8.2 or higher.
This issue was patched in RHSA-2023:3837.

References

medium severity

Loop with Unreachable Exit Condition ('Infinite Loop')

  • Vulnerable module: avahi-libs
  • Introduced through: avahi-libs@0.7-20.el8
  • Fixed in: 0:0.7-21.el8_9.1

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 avahi-libs@0.7-20.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream avahi-libs package and not the avahi-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in avahi in versions 0.6 up to 0.8. The event used to signal the termination of the client connection on the avahi Unix socket is not correctly handled in the client_work function, allowing a local attacker to trigger an infinite loop. The highest threat from this vulnerability is to the availability of the avahi service, which becomes unresponsive after this flaw is triggered.

Remediation

Upgrade RHEL:8 avahi-libs to version 0:0.7-21.el8_9.1 or higher.
This issue was patched in RHSA-2023:7836.

References

medium severity

Reachable Assertion

  • Vulnerable module: avahi-libs
  • Introduced through: avahi-libs@0.7-20.el8
  • Fixed in: 0:0.7-21.el8_9.1

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 avahi-libs@0.7-20.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream avahi-libs package and not the avahi-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A vulnerability was found in Avahi. A reachable assertion exists in the avahi_rdata_parse() function.

Remediation

Upgrade RHEL:8 avahi-libs to version 0:0.7-21.el8_9.1 or higher.
This issue was patched in RHSA-2023:7836.

References

medium severity

Reachable Assertion

  • Vulnerable module: avahi-libs
  • Introduced through: avahi-libs@0.7-20.el8
  • Fixed in: 0:0.7-21.el8_9.1

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 avahi-libs@0.7-20.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream avahi-libs package and not the avahi-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A vulnerability was found in Avahi. A reachable assertion exists in the avahi_escape_label() function.

Remediation

Upgrade RHEL:8 avahi-libs to version 0:0.7-21.el8_9.1 or higher.
This issue was patched in RHSA-2023:7836.

References

medium severity

Reachable Assertion

  • Vulnerable module: avahi-libs
  • Introduced through: avahi-libs@0.7-20.el8
  • Fixed in: 0:0.7-21.el8_9.1

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 avahi-libs@0.7-20.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream avahi-libs package and not the avahi-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A vulnerability was found in Avahi, where a reachable assertion exists in avahi_dns_packet_append_record.

Remediation

Upgrade RHEL:8 avahi-libs to version 0:0.7-21.el8_9.1 or higher.
This issue was patched in RHSA-2023:7836.

References

medium severity

Reachable Assertion

  • Vulnerable module: avahi-libs
  • Introduced through: avahi-libs@0.7-20.el8
  • Fixed in: 0:0.7-21.el8_9.1

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 avahi-libs@0.7-20.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream avahi-libs package and not the avahi-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A vulnerability was found in Avahi. A reachable assertion exists in the avahi_alternative_host_name() function.

Remediation

Upgrade RHEL:8 avahi-libs to version 0:0.7-21.el8_9.1 or higher.
This issue was patched in RHSA-2023:7836.

References

medium severity

Reachable Assertion

  • Vulnerable module: avahi-libs
  • Introduced through: avahi-libs@0.7-20.el8
  • Fixed in: 0:0.7-21.el8_9.1

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 avahi-libs@0.7-20.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream avahi-libs package and not the avahi-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A vulnerability was found in Avahi. A reachable assertion exists in the dbus_set_host_name function.

Remediation

Upgrade RHEL:8 avahi-libs to version 0:0.7-21.el8_9.1 or higher.
This issue was patched in RHSA-2023:7836.

References

medium severity

Resource Exhaustion

  • Vulnerable module: avahi-libs
  • Introduced through: avahi-libs@0.7-20.el8
  • Fixed in: 0:0.7-21.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 avahi-libs@0.7-20.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream avahi-libs package and not the avahi-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A vulnerability was found in the avahi library. This flaw allows an unprivileged user to make a dbus call, causing the avahi daemon to crash.

Remediation

Upgrade RHEL:8 avahi-libs to version 0:0.7-21.el8 or higher.
This issue was patched in RHSA-2023:7190.

References

medium severity

Reachable Assertion

  • Vulnerable module: dbus-libs
  • Introduced through: dbus-libs@1:1.12.8-14.el8
  • Fixed in: 1:1.12.8-24.el8_8.1

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 dbus-libs@1:1.12.8-14.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream dbus-libs package and not the dbus-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

D-Bus before 1.15.6 sometimes allows unprivileged users to crash dbus-daemon. If a privileged user with control over the dbus-daemon is using the org.freedesktop.DBus.Monitoring interface to monitor message bus traffic, then an unprivileged user with the ability to connect to the same dbus-daemon can cause a dbus-daemon crash under some circumstances via an unreplyable message. When done on the well-known system bus, this is a denial-of-service vulnerability. The fixed versions are 1.12.28, 1.14.8, and 1.15.6.

Remediation

Upgrade RHEL:8 dbus-libs to version 1:1.12.8-24.el8_8.1 or higher.
This issue was patched in RHSA-2023:4498.

References

medium severity

Integer Overflow or Wraparound

  • Vulnerable module: expat
  • Introduced through: expat@2.2.5-4.el8
  • Fixed in: 0:2.2.5-15.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 expat@2.2.5-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX).

Remediation

Upgrade RHEL:8 expat to version 0:2.2.5-15.el8_10 or higher.
This issue was patched in RHSA-2024:6989.

References

medium severity

NULL Pointer Dereference

  • Vulnerable module: expat
  • Introduced through: expat@2.2.5-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 expat@2.2.5-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

libexpat before 2.7.5 allows a NULL pointer dereference with empty external parameter entity content.

Remediation

There is no fixed version for RHEL:8 expat.

References

medium severity

Integer Overflow or Wraparound

  • Vulnerable module: gmp
  • Introduced through: gmp@1:6.1.2-10.el8
  • Fixed in: 1:6.1.2-11.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 gmp@1:6.1.2-10.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream gmp package and not the gmp package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms.

Remediation

Upgrade RHEL:8 gmp to version 1:6.1.2-11.el8 or higher.
This issue was patched in RHSA-2024:3214.

References

medium severity

Memory Leak

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.7-9.el8_4.2

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libxml2@2.9.7-9.el8_4.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was identified in the interactive shell of the xmllint utility, part of the libxml2 project, where memory allocated for user input is not properly released under certain conditions. When a user submits input consisting only of whitespace, the program skips command execution but fails to free the allocated buffer. Repeating this action causes memory to continuously accumulate. Over time, this can exhaust system memory and terminate the xmllint process, creating a denial-of-service condition on the local system.

Remediation

There is no fixed version for RHEL:8 libxml2.

References

medium severity

Unchecked Input for Loop Condition

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.7-9.el8_4.2
  • Fixed in: 0:2.9.7-21.el8_10.4

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libxml2@2.9.7-9.el8_4.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Uncontrolled recursion in XPath evaluation in libxml2 up to and including version 2.9.14 allows a local attacker to cause a stack overflow via crafted expressions. XPath processing functions xmlXPathRunEval, xmlXPathCtxtCompile, and xmlXPathEvalExpr were resetting recursion depth to zero before making potentially recursive calls. When such functions were called recursively this could allow for uncontrolled recursion and lead to a stack overflow. These functions now preserve recursion depth across recursive calls, allowing recursion depth to be controlled.

Remediation

Upgrade RHEL:8 libxml2 to version 0:2.9.7-21.el8_10.4 or higher.
This issue was patched in RHSA-2026:11349.

References

medium severity
new

Integer Overflow or Wraparound

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Pillow is a Python imaging library. Prior to version 12.2.0, if a font advances for each glyph by an exceedingly large amount, Pillow's tracking of the current position may lead to an integer overflow. This issue has been patched in version 12.2.0.

Remediation

There is no fixed version for RHEL:8 platform-python.

References

medium severity
new

Integer Overflow or Wraparound

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Pillow is a Python imaging library. Prior to version 12.2.0, if a font advances for each glyph by an exceedingly large amount, Pillow's tracking of the current position may lead to an integer overflow. This issue has been patched in version 12.2.0.

Remediation

There is no fixed version for RHEL:8 python3-libs.

References

medium severity

Resource Exhaustion

  • Vulnerable module: sqlite-libs
  • Introduced through: sqlite-libs@3.26.0-15.el8
  • Fixed in: 0:3.26.0-18.el8_8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 sqlite-libs@3.26.0-15.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream sqlite-libs package and not the sqlite-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Buffer Overflow vulnerability found in SQLite3 v.3.27.1 and before allows a local attacker to cause a denial of service via a crafted script.

Remediation

Upgrade RHEL:8 sqlite-libs to version 0:3.26.0-18.el8_8 or higher.
This issue was patched in RHSA-2023:3840.

References

medium severity

Buffer Overflow

  • Vulnerable module: glib2
  • Introduced through: glib2@2.56.4-156.el8
  • Fixed in: 0:2.56.4-159.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glib2@2.56.4-156.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glib2 package and not the glib2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The issue was addressed with improved UI handling. This issue is fixed in Safari 16, tvOS 16, watchOS 9, iOS 16. Visiting a website that frames malicious content may lead to UI spoofing.

Remediation

Upgrade RHEL:8 glib2 to version 0:2.56.4-159.el8 or higher.
This issue was patched in RHSA-2022:7704.

References

medium severity

Integer Overflow or Wraparound

  • Vulnerable module: lcms2
  • Introduced through: lcms2@2.9-2.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 lcms2@2.9-2.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream lcms2 package and not the lcms2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Little CMS (lcms2) through 2.18 has an integer overflow in CubeSize in cmslut.c because the overflow check is performed after the multiplication.

Remediation

There is no fixed version for RHEL:8 lcms2.

References

medium severity

Out-of-bounds Read

  • Vulnerable module: libblkid
  • Introduced through: libblkid@2.32.1-28.el8
  • Fixed in: 0:2.32.1-48.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libblkid@2.32.1-28.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libblkid package and not the libblkid package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the setpwnam() function, affecting SUID (Set User ID) login-utils utilities writing to the password database.

Remediation

Upgrade RHEL:8 libblkid to version 0:2.32.1-48.el8_10 or higher.
This issue was patched in RHSA-2026:1852.

References

medium severity

Cross-site Scripting (XSS)

  • Vulnerable module: libgcc
  • Introduced through: libgcc@8.5.0-4.el8_5
  • Fixed in: 0:8.5.0-23.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libgcc@8.5.0-4.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream libgcc package and not the libgcc package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Remediation

Upgrade RHEL:8 libgcc to version 0:8.5.0-23.el8_10 or higher.
This issue was patched in RHSA-2025:1301.

References

medium severity

Out-of-bounds Read

  • Vulnerable module: libmount
  • Introduced through: libmount@2.32.1-28.el8
  • Fixed in: 0:2.32.1-48.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libmount@2.32.1-28.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libmount package and not the libmount package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the setpwnam() function, affecting SUID (Set User ID) login-utils utilities writing to the password database.

Remediation

Upgrade RHEL:8 libmount to version 0:2.32.1-48.el8_10 or higher.
This issue was patched in RHSA-2026:1852.

References

medium severity

Out-of-bounds Read

  • Vulnerable module: libpng
  • Introduced through: libpng@2:1.6.34-5.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libpng@2:1.6.34-5.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libpng package and not the libpng package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, a heap buffer over-read vulnerability exists in libpng's png_write_image_8bit function when processing 8-bit images through the simplified write API with convert_to_8bit enabled. The vulnerability affects 8-bit grayscale+alpha, RGB/RGBA, and images with incomplete row data. A conditional guard incorrectly allows 8-bit input to enter code expecting 16-bit input, causing reads up to 2 bytes beyond allocated buffer boundaries. This issue has been patched in version 1.6.51.

Remediation

There is no fixed version for RHEL:8 libpng.

References

medium severity

Out-of-bounds Read

  • Vulnerable module: libsmartcols
  • Introduced through: libsmartcols@2.32.1-28.el8
  • Fixed in: 0:2.32.1-48.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libsmartcols@2.32.1-28.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libsmartcols package and not the libsmartcols package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the setpwnam() function, affecting SUID (Set User ID) login-utils utilities writing to the password database.

Remediation

Upgrade RHEL:8 libsmartcols to version 0:2.32.1-48.el8_10 or higher.
This issue was patched in RHSA-2026:1852.

References

medium severity

Cross-site Scripting (XSS)

  • Vulnerable module: libstdc++
  • Introduced through: libstdc++@8.5.0-4.el8_5
  • Fixed in: 0:8.5.0-23.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libstdc++@8.5.0-4.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream libstdc++ package and not the libstdc++ package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Remediation

Upgrade RHEL:8 libstdc++ to version 0:8.5.0-23.el8_10 or higher.
This issue was patched in RHSA-2025:1301.

References

medium severity

Out-of-bounds Read

  • Vulnerable module: libuuid
  • Introduced through: libuuid@2.32.1-28.el8
  • Fixed in: 0:2.32.1-48.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libuuid@2.32.1-28.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libuuid package and not the libuuid package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in util-linux. This vulnerability allows a heap buffer overread when processing 256-byte usernames, specifically within the setpwnam() function, affecting SUID (Set User ID) login-utils utilities writing to the password database.

Remediation

Upgrade RHEL:8 libuuid to version 0:2.32.1-48.el8_10 or higher.
This issue was patched in RHSA-2026:1852.

References

medium severity

Cross-site Scripting (XSS)

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.7-9.el8_4.2
  • Fixed in: 0:2.9.7-15.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libxml2@2.9.7-9.el8_4.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Possible cross-site scripting vulnerability in libxml after commit 960f0e2.

Remediation

Upgrade RHEL:8 libxml2 to version 0:2.9.7-15.el8 or higher.
This issue was patched in RHSA-2022:7715.

References

medium severity

Out-of-Bounds

  • Vulnerable module: nss
  • Introduced through: nss@3.67.0-7.el8_5
  • Fixed in: 0:3.101.0-7.el8_8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 nss@3.67.0-7.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream nss package and not the nss package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A mismatch between allocator and deallocator could have led to memory corruption. This vulnerability affects Firefox < 128, Firefox ESR < 115.13, Thunderbird < 115.13, and Thunderbird < 128.

Remediation

Upgrade RHEL:8 nss to version 0:3.101.0-7.el8_8 or higher.
This issue was patched in RHBA-2024:6680.

References

medium severity

Out-of-Bounds

  • Vulnerable module: nss-softokn
  • Introduced through: nss-softokn@3.67.0-7.el8_5
  • Fixed in: 0:3.101.0-7.el8_8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 nss-softokn@3.67.0-7.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream nss-softokn package and not the nss-softokn package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A mismatch between allocator and deallocator could have led to memory corruption. This vulnerability affects Firefox < 128, Firefox ESR < 115.13, Thunderbird < 115.13, and Thunderbird < 128.

Remediation

Upgrade RHEL:8 nss-softokn to version 0:3.101.0-7.el8_8 or higher.
This issue was patched in RHBA-2024:6680.

References

medium severity

Out-of-Bounds

  • Vulnerable module: nss-softokn-freebl
  • Introduced through: nss-softokn-freebl@3.67.0-7.el8_5
  • Fixed in: 0:3.101.0-7.el8_8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 nss-softokn-freebl@3.67.0-7.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream nss-softokn-freebl package and not the nss-softokn-freebl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A mismatch between allocator and deallocator could have led to memory corruption. This vulnerability affects Firefox < 128, Firefox ESR < 115.13, Thunderbird < 115.13, and Thunderbird < 128.

Remediation

Upgrade RHEL:8 nss-softokn-freebl to version 0:3.101.0-7.el8_8 or higher.
This issue was patched in RHBA-2024:6680.

References

medium severity

Out-of-Bounds

  • Vulnerable module: nss-sysinit
  • Introduced through: nss-sysinit@3.67.0-7.el8_5
  • Fixed in: 0:3.101.0-7.el8_8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 nss-sysinit@3.67.0-7.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream nss-sysinit package and not the nss-sysinit package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A mismatch between allocator and deallocator could have led to memory corruption. This vulnerability affects Firefox < 128, Firefox ESR < 115.13, Thunderbird < 115.13, and Thunderbird < 128.

Remediation

Upgrade RHEL:8 nss-sysinit to version 0:3.101.0-7.el8_8 or higher.
This issue was patched in RHBA-2024:6680.

References

medium severity

Out-of-Bounds

  • Vulnerable module: nss-util
  • Introduced through: nss-util@3.67.0-7.el8_5
  • Fixed in: 0:3.101.0-7.el8_8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 nss-util@3.67.0-7.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream nss-util package and not the nss-util package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A mismatch between allocator and deallocator could have led to memory corruption. This vulnerability affects Firefox < 128, Firefox ESR < 115.13, Thunderbird < 115.13, and Thunderbird < 128.

Remediation

Upgrade RHEL:8 nss-util to version 0:3.101.0-7.el8_8 or higher.
This issue was patched in RHBA-2024:6680.

References

medium severity

Improper Use of Validation Framework

  • Vulnerable module: cups-libs
  • Introduced through: cups-libs@1:2.2.6-40.el8
  • Fixed in: 1:2.2.6-66.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 cups-libs@1:2.2.6-40.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream cups-libs package and not the cups-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. Prior to version 2.4.15, a user in the lpadmin group can use the cups web ui to change the config and insert a malicious line. Then the cupsd process which runs as root will parse the new config and cause an out-of-bound write. This issue has been patched in version 2.4.15.

Remediation

Upgrade RHEL:8 cups-libs to version 1:2.2.6-66.el8_10 or higher.
This issue was patched in RHSA-2026:0596.

References

medium severity

Untrusted Pointer Dereference

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The "profiling.sampling" module (Python 3.15+) and "asyncio introspection capabilities" (3.14+, "python -m asyncio ps" and "python -m asyncio pstree") features could be used to read and write addresses in a privileged process if that process connected to a malicious or "infected" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR.

Remediation

There is no fixed version for RHEL:8 platform-python.

References

medium severity

Untrusted Pointer Dereference

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The "profiling.sampling" module (Python 3.15+) and "asyncio introspection capabilities" (3.14+, "python -m asyncio ps" and "python -m asyncio pstree") features could be used to read and write addresses in a privileged process if that process connected to a malicious or "infected" Python process via the remote debugging feature. This vulnerability requires persistently and repeatedly connecting to the process to be exploited, even after the connecting process crashes with high likelihood due to ASLR.

Remediation

There is no fixed version for RHEL:8 python3-libs.

References

medium severity

Out-of-Bounds

  • Vulnerable module: cups-libs
  • Introduced through: cups-libs@1:2.2.6-40.el8
  • Fixed in: 1:2.2.6-54.el8_9

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 cups-libs@1:2.2.6-40.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream cups-libs package and not the cups-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

OpenPrinting CUPS is an open source printing system. In versions 2.4.2 and prior, a heap buffer overflow vulnerability would allow a remote attacker to launch a denial of service (DoS) attack. A buffer overflow vulnerability in the function format_log_line could allow remote attackers to cause a DoS on the affected system. Exploitation of the vulnerability can be triggered when the configuration file cupsd.conf sets the value of loglevel to DEBUG. No known patches or workarounds exist at time of publication.

Remediation

Upgrade RHEL:8 cups-libs to version 1:2.2.6-54.el8_9 or higher.
This issue was patched in RHSA-2023:7165.

References

medium severity

Authentication Bypass by Primary Weakness

  • Vulnerable module: curl
  • Introduced through: curl@7.61.1-22.el8
  • Fixed in: 0:7.61.1-30.el8_8.3

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 curl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An authentication bypass vulnerability exists in libcurl <8.0.0 in the connection reuse feature, which can reuse previously established connections with incorrect user permissions due to a failure to check for changes in the CURLOPT_GSSAPI_DELEGATION option. This vulnerability affects krb5/kerberos/negotiate/GSSAPI transfers and could potentially result in unauthorized access to sensitive information. The safest option is to not reuse connections if the CURLOPT_GSSAPI_DELEGATION option has been changed.

Remediation

Upgrade RHEL:8 curl to version 0:7.61.1-30.el8_8.3 or higher.
This issue was patched in RHSA-2023:4523.

References

medium severity

Authentication Bypass by Primary Weakness

  • Vulnerable module: curl
  • Introduced through: curl@7.61.1-22.el8
  • Fixed in: 0:7.61.1-30.el8_8.2

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 curl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers. Previously created connections are kept in a connection pool for reuse if they match the current setup. However, certain FTP settings such as CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC, and CURLOPT_USE_SSL were not included in the configuration match checks, causing them to match too easily. This could lead to libcurl using the wrong credentials when performing a transfer, potentially allowing unauthorized access to sensitive information.

Remediation

Upgrade RHEL:8 curl to version 0:7.61.1-30.el8_8.2 or higher.
This issue was patched in RHSA-2023:3106.

References

medium severity

Improper Certificate Validation

  • Vulnerable module: curl
  • Introduced through: curl@7.61.1-22.el8
  • Fixed in: 0:7.61.1-30.el8_8.3

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 curl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An improper certificate validation vulnerability exists in curl <v8.1.0 in the way it supports matching of wildcard patterns when listed as "Subject Alternative Name" in TLS server certificates. curl can be built to use its own name matching function for TLS rather than one provided by a TLS library. This private wildcard matching function would match IDN (International Domain Name) hosts incorrectly and could as a result accept patterns that otherwise should mismatch. IDN hostnames are converted to punycode before being used for certificate checks. Punycoded names always start with xn-- and should not be allowed to pattern match, but the wildcard check in curl could still check for x*, which would match even though the IDN name most likely contained nothing even resembling an x.

Remediation

Upgrade RHEL:8 curl to version 0:7.61.1-30.el8_8.3 or higher.
This issue was patched in RHSA-2023:4523.

References

medium severity

Improper Check for Unusual or Exceptional Conditions

  • Vulnerable module: expat
  • Introduced through: expat@2.2.5-4.el8
  • Fixed in: 0:2.2.5-16.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 expat@2.2.5-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An issue was discovered in libexpat before 2.6.4. There is a crash within the XML_ResumeParser function because XML_StopParser can stop/suspend an unstarted parser.

Remediation

Upgrade RHEL:8 expat to version 0:2.2.5-16.el8_10 or higher.
This issue was patched in RHSA-2024:9502.

References

medium severity

Buffer Overflow

  • Vulnerable module: glibc
  • Introduced through: glibc@2.28-164.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to enforce the caller-supplied buffer length, and can result in an out-of-bounds write when printing TSIG records.

Remediation

There is no fixed version for RHEL:8 glibc.

References

medium severity

Use of Uninitialized Resource

  • Vulnerable module: glibc
  • Introduced through: glibc@2.28-164.el8
  • Fixed in: 0:2.28-251.el8_10.31

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.

Remediation

Upgrade RHEL:8 glibc to version 0:2.28-251.el8_10.31 or higher.
This issue was patched in RHSA-2026:4772.

References

medium severity

Buffer Overflow

  • Vulnerable module: glibc-common
  • Introduced through: glibc-common@2.28-164.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-common@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-common package and not the glibc-common package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to enforce the caller-supplied buffer length, and can result in an out-of-bounds write when printing TSIG records.

Remediation

There is no fixed version for RHEL:8 glibc-common.

References

medium severity

Use of Uninitialized Resource

  • Vulnerable module: glibc-common
  • Introduced through: glibc-common@2.28-164.el8
  • Fixed in: 0:2.28-251.el8_10.31

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-common@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-common package and not the glibc-common package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.

Remediation

Upgrade RHEL:8 glibc-common to version 0:2.28-251.el8_10.31 or higher.
This issue was patched in RHSA-2026:4772.

References

medium severity

Buffer Overflow

  • Vulnerable module: glibc-langpack-en
  • Introduced through: glibc-langpack-en@2.28-164.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-langpack-en@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-langpack-en package and not the glibc-langpack-en package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to enforce the caller-supplied buffer length, and can result in an out-of-bounds write when printing TSIG records.

Remediation

There is no fixed version for RHEL:8 glibc-langpack-en.

References

medium severity

Use of Uninitialized Resource

  • Vulnerable module: glibc-langpack-en
  • Introduced through: glibc-langpack-en@2.28-164.el8
  • Fixed in: 0:2.28-251.el8_10.31

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-langpack-en@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-langpack-en package and not the glibc-langpack-en package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.

Remediation

Upgrade RHEL:8 glibc-langpack-en to version 0:2.28-251.el8_10.31 or higher.
This issue was patched in RHSA-2026:4772.

References

medium severity

Buffer Overflow

  • Vulnerable module: glibc-minimal-langpack
  • Introduced through: glibc-minimal-langpack@2.28-164.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-minimal-langpack@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-minimal-langpack package and not the glibc-minimal-langpack package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to enforce the caller-supplied buffer length, and can result in an out-of-bounds write when printing TSIG records.

Remediation

There is no fixed version for RHEL:8 glibc-minimal-langpack.

References

medium severity

Use of Uninitialized Resource

  • Vulnerable module: glibc-minimal-langpack
  • Introduced through: glibc-minimal-langpack@2.28-164.el8
  • Fixed in: 0:2.28-251.el8_10.31

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-minimal-langpack@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-minimal-langpack package and not the glibc-minimal-langpack package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.

Remediation

Upgrade RHEL:8 glibc-minimal-langpack to version 0:2.28-251.el8_10.31 or higher.
This issue was patched in RHSA-2026:4772.

References

medium severity

Improper Verification of Cryptographic Signature

  • Vulnerable module: gnupg2
  • Introduced through: gnupg2@2.2.20-2.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 gnupg2@2.2.20-2.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnupg2 package and not the gnupg2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

In GnuPG through 2.4.8, if a signed message has \f at the end of a plaintext line, an adversary can construct a modified message that places additional text after the signed material, such that signature verification of the modified message succeeds (although an "invalid armor" message is printed during verification). This is related to use of \f as a marker to denote truncation of a long plaintext line.

Remediation

There is no fixed version for RHEL:8 gnupg2.

References

medium severity

Improper Verification of Cryptographic Signature

  • Vulnerable module: gnupg2
  • Introduced through: gnupg2@2.2.20-2.el8
  • Fixed in: 0:2.2.20-3.el8_6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 gnupg2@2.2.20-2.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnupg2 package and not the gnupg2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

GnuPG through 2.3.6, in unusual situations where an attacker possesses any secret-key information from a victim's keyring and other constraints (e.g., use of GPGME) are met, allows signature forgery via injection into the status line.

Remediation

Upgrade RHEL:8 gnupg2 to version 0:2.2.20-3.el8_6 or higher.
This issue was patched in RHSA-2022:6463.

References

medium severity

Information Exposure

  • Vulnerable module: gnutls
  • Introduced through: gnutls@3.6.16-4.el8
  • Fixed in: 0:3.6.16-8.el8_9

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 gnutls@3.6.16-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls package and not the gnutls package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A timing side channel was found in GnuTLS: the response time to a malformed ciphertext in an RSA-PSK ClientKeyExchange differs from the response time to a ciphertext with correct PKCS#1 v1.5 padding, which gives a network attacker the padding oracle that Bleichenbacher-style attacks rely on.

Remediation

Upgrade RHEL:8 gnutls to version 0:3.6.16-8.el8_9 or higher.
This issue was patched in RHSA-2024:0155.

References

medium severity

Reversible One-Way Hash

  • Vulnerable module: krb5-libs
  • Introduced through: krb5-libs@1.18.2-14.el8
  • Fixed in: 0:1.18.2-32.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 krb5-libs@1.18.2-14.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5-libs package and not the krb5-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A vulnerability in the MIT Kerberos implementation allows GSSAPI-protected messages using RC4-HMAC-MD5 to be spoofed due to weaknesses in the MD5 checksum design. If RC4 is preferred over stronger encryption types, an attacker could exploit MD5 collisions to forge message integrity codes. This may lead to unauthorized message tampering.
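Whether this weakness is reachable depends on configuration as much as on the library build: it matters only if RC4-HMAC is offered, and especially if it is preferred, over AES. The Python below is an added example, not part of this report or of MIT Kerberos: it audits the [libdefaults] section of a krb5.conf body for the three enctype lists and for allow_weak_crypto, and carries a constructed weak configuration beside a hardened one. Assumptions: the realm EXAMPLE.COM and its KDC name are placeholders, and the parser handles only the flat key = value lines of [libdefaults]. Two caveats for RHEL 8: /etc/krb5.conf includes /etc/krb5.conf.d/, where the system-wide crypto policy drops its own fragment, so audit the merged result rather than one file; and the KDC and each service principal's keys take part in enctype selection too, so check them as well.

```python
# Enctypes whose integrity protection rests on MD5 (the RC4-HMAC family) or
# on single DES; none of them belongs in a permitted list.
WEAK_ENCTYPES = {
    "rc4-hmac", "rc4-hmac-md5", "arcfour-hmac", "arcfour-hmac-md5",
    "rc4-hmac-exp", "rc4-hmac-md5-exp", "arcfour-hmac-exp", "arcfour-hmac-md5-exp",
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-hmac-sha1",
}
WEAK_FAMILIES = {"rc4", "des"}   # family names krb5.conf accepts in enctype lists
ENCTYPE_KEYS = ("permitted_enctypes", "default_tkt_enctypes", "default_tgs_enctypes")


def libdefaults(conf: str) -> dict:
    """Extract key = value pairs from the [libdefaults] section of a krb5.conf
    body. Minimal parser: comments stripped, every other section ignored."""
    section, out = None, {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip().lower()] = value.strip()
    return out


def audit_krb5(conf: str) -> list:
    """Return findings; an empty list means this file offers no RC4/DES enctype."""
    d = libdefaults(conf)
    findings = []
    if d.get("allow_weak_crypto", "false").lower() == "true":
        findings.append("allow_weak_crypto = true re-enables the single-DES enctypes")
    for key in ENCTYPE_KEYS:
        value = d.get(key)
        if value is None:
            findings.append(f"{key} is not set, so the library default list decides whether RC4 is offered")
            continue
        for token in value.replace(",", " ").split():
            t = token.lower()
            if t == "default":
                findings.append(f"{key} contains DEFAULT and inherits the library default list")
            elif t.startswith("-"):
                continue   # explicit removal such as "-rc4" is fine
            elif t in WEAK_ENCTYPES or t in WEAK_FAMILIES:
                findings.append(f"{key} offers weak enctype {token}")
    return findings


# Constructed sample: the weak setting (RC4 preferred, DES re-enabled,
# permitted_enctypes left to the library default) ...
WEAK_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    allow_weak_crypto = true
    default_tkt_enctypes = rc4-hmac aes256-cts-hmac-sha1-96
    default_tgs_enctypes = rc4-hmac aes256-cts-hmac-sha1-96

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

# ... beside the corrected one: AES only, weak crypto off, every list explicit.
HARDENED_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    allow_weak_crypto = false
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_krb5(conf) or "no findings")
```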

Remediation

Upgrade RHEL:8 krb5-libs to version 0:1.18.2-32.el8_10 or higher.
This issue was patched in RHSA-2025:8411.

References

medium severity

Authentication Bypass by Primary Weakness

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.61.1-22.el8
  • Fixed in: 0:7.61.1-30.el8_8.2

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libcurl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An authentication bypass vulnerability exists in libcurl <8.0.0 in the FTP connection reuse feature that can result in wrong credentials being used during subsequent transfers. Previously created connections are kept in a connection pool for reuse if they match the current setup. However, certain FTP settings such as CURLOPT_FTP_ACCOUNT, CURLOPT_FTP_ALTERNATIVE_TO_USER, CURLOPT_FTP_SSL_CCC, and CURLOPT_USE_SSL were not included in the configuration match checks, causing them to match too easily. This could lead to libcurl using the wrong credentials when performing a transfer, potentially allowing unauthorized access to sensitive information.

Remediation

Upgrade RHEL:8 libcurl to version 0:7.61.1-30.el8_8.2 or higher.
This issue was patched in RHSA-2023:3106.

References

medium severity

Authentication Bypass by Primary Weakness

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.61.1-22.el8
  • Fixed in: 0:7.61.1-30.el8_8.3

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libcurl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An authentication bypass vulnerability exists in libcurl <8.0.0 in the connection reuse feature, which can reuse previously established connections with incorrect user permissions due to a failure to check for changes in the CURLOPT_GSSAPI_DELEGATION option. This vulnerability affects krb5/kerberos/negotiate/GSSAPI transfers and could potentially result in unauthorized access to sensitive information. The safest option is to not reuse connections if the CURLOPT_GSSAPI_DELEGATION option has been changed.

Remediation

Upgrade RHEL:8 libcurl to version 0:7.61.1-30.el8_8.3 or higher.
This issue was patched in RHSA-2023:4523.

References

medium severity

Improper Certificate Validation

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.61.1-22.el8
  • Fixed in: 0:7.61.1-30.el8_8.3

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libcurl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An improper certificate validation vulnerability exists in curl <v8.1.0 in the way it supports matching of wildcard patterns when listed as "Subject Alternative Name" in TLS server certificates. curl can be built to use its own name matching function for TLS rather than one provided by a TLS library. This private wildcard matching function would match IDN (International Domain Name) hosts incorrectly and could as a result accept patterns that otherwise should mismatch. IDN hostnames are converted to punycode before being used for certificate checks. Punycode-encoded names always start with xn-- and should not be allowed to pattern match, but the wildcard check in curl could still check for x*, which would match even though the IDN name most likely contained nothing even resembling an x.
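The check described above is easy to get wrong because the wildcard is applied to the encoded (A-label) form of the name rather than to what the user typed. The Python below is an added example, not part of this report or of curl: it implements dNSName matching that honours a wildcard only when it is the entire left-most label, the rule curl's fix adopted, so a partial pattern such as x* is compared literally and can never cover xn--bcher-kva (the A-label for bücher). The SAN list is constructed; in practice it comes from the peer certificate, and IP addresses are deliberately left to the iPAddress SAN type.

```python
import ipaddress


def hostname_matches_san(pattern: str, hostname: str) -> bool:
    """Decide whether a dNSName SAN entry covers hostname.

    Rules: comparison is case-insensitive with trailing dots ignored; an IP
    address never matches a dNSName; a wildcard is honoured only when it is
    the entire left-most label ("*.example.com"), it covers exactly one label,
    and at least two labels must follow it ("*.com" is rejected). A partial
    wildcard such as "x*.example.com" is compared literally; since '*' cannot
    occur in a real hostname it matches nothing, which is what closes the
    punycode hole: "x*" can no longer match "xn--bcher-kva".
    """
    hostname = hostname.rstrip(".").lower()
    pattern = pattern.rstrip(".").lower()
    try:
        ipaddress.ip_address(hostname)
        return False                      # check iPAddress SANs for these instead
    except ValueError:
        pass
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or "" in p_labels or "" in h_labels:
        return False
    if p_labels[0] == "*":
        if len(p_labels) < 3:
            return False                  # too wide: would cover a whole TLD
        p_labels, h_labels = p_labels[1:], h_labels[1:]   # wildcard consumed one label
    return p_labels == h_labels


def first_matching_san(sans, hostname: str):
    """Return the first dNSName SAN that covers hostname, or None."""
    for san in sans:
        if hostname_matches_san(san, hostname):
            return san
    return None


# Constructed SAN list, as it might be taken from
# ssl.SSLSocket.getpeercert()["subjectAltName"] with the "DNS" type stripped.
SANS = ["x*.example.com", "*.example.com", "api.example.net"]

if __name__ == "__main__":
    for host in ("www.example.com", "xn--bcher-kva.example.com", "xn--bcher-kva.example.org"):
        print(f"{host:32} -> {first_matching_san(SANS, host)}")
```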

Remediation

Upgrade RHEL:8 libcurl to version 0:7.61.1-30.el8_8.3 or higher.
This issue was patched in RHSA-2023:4523.

References

medium severity

Covert Timing Channel

  • Vulnerable module: libgcrypt
  • Introduced through: libgcrypt@1.8.5-6.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libgcrypt@1.8.5-6.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libgcrypt package and not the libgcrypt package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a flush-and-reload side-channel attack because physical addresses are available to other processes. (The C implementation is used on platforms where an assembly-language implementation is unavailable.) NOTE: the vendor's position is that the issue report cannot be validated because there is no description of an attack.

Remediation

There is no fixed version for RHEL:8 libgcrypt.

References

medium severity

Covert Timing Channel

  • Vulnerable module: libgcrypt
  • Introduced through: libgcrypt@1.8.5-6.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libgcrypt@1.8.5-6.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libgcrypt package and not the libgcrypt package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.

Remediation

There is no fixed version for RHEL:8 libgcrypt.

References

medium severity

Use of a Broken or Risky Cryptographic Algorithm

  • Vulnerable module: libgcrypt
  • Introduced through: libgcrypt@1.8.5-6.el8
  • Fixed in: 0:1.8.5-7.el8_6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libgcrypt@1.8.5-6.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libgcrypt package and not the libgcrypt package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The ElGamal implementation in Libgcrypt before 1.9.4 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP.

Remediation

Upgrade RHEL:8 libgcrypt to version 0:1.8.5-7.el8_6 or higher.
This issue was patched in RHSA-2022:5311.

References

medium severity

Truncation of Security-relevant Information

  • Vulnerable module: libssh
  • Introduced through: libssh@0.9.4-3.el8
  • Fixed in: 0:0.9.6-13.el8_9

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libssh@0.9.4-3.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh package and not the libssh package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms.

This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.

Remediation

Upgrade RHEL:8 libssh to version 0:0.9.6-13.el8_9 or higher.
This issue was patched in RHSA-2024:0628.

References

medium severity

Truncation of Security-relevant Information

  • Vulnerable module: libssh-config
  • Introduced through: libssh-config@0.9.4-3.el8
  • Fixed in: 0:0.9.6-13.el8_9

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libssh-config@0.9.4-3.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh-config package and not the libssh-config package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms.

This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.

Remediation

Upgrade RHEL:8 libssh-config to version 0:0.9.6-13.el8_9 or higher.
This issue was patched in RHSA-2024:0628.

References

medium severity

Off-by-one Error

  • Vulnerable module: libtasn1
  • Introduced through: libtasn1@4.13-3.el8
  • Fixed in: 0:4.13-4.el8_7

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libtasn1@4.13-3.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libtasn1 package and not the libtasn1 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check that affects asn1_encode_simple_der.

Remediation

Upgrade RHEL:8 libtasn1 to version 0:4.13-4.el8_7 or higher.
This issue was patched in RHSA-2023:0116.

References

medium severity

Improper Input Validation

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.7-9.el8_4.2
  • Fixed in: 0:2.9.7-16.el8_8.1

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libxml2@2.9.7-9.el8_4.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An issue was discovered in libxml2 before 2.10.4. When hashing empty dict strings in a crafted XML document, xmlDictComputeFastKey in dict.c can produce non-deterministic values, leading to various logic and memory errors, such as a double free. This behavior occurs because there is an attempt to use the first byte of an empty string, and any value is possible (not solely the '\0' value).

Remediation

Upgrade RHEL:8 libxml2 to version 0:2.9.7-16.el8_8.1 or higher.
This issue was patched in RHSA-2023:4529.

References

medium severity

Improper Input Validation

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.7-9.el8_4.2
  • Fixed in: 0:2.9.7-16.el8_8.1

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libxml2@2.9.7-9.el8_4.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

In libxml2 before 2.10.4, parsing of certain invalid XSD schemas can lead to a NULL pointer dereference and subsequently a segfault. This occurs in xmlSchemaFixupComplexType in xmlschemas.c.

Remediation

Upgrade RHEL:8 libxml2 to version 0:2.9.7-16.el8_8.1 or higher.
This issue was patched in RHSA-2023:4529.

References

medium severity

Uncontrolled Recursion

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.7-9.el8_4.2

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libxml2@2.9.7-9.el8_4.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in libxml2, an XML parsing library. This uncontrolled recursion vulnerability occurs in the xmlCatalogXMLResolveURI function when an XML catalog contains a delegate URI entry that references itself. A remote attacker could exploit this configuration-dependent issue by providing a specially crafted XML catalog, leading to infinite recursion and call stack exhaustion. This ultimately results in a segmentation fault, causing a Denial of Service (DoS) by crashing affected applications.

Remediation

There is no fixed version for RHEL:8 libxml2.

References

medium severity

Use After Free

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.7-9.el8_4.2
  • Fixed in: 0:2.9.7-18.el8_10.2

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libxml2@2.9.7-9.el8_4.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

xmlXIncludeAddNode in xinclude.c in libxml2 before 2.11.0 has a use-after-free.

Remediation

Upgrade RHEL:8 libxml2 to version 0:2.9.7-18.el8_10.2 or higher.
This issue was patched in RHSA-2025:1517.

References

medium severity
new

NULL Pointer Dereference

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: Receiving a QUIC initial packet with an invalid token may trigger a NULL pointer dereference in the OpenSSL QUIC server with address validation disabled.

Impact summary: NULL pointer dereference typically causes abnormal termination of the affected QUIC server process and a Denial of Service.

If the address validation is disabled in the OpenSSL QUIC server implementation, an attacker can crash the server by sending an initial packet with an invalid or expired token.

By default, the client address validation is enabled in the OpenSSL QUIC server implementation, which makes the default configuration not vulnerable to this issue. However if the SSL_LISTENER_FLAG_NO_VALIDATE is used with the SSL_new_listener() call, the address validation is disabled making the vulnerable code reachable.

The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Remediation

There is no fixed version for RHEL:8 openssl. Note that the openssl package in RHEL 8 is OpenSSL 1.1.1, which contains no QUIC implementation at all; the SSL_new_listener() API named above was introduced in OpenSSL 3.5, so the affected code path does not exist in this build.

References

medium severity
new

NULL Pointer Dereference

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl-libs@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: Receiving a QUIC initial packet with an invalid token may trigger a NULL pointer dereference in the OpenSSL QUIC server with address validation disabled.

Impact summary: NULL pointer dereference typically causes abnormal termination of the affected QUIC server process and a Denial of Service.

If the address validation is disabled in the OpenSSL QUIC server implementation, an attacker can crash the server by sending an initial packet with an invalid or expired token.

By default, the client address validation is enabled in the OpenSSL QUIC server implementation, which makes the default configuration not vulnerable to this issue. However if the SSL_LISTENER_FLAG_NO_VALIDATE is used with the SSL_new_listener() call, the address validation is disabled making the vulnerable code reachable.

The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Remediation

There is no fixed version for RHEL:8 openssl-libs. Note that the openssl-libs package in RHEL 8 is OpenSSL 1.1.1, which contains no QUIC implementation at all; the SSL_new_listener() API named above was introduced in OpenSSL 3.5, so the affected code path does not exist in this build.

References

medium severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

When loading a plist file, the plistlib module reads data in a size specified by the file itself, so a malicious file can cause out-of-memory (OOM) and denial-of-service (DoS) conditions.

Remediation

There is no fixed version for RHEL:8 platform-python.

References

medium severity

Buffer Access with Incorrect Length Value

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model, a C stack overflow occurs.

Remediation

There is no fixed version for RHEL:8 platform-python.

References

medium severity

Information Exposure

  • Vulnerable module: platform-python-pip
  • Introduced through: platform-python-pip@9.0.3-20.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python-pip@9.0.3-20.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python-pip package and not the platform-python-pip package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the Cookie HTTP header specially or provide any helpers for managing cookies over HTTP; that is the responsibility of the user. However, it is possible for a user to specify a Cookie header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.

Remediation

There is no fixed version for RHEL:8 platform-python-pip.

References

medium severity

Incorrect Regular Expression

  • Vulnerable module: platform-python-setuptools
  • Introduced through: platform-python-setuptools@39.2.0-6.el8
  • Fixed in: 0:39.2.0-6.el8_7.1

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python-setuptools@39.2.0-6.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python-setuptools package and not the platform-python-setuptools package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.

Remediation

Upgrade RHEL:8 platform-python-setuptools to version 0:39.2.0-6.el8_7.1 or higher.
This issue was patched in RHSA-2023:0835.

References

medium severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

When loading a plist file, the plistlib module reads data in a size specified by the file itself, so a malicious file can cause out-of-memory (OOM) and denial-of-service (DoS) conditions.
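Both platform-python and python3-libs carry this plistlib issue, and the general lesson is the same: never let a file's own header decide how much memory to allocate. The Python below is an added example, not part of this report or of CPython: it reads the 32-byte trailer of a binary plist the way plistlib does, cross-checks the declared object count and offset-table position against the bytes actually present, and only then calls plistlib.loads. The plist samples are constructed inline (the smallest valid binary plist, a single boolean, next to two that lie about their size), and the 100,000-object ceiling is an assumed policy value to tune for your inputs.

```python
import plistlib
import struct

# Binary plist trailer as plistlib reads it: 6 unused bytes (the sixth is the
# sort version), offset-int width, object-ref width, object count, top object
# index, offset-table position. Every one of these sizes comes from the file.
TRAILER = struct.Struct(">6xBBQQQ")
HEADER = b"bplist00"


def check_bplist_sizes(data: bytes, max_objects: int = 100_000):
    """Check the sizes a binary plist declares about itself against the bytes
    actually present. Returns None if it is safe to hand to plistlib,
    otherwise a short reason string."""
    if not data.startswith(HEADER) or len(data) < len(HEADER) + TRAILER.size:
        return "not a binary plist"
    offset_size, ref_size, num_objects, top_object, table_offset = TRAILER.unpack(
        data[-TRAILER.size:])
    body_end = len(data) - TRAILER.size
    if offset_size not in (1, 2, 4, 8) or ref_size not in (1, 2, 4, 8):
        return "invalid integer width in trailer"
    if num_objects == 0 or num_objects > max_objects:
        return f"object count {num_objects} is zero or above the limit of {max_objects}"
    if top_object >= num_objects:
        return "top object index out of range"
    # This is the allocation the vulnerable code performs blindly:
    # num_objects * offset_size bytes read starting at table_offset.
    if table_offset < len(HEADER) or table_offset + num_objects * offset_size > body_end:
        return "offset table runs past the end of the file"
    return None


def safe_loads(data: bytes, **limits):
    """plistlib.loads with the declared sizes validated first."""
    reason = check_bplist_sizes(data, **limits)
    if reason is not None:
        raise ValueError(f"rejected plist: {reason}")
    return plistlib.loads(data)


def _bplist(body: bytes, offsets: bytes, offset_size: int,
            num_objects: int, table_offset: int) -> bytes:
    """Assemble header + objects + offset table + trailer (ref width fixed at 1)."""
    return HEADER + body + offsets + TRAILER.pack(offset_size, 1, num_objects, 0, table_offset)


# Constructed samples. GOOD is the smallest valid binary plist: one object
# (boolean true, token 0x09) at offset 8 and a one-byte offset table at 9.
GOOD = _bplist(b"\x09", b"\x08", 1, 1, 9)
# HUGE keeps the same two bytes of body but claims 2**40 objects of 8 bytes each.
HUGE = _bplist(b"\x09", b"\x08", 8, 2 ** 40, 9)
# OVERRUN claims a modest count whose offset table still exceeds the file.
OVERRUN = _bplist(b"\x09", b"\x08", 8, 4096, 9)

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("HUGE", HUGE), ("OVERRUN", OVERRUN)):
        print(name, check_bplist_sizes(sample) or f"ok -> {safe_loads(sample)!r}")
```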

Remediation

There is no fixed version for RHEL:8 python3-libs.

References

medium severity

Buffer Access with Incorrect Length Value

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

When an Expat parser with a registered ElementDeclHandler parses an inline document type definition containing a deeply nested content model, a C stack overflow occurs.

Remediation

There is no fixed version for RHEL:8 python3-libs.

References

medium severity

Information Exposure

  • Vulnerable module: python3-pip-wheel
  • Introduced through: python3-pip-wheel@9.0.3-20.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-pip-wheel@9.0.3-20.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-pip-wheel package and not the python3-pip-wheel package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the Cookie HTTP header specially or provide any helpers for managing cookies over HTTP; that is the responsibility of the user. However, it is possible for a user to specify a Cookie header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5.

Remediation

There is no fixed version for RHEL:8 python3-pip-wheel.

References

medium severity

Incorrect Regular Expression

  • Vulnerable module: python3-setuptools-wheel
  • Introduced through: python3-setuptools-wheel@39.2.0-6.el8
  • Fixed in: 0:39.2.0-6.el8_7.1

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-setuptools-wheel@39.2.0-6.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-setuptools-wheel package and not the python3-setuptools-wheel package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.

Remediation

Upgrade RHEL:8 python3-setuptools-wheel to version 0:39.2.0-6.el8_7.1 or higher.
This issue was patched in RHSA-2023:0835.

References

medium severity

Improper Validation of Array Index

  • Vulnerable module: sqlite-libs
  • Introduced through: sqlite-libs@3.26.0-15.el8
  • Fixed in: 0:3.26.0-17.el8_7

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 sqlite-libs@3.26.0-15.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream sqlite-libs package and not the sqlite-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

SQLite 1.0.12 through 3.39.x before 3.39.2 sometimes allows an array-bounds overflow if billions of bytes are used in a string argument to a C API.

Remediation

Upgrade RHEL:8 sqlite-libs to version 0:3.26.0-17.el8_7 or higher.
This issue was patched in RHSA-2023:0110.

References

medium severity

Man-in-the-Middle (MitM)

  • Vulnerable module: systemd-libs
  • Introduced through: systemd-libs@239-51.el8_5.3
  • Fixed in: 0:239-82.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 systemd-libs@239-51.el8_5.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd-libs package and not the systemd-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A vulnerability was found in systemd-resolved: it may accept records for DNSSEC-signed domains even when they carry no signature, which lets a man-in-the-middle attacker (or the upstream DNS resolver itself) manipulate those records.

Remediation

Upgrade RHEL:8 systemd-libs to version 0:239-82.el8 or higher.
This issue was patched in RHSA-2024:3203.

References

medium severity

Out-of-bounds Write

  • Vulnerable module: libcom_err
  • Introduced through: libcom_err@1.45.6-2.el8
  • Fixed in: 0:1.45.6-5.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libcom_err@1.45.6-2.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcom_err package and not the libcom_err package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An out-of-bounds read/write vulnerability was found in e2fsprogs 1.46.5. This issue leads to a segmentation fault and possibly arbitrary code execution via a specially crafted filesystem.

Remediation

Upgrade RHEL:8 libcom_err to version 0:1.45.6-5.el8 or higher.
This issue was patched in RHSA-2022:7720.

References

medium severity

Information Exposure

  • Vulnerable module: curl
  • Introduced through: curl@7.61.1-22.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 curl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances.

If the hostname that the first request is redirected to has information in the used .netrc file, with either of the machine or default keywords, curl would pass on the bearer token set for the first host also to the second one.

Remediation

There is no fixed version for RHEL:8 curl.

References

medium severity

Information Exposure

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.61.1-22.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libcurl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances.

If the hostname that the first request is redirected to has information in the used .netrc file, with either of the machine or default keywords, curl would pass on the bearer token set for the first host also to the second one.
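The redirect decision described above (it is the same finding for the curl and libcurl entries), modelled in Python as an added example; this is not curl's code. The hostnames and the .netrc text are constructed for the example. The "leaky" policy reproduces the behaviour the advisory describes: on a redirect to a different host the Authorization header set for the first host is kept whenever that host has a "machine" entry in .netrc or .netrc carries a "default" entry. The "strict" policy drops credentials on any cross-host redirect, which is what a client should do regardless of .netrc.

```python
"""Model of bearer-token handling across a cross-host redirect (added
example; not curl's code).  NETRC_TEXT and the URLs are constructed."""
from urllib.parse import urlsplit

NETRC_TEXT = """\
machine api.example.test login alice password s3cret
machine mirror.example.test login alice password mirr0r
"""


def parse_netrc(text: str) -> dict:
    """Minimal .netrc parser: 'machine NAME ...' and 'default ...' stanzas."""
    entries, cur, toks, i = {}, None, text.split(), 0
    while i < len(toks):
        t = toks[i]
        if t == "machine":
            cur = toks[i + 1]
            entries[cur] = {}
            i += 2
        elif t == "default":
            cur = "default"
            entries[cur] = {}
            i += 1
        elif t in ("login", "password", "account") and cur is not None:
            entries[cur][t] = toks[i + 1]
            i += 2
        elif t == "macdef":
            break  # macro definitions are not needed for this model
        else:
            i += 1
    return entries


def netrc_knows(entries: dict, host: str) -> bool:
    """A 'default' stanza makes every host known, which widens the leak."""
    return host in entries or "default" in entries


def headers_for_redirect(first_url, redirect_url, headers, entries, policy="strict"):
    """Headers to send to redirect_url after first_url answered with a redirect."""
    h1, h2 = urlsplit(first_url).hostname, urlsplit(redirect_url).hostname
    out = dict(headers)
    if h1 == h2:
        return out                                   # same host: keep everything
    if policy == "leaky" and netrc_knows(entries, h2):
        return out                                   # advisory case: token follows to h2
    out.pop("Authorization", None)                   # cross-host: drop the bearer token
    return out


def demo() -> dict:
    entries = parse_netrc(NETRC_TEXT)
    hdrs = {"Authorization": "Bearer example.token", "Accept": "application/json"}
    first = "https://api.example.test/v1/report"
    redirected = "https://mirror.example.test/v1/report"
    return {
        "leaky": headers_for_redirect(first, redirected, hdrs, entries, "leaky"),
        "strict": headers_for_redirect(first, redirected, hdrs, entries, "strict"),
    }
```

The practical check is on the .netrc itself: a "default" stanza turns every redirect target into a known host, so the leaky branch then applies to any destination the first server chooses.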

Remediation

There is no fixed version for RHEL:8 libcurl.

References

medium severity

Integer Overflow or Wraparound

  • Vulnerable module: glib2
  • Introduced through: glib2@2.56.4-156.el8
  • Fixed in: 0:2.56.4-169.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glib2@2.56.4-156.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glib2 package and not the glib2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in GLib (Gnome Lib). This vulnerability allows a remote attacker to cause heap corruption, leading to a denial of service or potential code execution via a buffer-underflow in the GVariant parser when processing maliciously crafted input strings.

Remediation

Upgrade RHEL:8 glib2 to version 0:2.56.4-169.el8_10 or higher.
This issue was patched in RHSA-2026:15953.

References

medium severity

Heap-based Buffer Overflow

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: 2D). Supported versions that are affected are Oracle Java SE: 8u441, 8u441-perf, 11.0.26, 17.0.14, 21.0.6, 24; Oracle GraalVM for JDK: 17.0.14, 21.0.6, 24; Oracle GraalVM Enterprise Edition: 20.3.17 and 21.3.13. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L).

Remediation

There is no fixed version for RHEL:8 java-11-openjdk-headless.

References

medium severity

Return of Wrong Status Code

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.7-9.el8_4.2
  • Fixed in: 0:2.9.7-20.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libxml2@2.9.7-9.el8_4.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters.

Remediation

Upgrade RHEL:8 libxml2 to version 0:2.9.7-20.el8_10 or higher.
This issue was patched in RHSA-2025:8958.

References

medium severity

Out-of-bounds Write

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.1.1k-4.el8
  • Fixed in: 1:1.1.1k-14.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: An application trying to decrypt CMS messages encrypted using password based encryption can trigger an out-of-bounds read and write.

Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application. The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service or Execution of attacker-supplied code.

Although the consequences of a successful exploit of this vulnerability could be severe, the probability that the attacker would be able to perform it is low. Besides, password based (PWRI) encryption support in CMS messages is very rarely used. For that reason the issue was assessed as Moderate severity according to our Security Policy.

The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.

Remediation

Upgrade RHEL:8 openssl to version 1:1.1.1k-14.el8_10 or higher.
This issue was patched in RHSA-2026:0337.

References

medium severity

Out-of-bounds Write

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.1.1k-4.el8
  • Fixed in: 1:1.1.1k-14.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl-libs@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: An application trying to decrypt CMS messages encrypted using password based encryption can trigger an out-of-bounds read and write.

Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application. The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service or Execution of attacker-supplied code.

Although the consequences of a successful exploit of this vulnerability could be severe, the probability that the attacker would be able to perform it is low. Besides, password based (PWRI) encryption support in CMS messages is very rarely used. For that reason the issue was assessed as Moderate severity according to our Security Policy.

The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary.

Remediation

Upgrade RHEL:8 openssl-libs to version 1:1.1.1k-14.el8_10 or higher.
This issue was patched in RHSA-2026:0337.

References

medium severity

Directory Traversal

  • Vulnerable module: tar
  • Introduced through: tar@2:1.30-5.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 tar@2:1.30-5.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream tar package and not the tar package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of "Member name contains '..'" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain "x -> ../../../../../home/victim/.ssh" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which "tar xf" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages). NOTE: the official GNU Tar manual has an otherwise-empty directory for each "tar xf" in its Security Rules of Thumb; however, third-party advice leads users to run "tar xf" more than once into the same directory.

Remediation

There is no fixed version for RHEL:8 tar.

References

medium severity

Improper Validation of Consistency within Input

  • Vulnerable module: avahi-libs
  • Introduced through: avahi-libs@0.7-20.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 avahi-libs@0.7-20.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream avahi-libs package and not the avahi-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. Prior to version 0.9-rc4, any unprivileged local user can crash avahi-daemon by sending a single D-Bus method call with conflicting publish flags. This issue has been patched in version 0.9-rc4.

Remediation

There is no fixed version for RHEL:8 avahi-libs.

References

medium severity

Reachable Assertion

  • Vulnerable module: avahi-libs
  • Introduced through: avahi-libs@0.7-20.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 avahi-libs@0.7-20.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream avahi-libs package and not the avahi-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In 0.9-rc2 and earlier, an unprivileged local user can crash avahi-daemon (with wide-area disabled) by creating record browsers with the AVAHI_LOOKUP_USE_WIDE_AREA flag set via D-Bus. This can be done either by calling the RecordBrowserNew method directly or by creating hostname/address/service resolvers/browsers that create those browsers internally.

Remediation

There is no fixed version for RHEL:8 avahi-libs.

References

medium severity

Resource Exhaustion

  • Vulnerable module: avahi-libs
  • Introduced through: avahi-libs@0.7-20.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 avahi-libs@0.7-20.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream avahi-libs package and not the avahi-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions up to and including 0.9-rc2, the simple protocol server ignores the documented client limit and accepts unlimited connections, allowing for easy local DoS. Although CLIENTS_MAX is defined, server_work() unconditionally accept()s and client_new() always appends the new client and increments n_clients. There is no check against the limit. When a client cannot be accepted because avahi-daemon has reached its maximum socket number, it unconditionally logs an error for each connection. Unprivileged local users can exhaust daemon memory and file descriptors, causing a system-wide denial of service for mDNS/DNS-SD. Exhausting local file descriptors also increases system load, because an error is logged for each request. Overloading prevents glibc calls using nss-mdns plugins from resolving *.local. names and link-local addresses. As of time of publication, no known patched versions are available, but a candidate fix is available in pull request 808, and some workarounds are available. Simple clients are offered for nss-mdns package functionality. It is not possible to disable the unix socket /run/avahi-daemon/socket, but resolution requests received via D-Bus are not affected directly. The tools avahi-resolve, avahi-resolve-address and avahi-resolve-host-name are not affected; they use the D-Bus interface. It is possible to change the permissions of the unix socket after avahi-daemon is started, but avahi-daemon does not provide any configuration for it. Additional access restrictions such as SELinux can also prevent unwanted tools from accessing the socket and keep resolution working for trusted users.

Remediation

There is no fixed version for RHEL:8 avahi-libs.

References

medium severity

Incorrect Calculation of Buffer Size

  • Vulnerable module: glibc
  • Introduced through: glibc@2.28-164.el8
  • Fixed in: 0:2.28-251.el8_10.16

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.

Remediation

Upgrade RHEL:8 glibc to version 0:2.28-251.el8_10.16 or higher.
This issue was patched in RHSA-2025:3828.

References

medium severity

Incorrect Calculation of Buffer Size

  • Vulnerable module: glibc-common
  • Introduced through: glibc-common@2.28-164.el8
  • Fixed in: 0:2.28-251.el8_10.16

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-common@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-common package and not the glibc-common package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.

Remediation

Upgrade RHEL:8 glibc-common to version 0:2.28-251.el8_10.16 or higher.
This issue was patched in RHSA-2025:3828.

References

medium severity

Incorrect Calculation of Buffer Size

  • Vulnerable module: glibc-langpack-en
  • Introduced through: glibc-langpack-en@2.28-164.el8
  • Fixed in: 0:2.28-251.el8_10.16

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-langpack-en@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-langpack-en package and not the glibc-langpack-en package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.

Remediation

Upgrade RHEL:8 glibc-langpack-en to version 0:2.28-251.el8_10.16 or higher.
This issue was patched in RHSA-2025:3828.

References

medium severity

Incorrect Calculation of Buffer Size

  • Vulnerable module: glibc-minimal-langpack
  • Introduced through: glibc-minimal-langpack@2.28-164.el8
  • Fixed in: 0:2.28-251.el8_10.16

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-minimal-langpack@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-minimal-langpack package and not the glibc-minimal-langpack package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.

Remediation

Upgrade RHEL:8 glibc-minimal-langpack to version 0:2.28-251.el8_10.16 or higher.
This issue was patched in RHSA-2025:3828.

References

medium severity

Integer Overflow or Wraparound

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.17.0.8-2.el8_6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An integer overflow in the component hb-ot-shape-fallback.cc of Harfbuzz v4.3.0 allows attackers to cause a Denial of Service (DoS) via unspecified vectors.

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.17.0.8-2.el8_6 or higher.
This issue was patched in RHSA-2022:7012.

References

medium severity

Integer Overflow or Wraparound

  • Vulnerable module: lcms2
  • Introduced through: lcms2@2.9-2.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 lcms2@2.9-2.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream lcms2 package and not the lcms2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Little CMS (aka Little Color Management System) 2.9 has an integer overflow in the AllocateDataSet function in cmscgats.c, leading to a heap-based buffer overflow in the SetData function via a crafted file in the second argument to cmsIT8LoadFromFile.

Remediation

There is no fixed version for RHEL:8 lcms2.

References

medium severity

Loop with Unreachable Exit Condition ('Infinite Loop')

  • Vulnerable module: libarchive
  • Introduced through: libarchive@3.3.3-1.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libarchive@3.3.3-1.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libarchive package and not the libarchive package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An issue was discovered in libarchive bsdtar before version 3.8.1 in function apply_substitution in file tar/subst.c when processing crafted -s substitution rules. This can cause unbounded memory allocation and lead to denial of service (Out-of-Memory crash).

Remediation

There is no fixed version for RHEL:8 libarchive.

References

medium severity

NULL Pointer Dereference

  • Vulnerable module: libarchive
  • Introduced through: libarchive@3.3.3-1.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libarchive@3.3.3-1.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libarchive package and not the libarchive package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in libarchive. A NULL pointer dereference vulnerability exists in the ACL parsing logic, specifically within the archive_acl_from_text_nl() function. When processing a malformed ACL string (such as a bare "d" or "default" tag without subsequent fields), the function fails to perform adequate validation before advancing the pointer. An attacker can exploit this by providing a maliciously crafted archive, causing an application utilizing the libarchive API (such as bsdtar) to crash, resulting in a Denial of Service (DoS).

Remediation

There is no fixed version for RHEL:8 libarchive.

References

medium severity

Improper Input Validation

  • Vulnerable module: lua
  • Introduced through: lua@5.3.4-12.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 lua@5.3.4-12.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream lua package and not the lua package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Lua 5.4.0 (fixed in 5.4.1) has a segmentation fault in changedline in ldebug.c (e.g., when called by luaG_traceexec) because it incorrectly expects that an oldpc value is always updated upon a return of the flow of control to a function.

Remediation

There is no fixed version for RHEL:8 lua.

References

medium severity

Improper Input Validation

  • Vulnerable module: lua-libs
  • Introduced through: lua-libs@5.3.4-12.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 lua-libs@5.3.4-12.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream lua-libs package and not the lua-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Lua 5.4.0 (fixed in 5.4.1) has a segmentation fault in changedline in ldebug.c (e.g., when called by luaG_traceexec) because it incorrectly expects that an oldpc value is always updated upon a return of the flow of control to a function.

Remediation

There is no fixed version for RHEL:8 lua-libs.

References

medium severity

Directory Traversal

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8
  • Fixed in: 0:3.6.8-56.el8_9

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.
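Both traversal patterns on this page, the ".." member name in the Python tarfile entries and the two-archive symlink trick in the GNU tar entry, are caught by the same kind of check, so one added example serves both. It is not code from GNU tar, CPython or the scanner behind this report, and the archives and paths are constructed inline under a temporary directory. naive_ok() is a name-only check of the "member name contains '..'" kind that the GNU tar advisory says the second archive bypasses. strict_ok() resolves where the member would really land with realpath(), so a symlink planted by an earlier extraction is followed at check time rather than only at extraction time, and it also rejects link members whose own target escapes the destination.

```python
"""Containment checks for tar members (added example; not GNU tar's or
CPython's code).  Archives and directories are constructed in a tempdir."""
import io
import os
import shutil
import tarfile
import tempfile
from pathlib import PurePosixPath


def naive_ok(name: str) -> bool:
    """Reject absolute names and any '..' component; looks at the name only."""
    return not name.startswith("/") and ".." not in PurePosixPath(name).parts


def _inside(dest: str, path: str) -> bool:
    return os.path.commonpath([dest, os.path.realpath(path)]) == dest


def strict_ok(dest: str, member: tarfile.TarInfo) -> bool:
    """Resolve the member's final on-disk path and require it to stay under dest."""
    dest = os.path.realpath(dest)
    target = os.path.join(dest, member.name)
    if not _inside(dest, target):
        return False
    if member.issym() or member.islnk():
        # Symlink targets are relative to the member's directory; hard link
        # targets are archive-relative.  Either way they must stay in dest.
        base = os.path.dirname(target) if member.issym() else dest
        if not _inside(dest, os.path.join(base, member.linkname)):
            return False
    return True


def build_tar(entries) -> bytes:
    """In-memory tar from (name, data, symlink_target) tuples; one of data/target is None."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data, link in entries:
            info = tarfile.TarInfo(name)
            if link is not None:
                info.type = tarfile.SYMTYPE
                info.linkname = link
                tar.addfile(info)
            else:
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def audit(tar_bytes: bytes, dest: str) -> dict:
    """{member name: (naive_ok, strict_ok)} for every member of the archive."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        return {m.name: (naive_ok(m.name), strict_ok(dest, m)) for m in tar.getmembers()}


def demo() -> dict:
    """Run both checks over three constructed archives and return the verdicts."""
    root = tempfile.mkdtemp(prefix="tar-audit-")
    dest = os.path.join(root, "extract")                # where archives are unpacked
    victim_ssh = os.path.join(root, "victim", ".ssh")   # stands in for the victim's ~/.ssh
    os.makedirs(dest)
    os.makedirs(victim_ssh)

    dotdot = build_tar([("../escape.txt", b"outside\n", None)])
    planted_link = build_tar([("x", None, "../victim/.ssh")])
    through_link = build_tar([("x/authorized_keys", b"attacker key\n", None)])

    results = {"dotdot": audit(dotdot, dest), "planted_link": audit(planted_link, dest)}
    # Stand-in for step one having already happened: an extractor honoured the
    # symlink member, so dest/x now points at the victim directory.
    os.symlink("../victim/.ssh", os.path.join(dest, "x"))
    results["through_link"] = audit(through_link, dest)
    shutil.rmtree(root)
    return results
```

The verdicts show the gap: the name-only check accepts both halves of the two-archive attack ("x" as a symlink, then "x/authorized_keys"), while the realpath check rejects each of them as well as the plain "../" case. Extracting every archive into a fresh, empty directory removes the planted-symlink precondition regardless of which check the extractor applies.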

Remediation

Upgrade RHEL:8 platform-python to version 0:3.6.8-56.el8_9 or higher.
This issue was patched in RHSA-2023:7151.

References

medium severity

Directory Traversal

  • Vulnerable module: platform-python-pip
  • Introduced through: platform-python-pip@9.0.3-20.el8
  • Fixed in: 0:9.0.3-23.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python-pip@9.0.3-20.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python-pip package and not the platform-python-pip package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.

Remediation

Upgrade RHEL:8 platform-python-pip to version 0:9.0.3-23.el8 or higher.
This issue was patched in RHSA-2023:7176.

References

medium severity

Directory Traversal

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8
  • Fixed in: 0:3.6.8-56.el8_9

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.

Remediation

Upgrade RHEL:8 python3-libs to version 0:3.6.8-56.el8_9 or higher.
This issue was patched in RHSA-2023:7151.

References

medium severity

Directory Traversal

  • Vulnerable module: python3-pip-wheel
  • Introduced through: python3-pip-wheel@9.0.3-20.el8
  • Fixed in: 0:9.0.3-23.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-pip-wheel@9.0.3-20.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-pip-wheel package and not the python3-pip-wheel package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in filenames in a TAR archive, a related issue to CVE-2001-1267.

Remediation

Upgrade RHEL:8 python3-pip-wheel to version 0:9.0.3-23.el8 or higher.
This issue was patched in RHSA-2023:7176.

References

medium severity

Information Exposure

  • Vulnerable module: systemd-libs
  • Introduced through: systemd-libs@239-51.el8_5.3
  • Fixed in: 0:239-68.el8_7.4

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 systemd-libs@239-51.el8_5.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd-libs package and not the systemd-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A vulnerability was found in systemd. This security flaw can cause a local information leak due to systemd-coredump not respecting the fs.suid_dumpable kernel setting.

Remediation

Upgrade RHEL:8 systemd-libs to version 0:239-68.el8_7.4 or higher.
This issue was patched in RHSA-2023:0837.

References

medium severity

Off-by-one Error

  • Vulnerable module: systemd-libs
  • Introduced through: systemd-libs@239-51.el8_5.3
  • Fixed in: 0:239-68.el8_7.1

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 systemd-libs@239-51.el8_5.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd-libs package and not the systemd-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An off-by-one error was discovered in systemd in the format_timespan() function of time-util.c. An attacker could supply specific values for time and accuracy that lead to a buffer overrun in format_timespan(), resulting in a denial of service.

Remediation

Upgrade RHEL:8 systemd-libs to version 0:239-68.el8_7.1 or higher.
This issue was patched in RHSA-2023:0100.

References

medium severity

Out-of-Bounds

  • Vulnerable module: tar
  • Introduced through: tar@2:1.30-5.el8
  • Fixed in: 2:1.30-6.el8_7.1

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 tar@2:1.30-5.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream tar package and not the tar package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

GNU Tar through 1.34 has a one-byte out-of-bounds read that results in use of uninitialized memory for a conditional jump. Exploitation to change the flow of control has not been demonstrated. The issue occurs in from_header in list.c via a V7 archive in which mtime has approximately 11 whitespace characters.

Remediation

Upgrade RHEL:8 tar to version 2:1.30-6.el8_7.1 or higher.
This issue was patched in RHSA-2023:0842.

References

medium severity

Out-of-bounds Write

  • Vulnerable module: glib2
  • Introduced through: glib2@2.56.4-156.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glib2@2.56.4-156.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glib2 package and not the glib2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in GLib. An integer overflow vulnerability in its Unicode case conversion implementation can lead to memory corruption. By processing specially crafted and extremely large Unicode strings, an attacker could trigger an undersized memory allocation, resulting in out-of-bounds writes. This could cause applications utilizing GLib for string conversion to crash or become unstable.

Remediation

There is no fixed version for RHEL:8 glib2.

References

medium severity

Incomplete Filtering of Special Elements

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().

Remediation

There is no fixed version for RHEL:8 platform-python.

References

medium severity

Incomplete Filtering of Special Elements

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().
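Rather than depending on which Morsel paths a particular Python build guards, a server can screen cookie names, values and attributes before they reach http.cookies and screen the serialized header lines once more on the way out. The helper below is an added example and not CPython's code; the cookie contents are constructed. CR and LF are the dangerous octets (they end the header and let a second header or a body be smuggled in); the remaining C0 controls and DEL are rejected because they are not valid cookie octets either.

```python
"""Input and output validation around http.cookies (added example; not
CPython's code).  Cookie names and values below are constructed."""
import re
from http.cookies import CookieError, SimpleCookie

# C0 control characters and DEL; CR/LF are the response-splitting cases.
_CTL = re.compile(r"[\x00-\x1f\x7f]")


def is_clean(text: str) -> bool:
    return _CTL.search(text) is None


def _require_clean(text: str, what: str) -> None:
    if not is_clean(text):
        raise CookieError(f"control character in cookie {what}: {text!r}")


def set_cookie_headers(cookies, **attrs) -> list:
    """Build one 'Set-Cookie:' header line per (name, value) pair.

    attrs are Morsel attribute keys such as path="/", httponly=True or
    samesite="Strict"; they are applied to every cookie in the call.
    """
    jar = SimpleCookie()
    for name, value in cookies:
        _require_clean(name, "name")
        _require_clean(value, "value")
        jar[name] = value
        for key, val in attrs.items():
            _require_clean(str(val), f"attribute {key}")
            jar[name][key] = val
    lines = jar.output(header="Set-Cookie:").split("\r\n")
    # Output-side check: whichever path populated the Morsels, no line may
    # carry a control character when it reaches the wire.
    for line in lines:
        _require_clean(line, "header line")
    return lines


def rejected(cookies, **attrs) -> bool:
    """True if set_cookie_headers refuses the input (exercises the checks)."""
    try:
        set_cookie_headers(cookies, **attrs)
    except CookieError:
        return True
    return False
```

The output-side pass is the part that survives an incomplete library fix: even if a value slipped into a Morsel through update(), |= or unpickling, the assembled header is still rejected before it is written.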

Remediation

There is no fixed version for RHEL:8 python3-libs.

References

medium severity

Small Space of Random Values

  • Vulnerable module: avahi-libs
  • Introduced through: avahi-libs@0.7-20.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 avahi-libs@0.7-20.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream avahi-libs package and not the avahi-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in the Avahi-daemon, where it initializes DNS transaction IDs randomly only once at startup, incrementing them sequentially after that. This predictable behavior facilitates DNS spoofing attacks, allowing attackers to guess transaction IDs.

Remediation

There is no fixed version for RHEL:8 avahi-libs.

References

medium severity

Use of Insufficiently Random Values

  • Vulnerable module: avahi-libs
  • Introduced through: avahi-libs@0.7-20.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 avahi-libs@0.7-20.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream avahi-libs package and not the avahi-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in Avahi-daemon, which relies on fixed source ports for wide-area DNS queries. This issue simplifies attacks where malicious DNS responses are injected.

Remediation

There is no fixed version for RHEL:8 avahi-libs.

References

medium severity

Buffer Overflow

  • Vulnerable module: cups-libs
  • Introduced through: cups-libs@1:2.2.6-40.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 cups-libs@1:2.2.6-40.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream cups-libs package and not the cups-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, there is a heap-based buffer overflow in the CUPS scheduler when building filter option strings from job attributes. At time of publication, there are no publicly available patches.

Remediation

There is no fixed version for RHEL:8 cups-libs.

References

medium severity

Cleartext Transmission of Sensitive Information

  • Vulnerable module: curl
  • Introduced through: curl@7.61.1-22.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 curl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A vulnerability exists where a connection requiring TLS incorrectly reuses an existing unencrypted connection from the same connection pool. If an initial transfer is made in clear text (via IMAP, SMTP, or POP3), a subsequent request to that same host bypasses the TLS requirement and instead transmits data unencrypted.

Remediation

There is no fixed version for RHEL:8 curl.

References

medium severity

Improper Enforcement of Message Integrity During Transmission in a Communication Channel

  • Vulnerable module: curl
  • Introduced through: curl@7.61.1-22.el8
  • Fixed in: 0:7.61.1-22.el8_6.4

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 curl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

When curl < 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client.

Remediation

Upgrade RHEL:8 curl to version 0:7.61.1-22.el8_6.4 or higher.
This issue was patched in RHSA-2022:6159.

References

medium severity

Information Exposure

  • Vulnerable module: curl
  • Introduced through: curl@7.61.1-22.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 curl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

curl might erroneously pass on credentials for a first proxy to a second proxy.

This can happen when the following conditions are true:

  1. curl is set up to use specific different proxies for different URL schemes
  2. the first proxy needs credentials
  3. the second proxy uses no credentials
  4. while using the first proxy (using, say, http://), curl is asked to follow a redirect to a URL using another scheme (say https://), accessed using a second, different proxy

Remediation

There is no fixed version for RHEL:8 curl.

References

medium severity
new

Information Exposure

  • Vulnerable module: curl
  • Introduced through: curl@7.61.1-22.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 curl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Successfully using libcurl to do a transfer over a specific HTTP proxy (proxyA) with Digest authentication and then changing the proxy host to a second one (proxyB) for a second transfer, reusing the same handle, makes libcurl wrongly pass on the Proxy-Authorization: header field meant for proxyA, to proxyB.

Remediation

There is no fixed version for RHEL:8 curl.

References

medium severity

Information Exposure

  • Vulnerable module: curl
  • Introduced through: curl@7.61.1-22.el8
  • Fixed in: 0:7.61.1-33.el8_9.5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 curl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains.

It could do this by exploiting a mixed case flaw in curl's function that verifies a given cookie domain against the Public Suffix List (PSL). For example a cookie could be set with domain=co.UK when the URL used a lower case hostname curl.co.uk, even though co.uk is listed as a PSL domain.

Remediation

Upgrade RHEL:8 curl to version 0:7.61.1-33.el8_9.5 or higher.
This issue was patched in RHSA-2024:1601.

References

medium severity

Out-of-bounds Read

  • Vulnerable module: curl
  • Introduced through: curl@7.61.1-22.el8
  • Fixed in: 0:7.61.1-34.el8_10.9

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 curl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

  1. A cookie is set using the secure keyword for https://target
  2. curl is redirected to or otherwise made to speak with http://target (same hostname, but using clear-text HTTP) using the same cookie set
  3. The same cookie name is set, but with just a slash as path (path="/",). Since this site is not secure, the cookie should just be ignored.
  4. A bug in the path comparison logic makes curl read outside a heap buffer boundary

The bug either causes a crash or it potentially makes the comparison come to the wrong conclusion and lets the clear-text site override the contents of the secure cookie, contrary to expectations and depending on the memory contents immediately following the single-byte allocation that holds the path.

The presumed and correct behavior would be to plainly ignore the second set of the cookie, since it was already set as secure on a secure host, so overriding it on an insecure host should not be okay.

Remediation

Upgrade RHEL:8 curl to version 0:7.61.1-34.el8_10.9 or higher.
This issue was patched in RHSA-2025:23383.

References

medium severity

CVE-2026-23865

  • Vulnerable module: freetype
  • Introduced through: freetype@2.9.1-4.el8_3.1

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 freetype@2.9.1-4.el8_3.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream freetype package and not the freetype package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An integer overflow in the tt_var_load_item_variation_store function of the FreeType library in versions 2.13.2 and 2.13.3 may allow for an out-of-bounds read operation when parsing HVAR/VVAR/MVAR tables in OpenType variable fonts. This issue is fixed in version 2.14.2.

Remediation

There is no fixed version for RHEL:8 freetype.

References

medium severity

Reachable Assertion

  • Vulnerable module: glibc
  • Introduced through: glibc@2.28-164.el8
  • Fixed in: 0:2.28-251.el8_10.37

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application.

This vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them.

Remediation

Upgrade RHEL:8 glibc to version 0:2.28-251.el8_10.37 or higher.
This issue was patched in RHSA-2026:20587.

References

medium severity

Use of Uninitialized Resource

  • Vulnerable module: glibc
  • Introduced through: glibc@2.28-164.el8
  • Fixed in: 0:2.28-251.el8_10.31

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.

Remediation

Upgrade RHEL:8 glibc to version 0:2.28-251.el8_10.31 or higher.
This issue was patched in RHSA-2026:4772.

References

medium severity

Reachable Assertion

  • Vulnerable module: glibc-common
  • Introduced through: glibc-common@2.28-164.el8
  • Fixed in: 0:2.28-251.el8_10.37

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-common@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-common package and not the glibc-common package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application.

This vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them.

Remediation

Upgrade RHEL:8 glibc-common to version 0:2.28-251.el8_10.37 or higher.
This issue was patched in RHSA-2026:20587.

References

medium severity

Use of Uninitialized Resource

  • Vulnerable module: glibc-common
  • Introduced through: glibc-common@2.28-164.el8
  • Fixed in: 0:2.28-251.el8_10.31

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-common@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-common package and not the glibc-common package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.

Remediation

Upgrade RHEL:8 glibc-common to version 0:2.28-251.el8_10.31 or higher.
This issue was patched in RHSA-2026:4772.

References

medium severity

Reachable Assertion

  • Vulnerable module: glibc-langpack-en
  • Introduced through: glibc-langpack-en@2.28-164.el8
  • Fixed in: 0:2.28-251.el8_10.37

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-langpack-en@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-langpack-en package and not the glibc-langpack-en package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application.

This vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them.

Remediation

Upgrade RHEL:8 glibc-langpack-en to version 0:2.28-251.el8_10.37 or higher.
This issue was patched in RHSA-2026:20587.

References

medium severity

Use of Uninitialized Resource

  • Vulnerable module: glibc-langpack-en
  • Introduced through: glibc-langpack-en@2.28-164.el8
  • Fixed in: 0:2.28-251.el8_10.31

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-langpack-en@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-langpack-en package and not the glibc-langpack-en package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.

Remediation

Upgrade RHEL:8 glibc-langpack-en to version 0:2.28-251.el8_10.31 or higher.
This issue was patched in RHSA-2026:4772.

References

medium severity

Reachable Assertion

  • Vulnerable module: glibc-minimal-langpack
  • Introduced through: glibc-minimal-langpack@2.28-164.el8
  • Fixed in: 0:2.28-251.el8_10.37

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-minimal-langpack@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-minimal-langpack package and not the glibc-minimal-langpack package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application.

This vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them.

Remediation

Upgrade RHEL:8 glibc-minimal-langpack to version 0:2.28-251.el8_10.37 or higher.
This issue was patched in RHSA-2026:20587.

References

medium severity

Use of Uninitialized Resource

  • Vulnerable module: glibc-minimal-langpack
  • Introduced through: glibc-minimal-langpack@2.28-164.el8
  • Fixed in: 0:2.28-251.el8_10.31

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-minimal-langpack@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-minimal-langpack package and not the glibc-minimal-langpack package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.

Remediation

Upgrade RHEL:8 glibc-minimal-langpack to version 0:2.28-251.el8_10.31 or higher.
This issue was patched in RHSA-2026:4772.

References

medium severity

Algorithmic Complexity

  • Vulnerable module: gnutls
  • Introduced through: gnutls@3.6.16-4.el8
  • Fixed in: 0:3.6.16-8.el8_10.5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 gnutls@3.6.16-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls package and not the gnutls package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in GnuTLS. This vulnerability allows a denial of service (DoS) by excessive CPU (Central Processing Unit) and memory consumption via specially crafted malicious certificates containing a large number of name constraints and subject alternative names (SANs).

Remediation

Upgrade RHEL:8 gnutls to version 0:3.6.16-8.el8_10.5 or higher.
This issue was patched in RHSA-2026:5585.

References

medium severity

Algorithmic Complexity

  • Vulnerable module: gnutls
  • Introduced through: gnutls@3.6.16-4.el8
  • Fixed in: 0:3.6.16-8.el8_10.3

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 gnutls@3.6.16-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls package and not the gnutls package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in GnuTLS, which relies on libtasn1 for ASN.1 data processing. Due to an inefficient algorithm in libtasn1, decoding certain DER-encoded certificate data can take excessive time, leading to increased resource consumption. This flaw allows a remote attacker to send a specially crafted certificate, causing GnuTLS to become unresponsive or slow, resulting in a denial-of-service condition.

Remediation

Upgrade RHEL:8 gnutls to version 0:3.6.16-8.el8_10.3 or higher.
This issue was patched in RHSA-2025:4051.

References

medium severity

Use of a Broken or Risky Cryptographic Algorithm

  • Vulnerable module: gnutls
  • Introduced through: gnutls@3.6.16-4.el8
  • Fixed in: 0:3.6.16-8.el8_9.3

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 gnutls@3.6.16-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls package and not the gnutls package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in GnuTLS. The Minerva attack is a cryptographic vulnerability that exploits deterministic behavior in systems like GnuTLS, leading to side-channel leaks. In specific scenarios, such as when using the GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE flag, it can result in a noticeable step in nonce size from 513 to 512 bits, exposing a potential timing side-channel.

Remediation

Upgrade RHEL:8 gnutls to version 0:3.6.16-8.el8_9.3 or higher.
This issue was patched in RHSA-2024:1784.

References

medium severity

NULL Pointer Dereference

  • Vulnerable module: harfbuzz
  • Introduced through: harfbuzz@1.7.5-3.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 harfbuzz@1.7.5-3.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream harfbuzz package and not the harfbuzz package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

HarfBuzz is a text shaping engine. Prior to version 12.3.0, a null pointer dereference vulnerability exists in the SubtableUnicodesCache::create function located in src/hb-ot-cmap-table.hh. The function fails to check if hb_malloc returns NULL before using placement new to construct an object at the returned pointer address. When hb_malloc fails to allocate memory (which can occur in low-memory conditions or when using custom allocators that simulate allocation failures), it returns NULL. The code then attempts to call the constructor on this null pointer using placement new syntax, resulting in undefined behavior and a Segmentation Fault. This issue has been patched in version 12.3.0.

Remediation

There is no fixed version for RHEL:8 harfbuzz.

References

medium severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.14.0.9-2.el8_5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). Supported versions that are affected are Oracle Java SE: 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.14.0.9-2.el8_5 or higher.
This issue was patched in RHSA-2022:0185.

References

medium severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.14.0.9-2.el8_5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.14.0.9-2.el8_5 or higher.
This issue was patched in RHSA-2022:0185.

References

medium severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.14.0.9-2.el8_5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.14.0.9-2.el8_5 or higher.
This issue was patched in RHSA-2022:0185.

References

medium severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.14.0.9-2.el8_5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.14.0.9-2.el8_5 or higher.
This issue was patched in RHSA-2022:0185.

References

medium severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.14.0.9-2.el8_5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.14.0.9-2.el8_5 or higher.
This issue was patched in RHSA-2022:0185.

References

medium severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.14.0.9-2.el8_5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). Supported versions that are affected are Oracle Java SE: 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.14.0.9-2.el8_5 or higher.
This issue was patched in RHSA-2022:0185.

References

medium severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.17.0.8-2.el8_6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Lightweight HTTP Server). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.17.0.8-2.el8_6 or higher.
This issue was patched in RHSA-2022:7012.

References

medium severity

Buffer Overflow

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.17.0.8-2.el8_6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JGSS). Supported versions that are affected are Oracle Java SE: 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 21.3.3 and 22.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via Kerberos to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.17.0.8-2.el8_6 or higher.
This issue was patched in RHSA-2022:7012.

References

medium severity

Deserialization of Untrusted Data

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.14.0.9-2.el8_5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.14.0.9-2.el8_5 or higher.
This issue was patched in RHSA-2022:0185.

References

medium severity

Deserialization of Untrusted Data

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.14.0.9-2.el8_5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.14.0.9-2.el8_5 or higher.
This issue was patched in RHSA-2022:0185.

References

medium severity

Improper Certificate Validation

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.21.0.9-2.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u381, 8u381-perf, 11.0.20, 17.0.8, 21; Oracle GraalVM for JDK: 17.0.8, 21; Oracle GraalVM Enterprise Edition: 20.3.11, 21.3.7 and 22.3.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.21.0.9-2.el8 or higher.
This issue was patched in RHSA-2023:5742.

References

medium severity

Improper Cross-boundary Removal of Sensitive Data

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.14.0.9-2.el8_5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.14.0.9-2.el8_5 or higher.
This issue was patched in RHSA-2022:0185.

References

medium severity

Integer Overflow or Wraparound

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.14.0.9-2.el8_5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.14.0.9-2.el8_5 or higher.
This issue was patched in RHSA-2022:0185.

References

medium severity

Loop with Unreachable Exit Condition ('Infinite Loop')

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.14.0.9-2.el8_5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.14.0.9-2.el8_5 or higher.
This issue was patched in RHSA-2022:0185.

References

medium severity

Out-of-bounds Write

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.14.0.9-2.el8_5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.14.0.9-2.el8_5 or higher.
This issue was patched in RHSA-2022:0185.

References

medium severity

Resource Exhaustion

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.17.0.8-2.el8_6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.17.0.8-2.el8_6 or higher.
This issue was patched in RHSA-2022:7012.

References

medium severity

Resource Exhaustion

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.18.0.10-2.el8_7

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 11.0.17, 17.0.5, 19.0.1; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and 22.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via DTLS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.18.0.10-2.el8_7 or higher.
This issue was patched in RHSA-2023:0200.

References

medium severity

Uncaught Exception

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.14.0.9-2.el8_5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.14.0.9-2.el8_5 or higher.
This issue was patched in RHSA-2022:0185.

References

medium severity

XML External Entity (XXE) Injection

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.14.0.9-2.el8_5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.14.0.9-2.el8_5 or higher.
This issue was patched in RHSA-2022:0185.

References

medium severity

Cleartext Transmission of Sensitive Information

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.61.1-22.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libcurl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A vulnerability exists where a connection requiring TLS incorrectly reuses an existing unencrypted connection from the same connection pool. If an initial transfer is made in clear-text (via IMAP, SMTP, or POP3), a subsequent request to that same host bypasses the TLS requirement and instead transmits data unencrypted.

Remediation

There is no fixed version for RHEL:8 libcurl.

References

medium severity

Improper Enforcement of Message Integrity During Transmission in a Communication Channel

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.61.1-22.el8
  • Fixed in: 0:7.61.1-22.el8_6.4

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libcurl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

When curl < 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client.

Remediation

Upgrade RHEL:8 libcurl to version 0:7.61.1-22.el8_6.4 or higher.
This issue was patched in RHSA-2022:6159.

References

medium severity

Information Exposure

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.61.1-22.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libcurl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

curl might erroneously pass on credentials for a first proxy to a second proxy.

This can happen when the following conditions are true:

  1. curl is set up to use specific different proxies for different URL schemes
  2. the first proxy needs credentials
  3. the second proxy uses no credentials
  4. while using the first proxy (using say http://), curl is asked to follow a redirect to a URL using another scheme (say https://), accessed using a second, different, proxy

Remediation

There is no fixed version for RHEL:8 libcurl.

References

medium severity
new

Information Exposure

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.61.1-22.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libcurl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Successfully using libcurl to do a transfer over a specific HTTP proxy (proxyA) with Digest authentication and then changing the proxy host to a second one (proxyB) for a second transfer, reusing the same handle, makes libcurl wrongly pass on the Proxy-Authorization: header field meant for proxyA, to proxyB.

Remediation

There is no fixed version for RHEL:8 libcurl.

References

medium severity

Information Exposure

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.61.1-22.el8
  • Fixed in: 0:7.61.1-33.el8_9.5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libcurl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains.

It could do this by exploiting a mixed case flaw in curl's function that verifies a given cookie domain against the Public Suffix List (PSL). For example a cookie could be set with domain=co.UK when the URL used a lower case hostname curl.co.uk, even though co.uk is listed as a PSL domain.

Remediation

Upgrade RHEL:8 libcurl to version 0:7.61.1-33.el8_9.5 or higher.
This issue was patched in RHSA-2024:1601.

References

medium severity

Out-of-bounds Read

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.61.1-22.el8
  • Fixed in: 0:7.61.1-34.el8_10.9

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libcurl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

  1. A cookie is set using the secure keyword for https://target
  2. curl is redirected to or otherwise made to speak with http://target (same hostname, but using clear text HTTP) using the same cookie set
  3. The same cookie name is set - but with just a slash as path (path="/"). Since this site is not secure, the cookie should just be ignored.
  4. A bug in the path comparison logic makes curl read outside a heap buffer boundary

The bug either causes a crash or it potentially makes the comparison come to the wrong conclusion and lets the clear-text site override the contents of the secure cookie, contrary to expectations and depending on the memory contents immediately following the single-byte allocation that holds the path.

The presumed and correct behavior would be to plainly ignore the second set of the cookie since it was already set as secure on a secure host so overriding it on an insecure host should not be okay.

Remediation

Upgrade RHEL:8 libcurl to version 0:7.61.1-34.el8_10.9 or higher.
This issue was patched in RHSA-2025:23383.

References

medium severity

Detection of Error Condition Without Action

  • Vulnerable module: libnghttp2
  • Introduced through: libnghttp2@1.33.0-3.el8_2.1
  • Fixed in: 0:1.33.0-6.el8_10.1

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libnghttp2@1.33.0-3.el8_2.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libnghttp2 package and not the libnghttp2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability.

Remediation

Upgrade RHEL:8 libnghttp2 to version 0:1.33.0-6.el8_10.1 or higher.
This issue was patched in RHSA-2024:4252.

References

medium severity

Out-of-bounds Read

  • Vulnerable module: libssh
  • Introduced through: libssh@0.9.4-3.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libssh@0.9.4-3.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh package and not the libssh package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A weakness has been identified in libssh up to 0.11.3. The impacted element is the function sftp_extensions_get_name/sftp_extensions_get_data of the file src/sftp.c of the component SFTP Extension Name Handler. Executing a manipulation of the argument idx can lead to out-of-bounds read. The attack may be performed from remote. Upgrading to version 0.11.4 and 0.12.0 is sufficient to resolve this issue. This patch is called 855a0853ad3abd4a6cd85ce06fce6d8d4c7a0b60. You should upgrade the affected component.

Remediation

There is no fixed version for RHEL:8 libssh.

References

medium severity

Out-of-bounds Read

  • Vulnerable module: libssh-config
  • Introduced through: libssh-config@0.9.4-3.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libssh-config@0.9.4-3.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh-config package and not the libssh-config package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A weakness has been identified in libssh up to 0.11.3. The impacted element is the function sftp_extensions_get_name/sftp_extensions_get_data of the file src/sftp.c of the component SFTP Extension Name Handler. Executing a manipulation of the argument idx can lead to out-of-bounds read. The attack may be performed from remote. Upgrading to version 0.11.4 and 0.12.0 is sufficient to resolve this issue. This patch is called 855a0853ad3abd4a6cd85ce06fce6d8d4c7a0b60. You should upgrade the affected component.

Remediation

There is no fixed version for RHEL:8 libssh-config.

References

medium severity

Algorithmic Complexity

  • Vulnerable module: libtasn1
  • Introduced through: libtasn1@4.13-3.el8
  • Fixed in: 0:4.13-5.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libtasn1@4.13-3.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libtasn1 package and not the libtasn1 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw in libtasn1 causes inefficient handling of specific certificate data. When processing a large number of elements in a certificate, libtasn1 takes much longer than expected, which can slow down or even crash the system. This flaw allows an attacker to send a specially crafted certificate, causing a denial of service attack.

Remediation

Upgrade RHEL:8 libtasn1 to version 0:4.13-5.el8_10 or higher.
This issue was patched in RHSA-2025:4049.

References

medium severity

Improper Certificate Validation

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The function X509_VERIFY_PARAM_add0_policy() is documented to implicitly enable the certificate policy check when doing certificate verification. However the implementation of the function does not enable the check which allows certificates with invalid or incorrect policies to pass the certificate verification.

As suddenly enabling the policy check could break existing deployments it was decided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy() function.

Instead the applications that require OpenSSL to perform certificate policy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly enable the policy check by calling X509_VERIFY_PARAM_set_flags() with the X509_V_FLAG_POLICY_CHECK flag argument.

Certificate policy checks are disabled by default in OpenSSL and are not commonly used by applications.

Remediation

There is no fixed version for RHEL:8 openssl.

References

medium severity

Missing Required Cryptographic Step

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.1.1k-4.el8
  • Fixed in: 1:1.1.1k-7.el8_6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).

Remediation

Upgrade RHEL:8 openssl to version 1:1.1.1k-7.el8_6 or higher.
This issue was patched in RHSA-2022:5818.

References

medium severity

Improper Certificate Validation

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl-libs@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The function X509_VERIFY_PARAM_add0_policy() is documented to implicitly enable the certificate policy check when doing certificate verification. However the implementation of the function does not enable the check which allows certificates with invalid or incorrect policies to pass the certificate verification.

As suddenly enabling the policy check could break existing deployments it was decided to keep the existing behavior of the X509_VERIFY_PARAM_add0_policy() function.

Instead the applications that require OpenSSL to perform certificate policy check need to use X509_VERIFY_PARAM_set1_policies() or explicitly enable the policy check by calling X509_VERIFY_PARAM_set_flags() with the X509_V_FLAG_POLICY_CHECK flag argument.

Certificate policy checks are disabled by default in OpenSSL and are not commonly used by applications.

Remediation

There is no fixed version for RHEL:8 openssl-libs.

References

medium severity

Missing Required Cryptographic Step

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.1.1k-4.el8
  • Fixed in: 1:1.1.1k-7.el8_6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl-libs@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. Fixed in OpenSSL 3.0.5 (Affected 3.0.0-3.0.4). Fixed in OpenSSL 1.1.1q (Affected 1.1.1-1.1.1p).

Remediation

Upgrade RHEL:8 openssl-libs to version 1:1.1.1k-7.el8_6 or higher.
This issue was patched in RHSA-2022:5818.

References

medium severity

Arbitrary Code Injection

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8
  • Fixed in: 0:3.6.8-47.el8_6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows characters like '\r' and '\n' in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection attacks. This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14.

Remediation

Upgrade RHEL:8 platform-python to version 0:3.6.8-47.el8_6 or higher.
This issue was patched in RHSA-2022:6457.

References

medium severity

Improper Input Validation

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module the characters "+/" will always be accepted, regardless of the value of "altchars" parameter, typically used to establish an "alternative base64 alphabet" such as the URL safe alphabet. This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior has the possibility of causing data integrity issues.

This behavior can only be insecure if your application uses an alternate base64 alphabet (without "+/"). If your application does not use the "altchars" parameter or the urlsafe_b64decode() function, then your application does not use an alternative base64 alphabet.

The attached patch DOES NOT make the base64-decode behavior raise an error, as this would be a change in behavior and break existing programs. Instead, the patch deprecates the behavior, which will be replaced with the newly recommended behavior in a future version of Python. Users are recommended to mitigate by verifying that user-controlled inputs match the base64 alphabet they are expecting, or by verifying that their application would not be affected if the b64decode() functions accepted "+" or "/" outside of altchars.

Remediation

There is no fixed version for RHEL:8 platform-python.

References

medium severity

Improper Input Validation

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8
  • Fixed in: 0:3.6.8-56.el8_9.3

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.

Remediation

Upgrade RHEL:8 platform-python to version 0:3.6.8-56.el8_9.3 or higher.
This issue was patched in RHSA-2024:0256.

References

medium severity
new

Insufficient Entropy

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

xml.parsers.expat and xml.etree.ElementTree use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.

Fully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch.

Remediation

There is no fixed version for RHEL:8 platform-python.

References

medium severity
new

Unchecked Input for Loop Condition

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.

Remediation

There is no fixed version for RHEL:8 platform-python.

References

medium severity

Unchecked Return Value

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8
  • Fixed in: 0:3.6.8-45.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.

Remediation

Upgrade RHEL:8 platform-python to version 0:3.6.8-45.el8 or higher.
This issue was patched in RHSA-2022:1986.

References

medium severity

Open Redirect

  • Vulnerable module: platform-python-pip
  • Introduced through: platform-python-pip@9.0.3-20.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python-pip@9.0.3-20.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python-pip package and not the platform-python-pip package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disables redirects. By default, requests and botocore users are not affected. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects at the PoolManager level will remain vulnerable. This issue has been patched in version 2.5.0.

Remediation

There is no fixed version for RHEL:8 platform-python-pip.

References

medium severity

Open Redirect

  • Vulnerable module: platform-python-pip
  • Introduced through: platform-python-pip@9.0.3-20.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python-pip@9.0.3-20.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python-pip package and not the platform-python-pip package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpRequest. This means Python libraries can be used to make HTTP requests from a browser or Node.js. Additionally, urllib3 provides a mechanism to control redirects, but the retries and redirect parameters are ignored with Pyodide; the runtime itself determines redirect behavior. This issue has been patched in version 2.5.0.

Remediation

There is no fixed version for RHEL:8 platform-python-pip.

References

medium severity

Arbitrary Code Injection

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8
  • Fixed in: 0:3.6.8-47.el8_6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows characters like '\r' and '\n' in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection attacks. This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14.

Remediation

Upgrade RHEL:8 python3-libs to version 0:3.6.8-47.el8_6 or higher.
This issue was patched in RHSA-2022:6457.

References

medium severity

Improper Input Validation

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module the characters "+/" will always be accepted, regardless of the value of "altchars" parameter, typically used to establish an "alternative base64 alphabet" such as the URL safe alphabet. This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior has the possibility of causing data integrity issues.

This behavior can only be insecure if your application uses an alternate base64 alphabet (without "+/"). If your application does not use the "altchars" parameter or the urlsafe_b64decode() function, then your application does not use an alternative base64 alphabet.

The attached patch DOES NOT make the base64-decode behavior raise an error, as this would be a change in behavior and break existing programs. Instead, the patch deprecates the behavior, which will be replaced with the newly recommended behavior in a future version of Python. Users are recommended to mitigate by verifying that user-controlled inputs match the base64 alphabet they are expecting, or by verifying that their application would not be affected if the b64decode() functions accepted "+" or "/" outside of altchars.

Remediation

There is no fixed version for RHEL:8 python3-libs.

References

medium severity

Improper Input Validation

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8
  • Fixed in: 0:3.6.8-56.el8_9.3

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.

Remediation

Upgrade RHEL:8 python3-libs to version 0:3.6.8-56.el8_9.3 or higher.
This issue was patched in RHSA-2024:0256.

References

medium severity
new

Insufficient Entropy

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

xml.parsers.expat and xml.etree.ElementTree use insufficient entropy for Expat hash-flooding protection, which allows a crafted XML document to trigger hash flooding.

Fully mitigating this vulnerability requires both updating libexpat to 2.8.0 or later and applying this patch.

Remediation

There is no fixed version for RHEL:8 python3-libs.

References

medium severity
new

Unchecked Input for Loop Condition

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

unicodedata.normalize() can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms.

Remediation

There is no fixed version for RHEL:8 python3-libs.

References

medium severity

Unchecked Return Value

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8
  • Fixed in: 0:3.6.8-45.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in Python, specifically in the FTP (File Transfer Protocol) client library in PASV (passive) mode. The issue is how the FTP client trusts the host from the PASV response by default. This flaw allows an attacker to set up a malicious FTP server that can trick FTP clients into connecting back to a given IP address and port. This vulnerability could lead to FTP client scanning ports, which otherwise would not have been possible.

Remediation

Upgrade RHEL:8 python3-libs to version 0:3.6.8-45.el8 or higher.
This issue was patched in RHSA-2022:1986.

References

medium severity

Open Redirect

  • Vulnerable module: python3-pip-wheel
  • Introduced through: python3-pip-wheel@9.0.3-20.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-pip-wheel@9.0.3-20.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-pip-wheel package and not the python3-pip-wheel package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disables redirects. By default, requests and botocore users are not affected. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects at the PoolManager level will remain vulnerable. This issue has been patched in version 2.5.0.

Remediation

There is no fixed version for RHEL:8 python3-pip-wheel.

References

medium severity

Open Redirect

  • Vulnerable module: python3-pip-wheel
  • Introduced through: python3-pip-wheel@9.0.3-20.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-pip-wheel@9.0.3-20.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-pip-wheel package and not the python3-pip-wheel package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpRequest. This means Python libraries can be used to make HTTP requests from a browser or Node.js. Additionally, urllib3 provides a mechanism to control redirects, but the retries and redirect parameters are ignored with Pyodide; the runtime itself determines redirect behavior. This issue has been patched in version 2.5.0.

Remediation

There is no fixed version for RHEL:8 python3-pip-wheel.

References

medium severity

Incorrect Calculation of Buffer Size

  • Vulnerable module: xz-libs
  • Introduced through: xz-libs@5.2.4-3.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 xz-libs@5.2.4-3.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream xz-libs package and not the xz-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

XZ Utils provides a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. This issue has been patched in version 5.8.3.

Remediation

There is no fixed version for RHEL:8 xz-libs.

References

medium severity

External Control of File Name or Path

  • Vulnerable module: cups-libs
  • Introduced through: cups-libs@1:2.2.6-40.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 cups-libs@1:2.2.6-40.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream cups-libs package and not the cups-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, a local unprivileged user can coerce cupsd into authenticating to an attacker-controlled localhost IPP service with a reusable Authorization: Local ... token. That token is enough to drive /admin/ requests on localhost, and the attacker can combine CUPS-Create-Local-Printer with printer-is-shared=true to persist a file:///... queue even though the normal FileDevice policy rejects such URIs. Printing to that queue gives an arbitrary root file overwrite; the PoC below uses that primitive to drop a sudoers fragment and demonstrate root command execution. At time of publication, there are no publicly available patches.

Remediation

There is no fixed version for RHEL:8 cups-libs.

References

medium severity

Unrestricted Externally Accessible Lock

  • Vulnerable module: cups-libs
  • Introduced through: cups-libs@1:2.2.6-40.el8
  • Fixed in: 1:2.2.6-66.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 cups-libs@1:2.2.6-40.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream cups-libs package and not the cups-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. Prior to version 2.4.15, a client that connects to cupsd but sends slow messages, e.g. only one byte per second, delays cupsd as a whole, such that it becomes unusable by other clients. This issue has been patched in version 2.4.15.

Remediation

Upgrade RHEL:8 cups-libs to version 1:2.2.6-66.el8_10 or higher.
This issue was patched in RHSA-2026:0596.

References

medium severity

NULL Pointer Dereference

  • Vulnerable module: expat
  • Introduced through: expat@2.2.5-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 expat@2.2.5-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

libexpat before 2.7.5 allows a NULL pointer dereference in the function setContext on retry after an earlier out-of-memory condition.

Remediation

There is no fixed version for RHEL:8 expat.

References

medium severity

Small Space of Random Values

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.20.0.8-2.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK executes to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.20.0.8-2.el8 or higher.
This issue was patched in RHSA-2023:4175.

References

medium severity

Use After Free

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

There is an issue in CPython when using bytes.decode("unicode_escape", error="ignore|replace"). If you are not using the "unicode_escape" encoding or an error handler your usage is not affected. To work around this issue you may stop using the error= handler and instead wrap the bytes.decode() call in a try-except catching the DecodeError.

Remediation

There is no fixed version for RHEL:8 platform-python.

References

medium severity

Use After Free

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

There is an issue in CPython when using bytes.decode("unicode_escape", error="ignore|replace"). If you are not using the "unicode_escape" encoding or an error handler your usage is not affected. To work around this issue you may stop using the error= handler and instead wrap the bytes.decode() call in a try-except catching the DecodeError.

Remediation

There is no fixed version for RHEL:8 python3-libs.

References

medium severity
new

Off-by-one Error

  • Vulnerable module: bzip2-libs
  • Introduced through: bzip2-libs@1.0.6-26.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 bzip2-libs@1.0.6-26.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream bzip2-libs package and not the bzip2-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

bzip2 contains an off-by-one error in the bzip2recover utility. When processing a specially crafted file, the application performs an out-of-bounds write to a global buffer, resulting in memory corruption and a crash (denial of service).

This issue was fixed in bzip2 patch 35d122a3df8b0cc4082a4d89fdc6ee99f375fe67.

Remediation

There is no fixed version for RHEL:8 bzip2-libs.

References

medium severity

Insufficiently Protected Credentials

  • Vulnerable module: curl
  • Introduced through: curl@7.61.1-22.el8
  • Fixed in: 0:7.61.1-22.el8_6.3

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 curl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An insufficiently protected credentials vulnerability exists in curl 4.9 up to and including curl 7.82.0. When following HTTP(S) redirects is used together with authentication, credentials could leak to other services that exist on different protocols or port numbers, allowing an attacker to extract them.

Remediation

Upgrade RHEL:8 curl to version 0:7.61.1-22.el8_6.3 or higher.
This issue was patched in RHSA-2022:5313.

References

medium severity

Incorrect Calculation of Buffer Size

  • Vulnerable module: glibc
  • Introduced through: glibc@2.28-164.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow.

Remediation

There is no fixed version for RHEL:8 glibc.

References

medium severity

Out-of-bounds Read

  • Vulnerable module: glibc
  • Introduced through: glibc@2.28-164.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte character encodings, in the GNU C Library version 2.43 or earlier, may result in an attempt to read bytes before an allocated buffer, potentially resulting in unintentional disclosure of neighboring data in the heap, or a program crash.

A bug in the wide character pushback implementation (_IO_wdefault_pbackfail in libio/wgenops.c) causes ungetwc() to operate on the regular character buffer (fp->_IO_read_ptr) instead of the actual wide-stream read pointer (fp->_wide_data->_IO_read_ptr). The program crash may happen in cases where fp->_IO_read_ptr is not initialized and hence points to NULL. The buffer under-read requires a special situation where the input character encoding is such that there are overlaps between single byte representations and multibyte representations in that encoding, resulting in spurious matches. The spurious match case is not possible in the standard Unicode character sets.

Remediation

There is no fixed version for RHEL:8 glibc.

References

medium severity

Incorrect Calculation of Buffer Size

  • Vulnerable module: glibc-common
  • Introduced through: glibc-common@2.28-164.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-common@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-common package and not the glibc-common package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow.

Remediation

There is no fixed version for RHEL:8 glibc-common.

References

medium severity

Out-of-bounds Read

  • Vulnerable module: glibc-common
  • Introduced through: glibc-common@2.28-164.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-common@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-common package and not the glibc-common package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte character encodings, in the GNU C Library version 2.43 or earlier, may result in an attempt to read bytes before an allocated buffer, potentially resulting in unintentional disclosure of neighboring data in the heap, or a program crash.

A bug in the wide character pushback implementation (_IO_wdefault_pbackfail in libio/wgenops.c) causes ungetwc() to operate on the regular character buffer (fp->_IO_read_ptr) instead of the actual wide-stream read pointer (fp->_wide_data->_IO_read_ptr). The program crash may happen in cases where fp->_IO_read_ptr is not initialized and hence points to NULL. The buffer under-read requires a special situation where the input character encoding is such that there are overlaps between single byte representations and multibyte representations in that encoding, resulting in spurious matches. The spurious match case is not possible in the standard Unicode character sets.

Remediation

There is no fixed version for RHEL:8 glibc-common.

References

medium severity

Incorrect Calculation of Buffer Size

  • Vulnerable module: glibc-langpack-en
  • Introduced through: glibc-langpack-en@2.28-164.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-langpack-en@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-langpack-en package and not the glibc-langpack-en package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow.

Remediation

There is no fixed version for RHEL:8 glibc-langpack-en.

References

medium severity

Out-of-bounds Read

  • Vulnerable module: glibc-langpack-en
  • Introduced through: glibc-langpack-en@2.28-164.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-langpack-en@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-langpack-en package and not the glibc-langpack-en package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte character encodings, in the GNU C Library version 2.43 or earlier, may result in an attempt to read bytes before an allocated buffer, potentially resulting in unintentional disclosure of neighboring data in the heap, or a program crash.

A bug in the wide character pushback implementation (_IO_wdefault_pbackfail in libio/wgenops.c) causes ungetwc() to operate on the regular character buffer (fp->_IO_read_ptr) instead of the actual wide-stream read pointer (fp->_wide_data->_IO_read_ptr). The program crash may happen in cases where fp->_IO_read_ptr is not initialized and hence points to NULL. The buffer under-read requires a special situation where the input character encoding is such that there are overlaps between single byte representations and multibyte representations in that encoding, resulting in spurious matches. The spurious match case is not possible in the standard Unicode character sets.

Remediation

There is no fixed version for RHEL:8 glibc-langpack-en.

References

medium severity

Incorrect Calculation of Buffer Size

  • Vulnerable module: glibc-minimal-langpack
  • Introduced through: glibc-minimal-langpack@2.28-164.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-minimal-langpack@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-minimal-langpack package and not the glibc-minimal-langpack package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow.

Remediation

There is no fixed version for RHEL:8 glibc-minimal-langpack.

References

medium severity

Out-of-bounds Read

  • Vulnerable module: glibc-minimal-langpack
  • Introduced through: glibc-minimal-langpack@2.28-164.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-minimal-langpack@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-minimal-langpack package and not the glibc-minimal-langpack package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte character encodings, in the GNU C Library version 2.43 or earlier, may result in an attempt to read bytes before an allocated buffer, potentially resulting in unintentional disclosure of neighboring data in the heap, or a program crash.

A bug in the wide character pushback implementation (_IO_wdefault_pbackfail in libio/wgenops.c) causes ungetwc() to operate on the regular character buffer (fp->_IO_read_ptr) instead of the actual wide-stream read pointer (fp->_wide_data->_IO_read_ptr). The program crash may happen in cases where fp->_IO_read_ptr is not initialized and hence points to NULL. The buffer under-read requires a special situation where the input character encoding is such that there are overlaps between single byte representations and multibyte representations in that encoding, resulting in spurious matches. The spurious match case is not possible in the standard Unicode character sets.

Remediation

There is no fixed version for RHEL:8 glibc-minimal-langpack.

References

medium severity
new

Integer Underflow

  • Vulnerable module: krb5-libs
  • Introduced through: krb5-libs@1.18.2-14.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 krb5-libs@1.18.2-14.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5-libs package and not the krb5-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An integer underflow vulnerability was found in MIT krb5 in the berval2tl_data() function in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c. The function performs an unsigned subtraction (bv_len - 2) without a prior bounds check. When bv_len is 0 or 1, the subtraction wraps to a large value which is then truncated to uint16_t, yielding 0xFFFE (65534) or 0xFFFF (65535). The subsequent malloc succeeds and memcpy reads up to 65534 bytes from a 0-1 byte buffer, resulting in a heap out-of-bounds read. The attack vector involves a malicious or compromised LDAP KDB backend returning a krbExtraData attribute with bv_len < 2, triggering the underflow when the KDC or kadmind reads principal data.

Remediation

There is no fixed version for RHEL:8 krb5-libs.

References

medium severity

Insufficiently Protected Credentials

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.61.1-22.el8
  • Fixed in: 0:7.61.1-22.el8_6.3

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libcurl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An insufficiently protected credentials vulnerability exists in curl 4.9 up to and including curl 7.82.0. When following HTTP(S) redirects is used together with authentication, credentials could leak to other services that exist on different protocols or port numbers, allowing an attacker to extract them.

Remediation

Upgrade RHEL:8 libcurl to version 0:7.61.1-22.el8_6.3 or higher.
This issue was patched in RHSA-2022:5313.

References

medium severity

Buffer Overflow

  • Vulnerable module: libpng
  • Introduced through: libpng@2:1.6.34-5.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libpng@2:1.6.34-5.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libpng package and not the libpng package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Buffer Overflow vulnerability in libpng 1.6.43-1.6.46 allows a local attacker to cause a denial of service via png_create_read_struct() function.

Remediation

There is no fixed version for RHEL:8 libpng.

References

medium severity

Directory Traversal

  • Vulnerable module: libssh
  • Introduced through: libssh@0.9.4-3.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libssh@0.9.4-3.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh package and not the libssh package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A malicious SCP server can send unexpected paths that could make the client application override local files outside of working directory. This could be misused to create malicious executable or configuration files and make the user execute them under specific consequences.

This is the same issue as in OpenSSH, tracked as CVE-2019-6111.

Remediation

There is no fixed version for RHEL:8 libssh.

References

medium severity

Incorrect Calculation

  • Vulnerable module: libssh
  • Introduced through: libssh@0.9.4-3.el8
  • Fixed in: 0:0.9.6-16.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libssh@0.9.4-3.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh package and not the libssh package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in libssh versions built with OpenSSL versions older than 3.0, specifically in the ssh_kdf() function responsible for key derivation. Due to an inconsistent interpretation of return values (OpenSSL uses 0 to indicate failure, while libssh uses 0 for success), the function may mistakenly return a success status even when key derivation fails. This results in uninitialized cryptographic key buffers being used in subsequent communication, potentially compromising SSH sessions' confidentiality, integrity, and availability.

Remediation

Upgrade RHEL:8 libssh to version 0:0.9.6-16.el8_10 or higher.
This issue was patched in RHSA-2025:21977.

References

medium severity

Directory Traversal

  • Vulnerable module: libssh-config
  • Introduced through: libssh-config@0.9.4-3.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libssh-config@0.9.4-3.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh-config package and not the libssh-config package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A malicious SCP server can send unexpected paths that could make the client application override local files outside of working directory. This could be misused to create malicious executable or configuration files and make the user execute them under specific consequences.

This is the same issue as in OpenSSH, tracked as CVE-2019-6111.

Remediation

There is no fixed version for RHEL:8 libssh-config.

References

medium severity

Incorrect Calculation

  • Vulnerable module: libssh-config
  • Introduced through: libssh-config@0.9.4-3.el8
  • Fixed in: 0:0.9.6-16.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libssh-config@0.9.4-3.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh-config package and not the libssh-config package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in libssh versions built with OpenSSL versions older than 3.0, specifically in the ssh_kdf() function responsible for key derivation. Due to an inconsistent interpretation of return values (OpenSSL uses 0 to indicate failure, while libssh uses 0 for success), the function may mistakenly return a success status even when key derivation fails. This results in uninitialized cryptographic key buffers being used in subsequent communication, potentially compromising SSH sessions' confidentiality, integrity, and availability.

Remediation

Upgrade RHEL:8 libssh-config to version 0:0.9.6-16.el8_10 or higher.
This issue was patched in RHSA-2025:21977.

References

medium severity

Unrestricted Upload of File with Dangerous Type

  • Vulnerable module: tar
  • Introduced through: tar@2:1.30-5.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 tar@2:1.30-5.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream tar package and not the tar package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in tar. A remote attacker could exploit this vulnerability by crafting a malicious archive, leading to hidden file injection with fully attacker-controlled content. This bypasses pre-extraction inspection mechanisms, potentially allowing an attacker to introduce malicious files onto a system without detection.

Remediation

There is no fixed version for RHEL:8 tar.

References

medium severity
new

Improper Update of Reference Count

  • Vulnerable module: expat
  • Introduced through: expat@2.2.5-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 expat@2.2.5-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_GetBuffer, XML_Parse, XML_ParseBuffer, XML_ParserFree, or XML_ParserReset from within handlers in cases of a policy violation. Thus, a use-after-free can occur,

Remediation

There is no fixed version for RHEL:8 expat.

References

medium severity

Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element

  • Vulnerable module: curl
  • Introduced through: curl@7.61.1-22.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 curl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers.

Disabling certificate verification for a specific transfer could unintentionally disable the feature for other threads as well.

Remediation

There is no fixed version for RHEL:8 curl.

References

medium severity

Buffer Underflow

  • Vulnerable module: glib2
  • Introduced through: glib2@2.56.4-156.el8
  • Fixed in: 0:2.56.4-166.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glib2@2.56.4-156.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glib2 package and not the glib2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in GLib, which is vulnerable to an integer overflow in the g_string_insert_unichar() function. When the position at which to insert the character is large, the position will overflow, leading to a buffer underwrite.

Remediation

Upgrade RHEL:8 glib2 to version 0:2.56.4-166.el8_10 or higher.
This issue was patched in RHSA-2025:11327.

References

medium severity

Buffer Overflow

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in Oracle Java SE (component: Compiler). Supported versions that are affected are Oracle Java SE: 21.0.6, 24; Oracle GraalVM for JDK: 21.0.6 and 24. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE accessible data as well as unauthorized read access to a subset of Oracle Java SE accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

Remediation

There is no fixed version for RHEL:8 java-11-openjdk-headless.

References

medium severity

Signed to Unsigned Conversion Error

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.25.0.9-2.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15 and 21.3.11. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.25.0.9-2.el8 or higher.
This issue was patched in RHSA-2024:8121.

References

medium severity

Signed to Unsigned Conversion Error

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u431-perf, 11.0.25, 17.0.13, 21.0.5, 23.0.1; Oracle GraalVM for JDK: 17.0.13, 21.0.5, 23.0.1; Oracle GraalVM Enterprise Edition: 20.3.16 and 21.3.12. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

Remediation

There is no fixed version for RHEL:8 java-11-openjdk-headless.

References

medium severity

Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.61.1-22.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libcurl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

When doing multi-threaded LDAPS transfers (LDAP over TLS) with libcurl, changing TLS options in one thread would inadvertently change them globally and therefore possibly also affect other concurrently setup transfers.

Disabling certificate verification for a specific transfer could unintentionally disable the feature for other threads as well.

Remediation

There is no fixed version for RHEL:8 libcurl.

References

medium severity

Improper Authentication

  • Vulnerable module: libssh
  • Introduced through: libssh@0.9.4-3.el8
  • Fixed in: 0:0.9.6-10.el8_8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libssh@0.9.4-3.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh package and not the libssh package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A vulnerability was found in libssh, where the authentication check of the connecting client can be bypassed in the pki_verify_data_signature function under memory allocation problems. This issue may happen if there is insufficient memory or the memory usage is limited. The problem is caused by the return value rc, which is initialized to SSH_ERROR and later rewritten to save the return value of the function call pki_key_check_hash_compatible. The value of the variable is not changed between this point and the cryptographic verification. Therefore any error between them calls goto error returning SSH_OK.

Remediation

Upgrade RHEL:8 libssh to version 0:0.9.6-10.el8_8 or higher.
This issue was patched in RHSA-2023:3839.

References

medium severity

Improper Authentication

  • Vulnerable module: libssh-config
  • Introduced through: libssh-config@0.9.4-3.el8
  • Fixed in: 0:0.9.6-10.el8_8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libssh-config@0.9.4-3.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh-config package and not the libssh-config package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A vulnerability was found in libssh, where the authentication check of the connecting client can be bypassed in the pki_verify_data_signature function under memory allocation problems. This issue may happen if there is insufficient memory or the memory usage is limited. The problem is caused by the return value rc, which is initialized to SSH_ERROR and later rewritten to save the return value of the function call pki_key_check_hash_compatible. The value of the variable is not changed between this point and the cryptographic verification. Therefore any error between them calls goto error returning SSH_OK.

Remediation

Upgrade RHEL:8 libssh-config to version 0:0.9.6-10.el8_8 or higher.
This issue was patched in RHSA-2023:3839.

References

medium severity

CRLF Injection

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.

Remediation

There is no fixed version for RHEL:8 platform-python.

References

medium severity

CRLF Injection

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.

Remediation

There is no fixed version for RHEL:8 platform-python.

References

medium severity

CRLF Injection

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.

Remediation

There is no fixed version for RHEL:8 python3-libs.

References

medium severity

CRLF Injection

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. The patch rejects all control characters within cookie names, values, and parameters.

Remediation

There is no fixed version for RHEL:8 python3-libs.

References

medium severity

Time-of-check Time-of-use (TOCTOU)

  • Vulnerable module: libblkid
  • Introduced through: libblkid@2.32.1-28.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libblkid@2.32.1-28.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libblkid package and not the libblkid package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4.

The flaw itself is in the setuid /usr/bin/mount binary; libblkid (and the libmount, libsmartcols and libuuid entries that follow) is flagged because it is built from the same util-linux source package. Both preconditions named above are unusual inside a container image such as this one: there is normally no /etc/fstab entry with user,loop options and no unprivileged interactive user, so confirm them before treating the finding as exploitable.

Remediation

There is no fixed version for RHEL:8 libblkid.

References

medium severity

Time-of-check Time-of-use (TOCTOU)

  • Vulnerable module: libmount
  • Introduced through: libmount@2.32.1-28.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libmount@2.32.1-28.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libmount package and not the libmount package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4.

Remediation

There is no fixed version for RHEL:8 libmount.

References

medium severity

Time-of-check Time-of-use (TOCTOU)

  • Vulnerable module: libsmartcols
  • Introduced through: libsmartcols@2.32.1-28.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libsmartcols@2.32.1-28.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libsmartcols package and not the libsmartcols package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4.

Remediation

There is no fixed version for RHEL:8 libsmartcols.

References

medium severity

NULL Pointer Dereference

  • Vulnerable module: libssh
  • Introduced through: libssh@0.9.4-3.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libssh@0.9.4-3.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh package and not the libssh package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in libssh, a library that implements the SSH protocol. When calculating the session ID during the key exchange (KEX) process, an allocation failure in cryptographic functions may lead to a NULL pointer dereference. This issue can cause the client or server to crash.

Remediation

There is no fixed version for RHEL:8 libssh.

References

medium severity

NULL Pointer Dereference

  • Vulnerable module: libssh-config
  • Introduced through: libssh-config@0.9.4-3.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libssh-config@0.9.4-3.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh-config package and not the libssh-config package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in libssh, a library that implements the SSH protocol. When calculating the session ID during the key exchange (KEX) process, an allocation failure in cryptographic functions may lead to a NULL pointer dereference. This issue can cause the client or server to crash.

Remediation

There is no fixed version for RHEL:8 libssh-config.

References

medium severity

Time-of-check Time-of-use (TOCTOU)

  • Vulnerable module: libuuid
  • Introduced through: libuuid@2.32.1-28.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libuuid@2.32.1-28.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libuuid package and not the libuuid package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

util-linux is a random collection of Linux utilities. Prior to version 2.41.4, a TOCTOU (Time-of-Check-Time-of-Use) vulnerability has been identified in the SUID binary /usr/bin/mount from util-linux. The mount binary, when setting up loop devices, validates the source file path with user privileges via fork() + setuid() + realpath(), but subsequently re-canonicalizes and opens it with root privileges (euid=0) without verifying that the path has not been replaced between both operations. Neither O_NOFOLLOW, nor inode comparison, nor post-open fstat() are employed. This allows a local unprivileged user to replace the source file with a symlink pointing to any root-owned file or device during the race window, causing the SUID binary to open and mount it as root. Exploitation requires an /etc/fstab entry with user,loop options whose path points to a directory where the attacker has write permission, and that /usr/bin/mount has the SUID bit set (the default configuration on virtually all Linux distributions). The impact is unauthorized read access to root-protected files and block devices, including backup images, disk volumes, and any file containing a valid filesystem. This issue has been patched in version 2.41.4.

Remediation

There is no fixed version for RHEL:8 libuuid.

References
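The four util-linux entries above (libblkid, libmount, libsmartcols, libuuid) all describe the same race in the setuid mount binary, and the advisory text names two preconditions: a setuid /usr/bin/mount and an /etc/fstab entry carrying both the user (or users) and loop options. The script below is an added triage example, not util-linux code or part of this report: it parses an fstab, picks out the user/users+loop entries, and checks the setuid bit from a stat mode. SAMPLE_FSTAB is constructed for the example; run as a script it reads the real /etc/fstab and /usr/bin/mount instead.

```python
"""Precondition check for the util-linux mount TOCTOU described above.
Added example, not util-linux code. SAMPLE_FSTAB is constructed."""
import os
import stat

SAMPLE_FSTAB = """\
# constructed sample, not a real host's fstab
UUID=0a1b2c3d-0000-4000-8000-000000000001 /        xfs     defaults          0 0
/srv/shared/backup.img                    /mnt/bak ext4    user,loop,noauto  0 0
/var/lib/images/tools.iso                 /mnt/iso iso9660 ro,loop,noauto    0 0
tmpfs                                     /tmp     tmpfs   defaults          0 0
"""


def parse_fstab(text: str):
    """Return (source, mountpoint, fstype, option-set) for each non-comment line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue
        entries.append((fields[0], fields[1], fields[2], set(fields[3].split(","))))
    return entries


def user_loop_entries(text: str):
    """Entries an unprivileged user may mount (user/users) through a loop device."""
    return [e for e in parse_fstab(text)
            if e[3] & {"user", "users"} and "loop" in e[3]]


def mode_is_suid(mode: int) -> bool:
    """True if a st_mode value carries the setuid bit."""
    return bool(mode & stat.S_ISUID)


def dir_writable_by_others(path: str) -> bool:
    """True if the directory holding the loop source is group- or world-writable,
    i.e. a place where an attacker could swap the file for a symlink."""
    try:
        m = os.stat(os.path.dirname(path) or "/").st_mode
    except FileNotFoundError:
        return False
    return bool(m & (stat.S_IWGRP | stat.S_IWOTH))


def assess(fstab_text: str, mount_mode: int):
    """Sources of fstab entries that satisfy the advisory's preconditions.
    Without a setuid mount binary the race cannot cross a privilege boundary,
    so nothing is reported in that case."""
    if not mode_is_suid(mount_mode):
        return []
    return [src for src, *_ in user_loop_entries(fstab_text)]


if __name__ == "__main__":
    try:
        mount_mode = os.stat("/usr/bin/mount").st_mode
        with open("/etc/fstab") as f:
            fstab = f.read()
    except OSError as exc:
        raise SystemExit(f"not a host with mount/fstab: {exc}")
    for src in assess(fstab, mount_mode):
        print(f"{src}: user,loop entry; parent directory writable by others: "
              f"{dir_writable_by_others(src)}")
```

On the constructed sample only /srv/shared/backup.img qualifies: the ISO entry has loop but no user option, and the rest have neither. If the host's mount binary is not setuid (or is not present at all, as in many minimal images), the finding cannot be exploited as described regardless of what fstab says.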

medium severity

Creation of Temporary File in Directory with Incorrect Permissions

  • Vulnerable module: platform-python-pip
  • Introduced through: platform-python-pip@9.0.3-20.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python-pip@9.0.3-20.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python-pip package and not the platform-python-pip package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Requests is an HTTP library. Prior to version 2.33.0, the requests.utils.extract_zipped_paths() utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. Standard usage of the Requests library is not affected by this vulnerability. Only applications that call extract_zipped_paths() directly are impacted. Starting in version 2.33.0, the library extracts files to a non-deterministic location. If developers are unable to upgrade, they can set TMPDIR in their environment to a directory with restricted write access.

A Requests flaw is attributed to the pip packages here because pip ships its own vendored copy of Requests (pip/_vendor/requests); the pip command itself does not call extract_zipped_paths(), so the exposure is limited to code that imports that vendored copy and calls the function directly.

Remediation

There is no fixed version for RHEL:8 platform-python-pip.

References

medium severity

Creation of Temporary File in Directory with Incorrect Permissions

  • Vulnerable module: python3-pip-wheel
  • Introduced through: python3-pip-wheel@9.0.3-20.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-pip-wheel@9.0.3-20.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-pip-wheel package and not the python3-pip-wheel package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Requests is an HTTP library. Prior to version 2.33.0, the requests.utils.extract_zipped_paths() utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. Standard usage of the Requests library is not affected by this vulnerability. Only applications that call extract_zipped_paths() directly are impacted. Starting in version 2.33.0, the library extracts files to a non-deterministic location. If developers are unable to upgrade, they can set TMPDIR in their environment to a directory with restricted write access.

Remediation

There is no fixed version for RHEL:8 python3-pip-wheel.

References
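The two pip entries above describe the same defect in miniature: a fixed filename under a shared temporary directory, and a file that is already there being trusted instead of replaced. The example below is added here and is not Requests' or pip's code; it models the vulnerable extractor beside a hardened one that writes into a fresh 0700 directory with O_EXCL, so there is nothing for a local attacker to pre-create. The archive, member name (cacert.pem) and "shared" directory are all constructed inside the example.

```python
"""Predictable temp-file reuse, vulnerable pattern beside the hardened one.
Added example, not Requests' extract_zipped_paths(); all inputs are constructed."""
import io
import os
import tempfile
import zipfile


def build_zip(member: str, content: bytes) -> bytes:
    """Constructed sample archive holding a single member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, content)
    return buf.getvalue()


def extract_predictable(zip_bytes: bytes, member: str, tmpdir: str) -> str:
    """Vulnerable pattern: a name anyone can guess inside a shared directory,
    and an existing file is reused without checking who created it."""
    target = os.path.join(tmpdir, os.path.basename(member))
    if os.path.exists(target):          # an attacker's pre-created file wins here
        return target
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf, open(target, "wb") as f:
        f.write(zf.read(member))
    return target


def extract_private(zip_bytes: bytes, member: str) -> str:
    """Hardened pattern: a freshly created private directory (mkdtemp gives 0700)
    and O_EXCL so the open fails rather than reusing a file that already exists."""
    outdir = tempfile.mkdtemp(prefix="extract-")
    target = os.path.join(outdir, os.path.basename(member))
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf, os.fdopen(fd, "wb") as f:
        f.write(zf.read(member))
    return target


def demo():
    """Return (what the vulnerable extractor loads, what the hardened one loads)."""
    legit = build_zip("cacert.pem", b"-----BEGIN CERTIFICATE-----\nlegit\n")
    shared = tempfile.mkdtemp(prefix="shared-tmp-")      # stands in for /tmp
    # Local attacker with write access to the shared directory plants the name first.
    with open(os.path.join(shared, "cacert.pem"), "wb") as f:
        f.write(b"-----BEGIN CERTIFICATE-----\nattacker\n")
    with open(extract_predictable(legit, "cacert.pem", shared), "rb") as f:
        vulnerable = f.read()
    with open(extract_private(legit, "cacert.pem"), "rb") as f:
        hardened = f.read()
    return vulnerable, hardened


if __name__ == "__main__":
    v, h = demo()
    print("vulnerable loaded:", v.splitlines()[-1])
    print("hardened loaded:  ", h.splitlines()[-1])
```

The TMPDIR workaround quoted in the description works on the same principle: mkdtemp honours TMPDIR, so pointing it at a directory only the service account can write to removes the attacker's ability to plant the file, even for code that still uses the predictable name.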

medium severity

Race Condition

  • Vulnerable module: systemd-libs
  • Introduced through: systemd-libs@239-51.el8_5.3

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 systemd-libs@239-51.el8_5.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd-libs package and not the systemd-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A vulnerability was found in systemd-coredump. This flaw allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original's privileged process coredump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process.

A SUID binary or process has a special type of permission, which allows the process to run with the file owner's permissions, regardless of the user executing the binary. This allows the process to access more restricted data than unprivileged users or processes would be able to. An attacker can leverage this flaw by forcing a SUID process to crash and force the Linux kernel to recycle the process PID before systemd-coredump can analyze the /proc/pid/auxv file. If the attacker wins the race condition, they gain access to the original's SUID process coredump file. They can read sensitive content loaded into memory by the original binary, affecting data confidentiality.

Remediation

There is no fixed version for RHEL:8 systemd-libs.

References

medium severity

Time-of-check Time-of-use (TOCTOU)

  • Vulnerable module: tar
  • Introduced through: tar@2:1.30-5.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 tar@2:1.30-5.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream tar package and not the tar package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

node-tar is a Tar for Node.js. In 7.5.1, using .t (aka .list) with { sync: true } to read tar entry contents returns uninitialized memory contents if tar file was changed on disk to a smaller size while being read. This vulnerability is fixed in 7.5.2.

This description is for node-tar, the Tar implementation for Node.js, and has no bearing on GNU tar, which is what the RHEL tar package contains; the match rests on the package name alone. Verify against the underlying CVE before spending remediation effort on it.

Remediation

There is no fixed version for RHEL:8 tar.

References

medium severity

Arbitrary Code Injection

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8
  • Fixed in: 0:3.6.8-73.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

User-controlled header names and values containing newlines can allow injecting HTTP headers.

Remediation

Upgrade RHEL:8 platform-python to version 0:3.6.8-73.el8_10 or higher.
This issue was patched in RHSA-2026:2128.

References

medium severity

CRLF Injection

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.

Remediation

There is no fixed version for RHEL:8 platform-python.

References

medium severity

Improper Neutralization

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.

Remediation

There is no fixed version for RHEL:8 platform-python.

References

medium severity

Arbitrary Code Injection

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8
  • Fixed in: 0:3.6.8-73.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

User-controlled header names and values containing newlines can allow injecting HTTP headers.

Remediation

Upgrade RHEL:8 python3-libs to version 0:3.6.8-73.el8_10 or higher.
This issue was patched in RHSA-2026:2128.

References

medium severity

CRLF Injection

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.

Remediation

There is no fixed version for RHEL:8 python3-libs.

References

medium severity

Improper Neutralization

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.

Remediation

There is no fixed version for RHEL:8 python3-libs.

References
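The platform-python and python3-libs entries above (urllib.request.DataHandler mediatype, http.cookies.Morsel values, http.client header names and values, proxy tunnel target and Host) are one weakness seen from four call sites: a CR/LF in a value that is interpolated into the wire format splits a single header line into two. The example below is added here and is not CPython's code; it models the vulnerable serialiser beside the hardened one, which applies the rule the fixes adopt (refuse every ASCII control character, not just CR and LF), and parses the result back the way a receiver would so the injected header is visible. EVIL_VALUE is a constructed attacker input.

```python
"""CR/LF header injection: vulnerable and hardened serialisers side by side.
Added example, not CPython's http.client/http.cookies/urllib code."""
import re

# ASCII control bytes 0x00-0x1F and 0x7F. CR and LF split a header line; the rest
# are refused as well, matching the all-control-characters rule of the fixes
# (this is stricter than the HTTP field-value grammar, which permits HTAB).
_CTL = re.compile(r"[\x00-\x1f\x7f]")


def has_control_chars(s: str) -> bool:
    return _CTL.search(s) is not None


def serialize_headers(headers, strict: bool) -> str:
    """Render (name, value) pairs as an HTTP header block.
    strict=False is the vulnerable pattern: values go onto the wire unchecked.
    strict=True is the hardened pattern: any control character is an error."""
    lines = []
    for name, value in headers:
        if strict and (has_control_chars(name) or has_control_chars(value)):
            raise ValueError(f"control character in header {name!r}")
        lines.append(f"{name}: {value}\r\n")
    return "".join(lines)


def parse_header_block(block: str):
    """Split a header block into (name, value) pairs the way a receiver does."""
    pairs = []
    for line in block.split("\r\n"):
        if line:
            name, _, value = line.partition(":")
            pairs.append((name.strip(), value.strip()))
    return pairs


def set_cookie_header(name: str, value: str, strict: bool) -> str:
    """Set-Cookie built from a cookie name and value (the http.cookies.Morsel case)."""
    return serialize_headers([("Set-Cookie", f"{name}={value}")], strict)


def connect_request(host: str, port: int, strict: bool) -> str:
    """CONNECT request for an HTTP proxy tunnel (the tunnel target / Host case)."""
    target = f"{host}:{port}"
    if strict and has_control_chars(target):
        raise ValueError("control character in tunnel target")
    return f"CONNECT {target} HTTP/1.1\r\n" + serialize_headers([("Host", target)], strict)


def data_url_headers(url: str, strict: bool) -> str:
    """Headers a DataHandler-style loader derives from a data: URL's mediatype."""
    if not url.startswith("data:"):
        raise ValueError("not a data: URL")
    mediatype, _, payload = url[5:].partition(",")
    return serialize_headers(
        [("Content-type", mediatype or "text/plain;charset=US-ASCII"),
         ("Content-length", str(len(payload)))], strict)


def rejects(fn, *args) -> bool:
    """True if fn(*args) refuses its input with ValueError."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


# Constructed attacker input: a cookie value that smuggles a second header.
EVIL_VALUE = "abc\r\nX-Injected: 1"


def demo():
    """(headers the receiver sees from the vulnerable path, whether strict refused it)"""
    injected = parse_header_block(set_cookie_header("session", EVIL_VALUE, strict=False))
    return injected, rejects(set_cookie_header, "session", EVIL_VALUE, True)


if __name__ == "__main__":
    print(demo())
```

Rejecting is the right response, not stripping: silently deleting the CR/LF would turn "abc\r\nX-Injected: 1" into a cookie value the application never intended to set, and an error surfaces the tainted input to the caller instead.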

medium severity

Stack-based Buffer Overflow

  • Vulnerable module: coreutils-single
  • Introduced through: coreutils-single@8.30-12.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 coreutils-single@8.30-12.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream coreutils-single package and not the coreutils-single package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in GNU Coreutils. The sort utility's begfield() function is vulnerable to a heap buffer under-read. The program may access memory outside the allocated buffer if a user runs a crafted command using the traditional key format. A malicious input could lead to a crash or leak sensitive data.

The weakness class in the heading (stack-based buffer overflow) does not match the description, which is a heap buffer under-read in sort's key-field parsing; the description is the more specific of the two. Triggering it requires control over sort's own command-line key argument, so the vector is local and, in a Keycloak image, of limited value.

Remediation

There is no fixed version for RHEL:8 coreutils-single.

References

medium severity

Insecure Inherited Permissions

  • Vulnerable module: cups-libs
  • Introduced through: cups-libs@1:2.2.6-40.el8
  • Fixed in: 1:2.2.6-60.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 cups-libs@1:2.2.6-40.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream cups-libs package and not the cups-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.8 and earlier, when starting the cupsd server with a Listen configuration item pointing to a symbolic link, the cupsd process can be caused to perform an arbitrary chmod of the provided argument, providing world-writable access to the target. Given that cupsd is often running as root, this can result in the change of permission of any user or system files to be world writable. Given the aforementioned Ubuntu AppArmor context, on such systems this vulnerability is limited to those files modifiable by the cupsd process. In that specific case it was found to be possible to turn the configuration of the Listen argument into full control over the cupsd.conf and cups-files.conf configuration files. By later setting the User and Group arguments in cups-files.conf, and printing with a printer configured by PPD with a FoomaticRIPCommandLine argument, arbitrary user and group (not root) command execution could be achieved, which can further be used on Ubuntu systems to achieve full root command execution. Commit ff1f8a623e090dee8a8aadf12a6a4b25efac143d contains a patch for the issue.

Remediation

Upgrade RHEL:8 cups-libs to version 1:2.2.6-60.el8_10 or higher.
This issue was patched in RHSA-2024:4265.

References

medium severity

Out-of-bounds Read

  • Vulnerable module: file-libs
  • Introduced through: file-libs@5.33-20.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 file-libs@5.33-20.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream file-libs package and not the file-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

do_core_note in readelf.c in libmagic.a in file 5.35 has a stack-based buffer over-read, related to file_printable, a different vulnerability than CVE-2018-10360.

Remediation

There is no fixed version for RHEL:8 file-libs.

References

medium severity

Expired Pointer Dereference

  • Vulnerable module: libpng
  • Introduced through: libpng@2:1.6.34-5.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libpng@2:1.6.34-5.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libpng package and not the libpng package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From 1.0.9 to before 1.6.57, passing a pointer obtained from png_get_PLTE, png_get_tRNS, or png_get_hIST back into the corresponding setter on the same png_struct/png_info pair causes the setter to read from freed memory and copy its contents into the replacement buffer. The setter frees the internal buffer before copying from the caller-supplied pointer, which now dangles. The freed region may contain stale data (producing silently corrupted chunk metadata) or data from subsequent heap allocations (leaking unrelated heap contents into the chunk struct). This vulnerability is fixed in 1.6.57.

Remediation

There is no fixed version for RHEL:8 libpng.

References

medium severity

Out-of-bounds Read

  • Vulnerable module: libpng
  • Introduced through: libpng@2:1.6.34-5.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libpng@2:1.6.34-5.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libpng package and not the libpng package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to version 1.6.51, a heap buffer over-read vulnerability exists in libpng's png_do_quantize function when processing PNG files with malformed palette indices. The vulnerability occurs when palette_lookup array bounds are not validated against externally-supplied image data, allowing an attacker to craft a PNG file with out-of-range palette indices that trigger out-of-bounds memory access. This issue has been patched in version 1.6.51.

Remediation

There is no fixed version for RHEL:8 libpng.

References

medium severity

Improper Verification of Cryptographic Signature

  • Vulnerable module: rpm
  • Introduced through: rpm@4.14.3-19.el8
  • Fixed in: 0:4.14.3-19.el8_5.2

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 rpm@4.14.3-19.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream rpm package and not the rpm package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

There is a flaw in RPM's signature functionality. OpenPGP subkeys are associated with a primary key via a "binding signature." RPM does not check the binding signature of subkeys prior to importing them. If an attacker is able to add or socially engineer another party to add a malicious subkey to a legitimate public key, RPM could wrongly trust a malicious signature. The greatest impact of this flaw is to data integrity. To exploit this flaw, an attacker must either compromise an RPM repository or convince an administrator to install an untrusted RPM or public key. It is strongly recommended to only use RPMs and public keys from trusted sources.

Remediation

Upgrade RHEL:8 rpm to version 0:4.14.3-19.el8_5.2 or higher.
This issue was patched in RHSA-2022:0368.

References

medium severity

Improper Verification of Cryptographic Signature

  • Vulnerable module: rpm-libs
  • Introduced through: rpm-libs@4.14.3-19.el8
  • Fixed in: 0:4.14.3-19.el8_5.2

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 rpm-libs@4.14.3-19.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream rpm-libs package and not the rpm-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

There is a flaw in RPM's signature functionality. OpenPGP subkeys are associated with a primary key via a "binding signature." RPM does not check the binding signature of subkeys prior to importing them. If an attacker is able to add or socially engineer another party to add a malicious subkey to a legitimate public key, RPM could wrongly trust a malicious signature. The greatest impact of this flaw is to data integrity. To exploit this flaw, an attacker must either compromise an RPM repository or convince an administrator to install an untrusted RPM or public key. It is strongly recommended to only use RPMs and public keys from trusted sources.

Remediation

Upgrade RHEL:8 rpm-libs to version 0:4.14.3-19.el8_5.2 or higher.
This issue was patched in RHSA-2022:0368.

References
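Every Remediation line in this report reads "upgrade to version X or higher", where X is an epoch:version-release string and "higher" means the ordering rpm applies, not a lexical comparison (73.el8_10 is newer than 41.el8, 19.el8_5.2 is newer than 19.el8, and a non-zero epoch outranks any version). The script below is an added example, not rpm's code: it ports rpm's segment-wise version comparison (rpmvercmp, with tilde ordering; the newer caret operator is left out) and checks installed versions from this report against their "Fixed in" values. The FINDINGS pairs are taken from the entries on this page; the epoch and tilde cases in the usage note are constructed.

```python
"""Is an installed RPM at or above an advisory's "Fixed in" version?
Added example, not rpm's code. Ports rpmvercmp (tilde supported, caret not)."""


def _isdigit(c: str) -> bool:
    return "0" <= c <= "9"


def _isalpha(c: str) -> bool:
    return "a" <= c <= "z" or "A" <= c <= "Z"


def rpmvercmp(a: str, b: str) -> int:
    """rpm's version/release ordering: -1 if a < b, 0 if equal, 1 if a > b."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # separators (anything not alphanumeric or '~') are skipped
        while i < len(a) and not (_isdigit(a[i]) or _isalpha(a[i]) or a[i] == "~"):
            i += 1
        while j < len(b) and not (_isdigit(b[j]) or _isalpha(b[j]) or b[j] == "~"):
            j += 1
        # '~' sorts before everything, including end of string (1.0~rc1 < 1.0)
        if (i < len(a) and a[i] == "~") or (j < len(b) and b[j] == "~"):
            if i >= len(a) or a[i] != "~":
                return 1
            if j >= len(b) or b[j] != "~":
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # take a run of digits from both sides, or a run of letters from both
        numeric = _isdigit(a[i])
        same = _isdigit if numeric else _isalpha
        si = i
        while i < len(a) and same(a[i]):
            i += 1
        sj = j
        while j < len(b) and same(b[j]):
            j += 1
        seg_a, seg_b = a[si:i], b[sj:j]
        if not seg_b:                       # segment types differ: numbers beat letters
            return 1 if numeric else -1
        if numeric:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):    # the longer number is the larger one
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1         # whichever side has text left is newer


def parse_evr(s: str):
    """'[epoch:]version-release' -> (int epoch, version, release).
    A missing epoch, or rpm's '(none)', means epoch 0."""
    epoch, sep, rest = s.partition(":")
    if not sep:
        epoch, rest = "0", s
    if epoch == "(none)":
        epoch = "0"
    version, _, release = rest.partition("-")
    return int(epoch), version, release


def evr_cmp(installed: str, fixed: str) -> int:
    """Compare epoch first, then version, then release, as rpm does."""
    e1, v1, r1 = parse_evr(installed)
    e2, v2, r2 = parse_evr(fixed)
    if e1 != e2:
        return 1 if e1 > e2 else -1
    return rpmvercmp(v1, v2) or rpmvercmp(r1, r2)


def is_remediated(installed: str, fixed: str) -> bool:
    return evr_cmp(installed, fixed) >= 0


FINDINGS = [  # (package, introduced through, fixed in) as listed in this report
    ("platform-python", "3.6.8-41.el8", "0:3.6.8-73.el8_10"),
    ("rpm", "4.14.3-19.el8", "0:4.14.3-19.el8_5.2"),
    ("cups-libs", "1:2.2.6-40.el8", "1:2.2.6-60.el8_10"),
    ("libssh", "0.9.4-3.el8", "0:0.9.6-10.el8_8"),
    ("nss", "3.67.0-7.el8_5", "0:3.90.0-6.el8_9"),
]


def triage(findings=FINDINGS):
    """Package -> True if the installed EVR already satisfies the fix."""
    return {pkg: is_remediated(inst, fixed) for pkg, inst, fixed in findings}


if __name__ == "__main__":
    for pkg, ok in triage().items():
        print(f"{pkg:16s} {'fixed' if ok else 'vulnerable'}")
```

To check a running container rather than the report's numbers, feed it the output of rpm -q --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n' PACKAGE; the "(none)" epoch rpm prints for most packages is handled by parse_evr. A rebuilt image on a newer base will usually carry a release like 19.el8_10.x rather than the exact value named in the advisory, which is why the ordering, and not string equality, is what decides.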

medium severity

Link Following

  • Vulnerable module: tar
  • Introduced through: tar@2:1.30-5.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 tar@2:1.30-5.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream tar package and not the tar package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

tar-rs is a tar archive reading/writing library for Rust. In versions 0.4.44 and below, when unpacking a tar archive, the tar crate's unpack_dir function uses fs::metadata() to check whether a path that already exists is a directory. Because fs::metadata() follows symbolic links, a crafted tarball containing a symlink entry followed by a directory entry with the same name causes the crate to treat the symlink target as a valid existing directory — and subsequently apply chmod to it. This allows an attacker to modify the permissions of arbitrary directories outside the extraction root. This issue has been fixed in version 0.4.45.

This description is for tar-rs, the Rust tar crate, not GNU tar as shipped in the RHEL tar package; as with the node-tar entry above, the association rests on the package name. Confirm against the underlying CVE before treating it as a GNU tar issue.

Remediation

There is no fixed version for RHEL:8 tar.

References

medium severity

Out-of-bounds Write

  • Vulnerable module: alsa-lib
  • Introduced through: alsa-lib@1.2.5-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 alsa-lib@1.2.5-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream alsa-lib package and not the alsa-lib package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

alsa-lib versions 1.2.2 up to and including 1.2.15.2, prior to commit 5f7fe33, contain a heap-based buffer overflow in the topology mixer control decoder. The tplg_decode_control_mixer1() function reads the num_channels field from untrusted .tplg data and uses it as a loop bound without validating it against the fixed-size channel array (SND_TPLG_MAX_CHAN). A crafted topology file with an excessive num_channels value can cause out-of-bounds heap writes, leading to a crash.

Remediation

There is no fixed version for RHEL:8 alsa-lib.

References

medium severity

Insufficiently Protected Credentials

  • Vulnerable module: curl
  • Introduced through: curl@7.61.1-22.el8
  • Fixed in: 0:7.61.1-22.el8_6.3

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 curl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An insufficiently protected credentials vulnerability, fixed in curl 7.83.0, might leak authentication or cookie header data on HTTP redirects to the same host but another port number.

Remediation

Upgrade RHEL:8 curl to version 0:7.61.1-22.el8_6.3 or higher.
This issue was patched in RHSA-2022:5313.

References

medium severity

Insufficiently Protected Credentials

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.61.1-22.el8
  • Fixed in: 0:7.61.1-22.el8_6.3

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libcurl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An insufficiently protected credentials vulnerability, fixed in curl 7.83.0, might leak authentication or cookie header data on HTTP redirects to the same host but another port number.

Remediation

Upgrade RHEL:8 libcurl to version 0:7.61.1-22.el8_6.3 or higher.
This issue was patched in RHSA-2022:5313.

References

medium severity

NULL Pointer Dereference

  • Vulnerable module: libssh
  • Introduced through: libssh@0.9.4-3.el8
  • Fixed in: 0:0.9.6-10.el8_8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libssh@0.9.4-3.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh package and not the libssh package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A NULL pointer dereference was found in libssh during re-keying with algorithm guessing. This issue may allow an authenticated client to cause a denial of service.

Remediation

Upgrade RHEL:8 libssh to version 0:0.9.6-10.el8_8 or higher.
This issue was patched in RHSA-2023:3839.

References

medium severity

NULL Pointer Dereference

  • Vulnerable module: libssh-config
  • Introduced through: libssh-config@0.9.4-3.el8
  • Fixed in: 0:0.9.6-10.el8_8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libssh-config@0.9.4-3.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh-config package and not the libssh-config package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A NULL pointer dereference was found in libssh during re-keying with algorithm guessing. This issue may allow an authenticated client to cause a denial of service.

Remediation

Upgrade RHEL:8 libssh-config to version 0:0.9.6-10.el8_8 or higher.
This issue was patched in RHSA-2023:3839.

References

medium severity

Information Exposure

  • Vulnerable module: nss
  • Introduced through: nss@3.67.0-7.el8_5
  • Fixed in: 0:3.90.0-6.el8_9

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 nss@3.67.0-7.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream nss package and not the nss package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Multiple NSS NIST curves were susceptible to a side-channel attack known as "Minerva". This attack could potentially allow an attacker to recover the private key. This vulnerability affects Firefox < 121.

Remediation

Upgrade RHEL:8 nss to version 0:3.90.0-6.el8_9 or higher.
This issue was patched in RHSA-2024:0786.

References

medium severity

Information Exposure

  • Vulnerable module: nss-softokn
  • Introduced through: nss-softokn@3.67.0-7.el8_5
  • Fixed in: 0:3.90.0-6.el8_9

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 nss-softokn@3.67.0-7.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream nss-softokn package and not the nss-softokn package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Multiple NSS NIST curves were susceptible to a side-channel attack known as "Minerva". This attack could potentially allow an attacker to recover the private key. This vulnerability affects Firefox < 121.

Remediation

Upgrade RHEL:8 nss-softokn to version 0:3.90.0-6.el8_9 or higher.
This issue was patched in RHSA-2024:0786.

References

medium severity

Information Exposure

  • Vulnerable module: nss-softokn-freebl
  • Introduced through: nss-softokn-freebl@3.67.0-7.el8_5
  • Fixed in: 0:3.90.0-6.el8_9

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 nss-softokn-freebl@3.67.0-7.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream nss-softokn-freebl package and not the nss-softokn-freebl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Multiple NSS NIST curves were susceptible to a side-channel attack known as "Minerva". This attack could potentially allow an attacker to recover the private key. This vulnerability affects Firefox < 121.

Remediation

Upgrade RHEL:8 nss-softokn-freebl to version 0:3.90.0-6.el8_9 or higher.
This issue was patched in RHSA-2024:0786.

References

medium severity

Information Exposure

  • Vulnerable module: nss-sysinit
  • Introduced through: nss-sysinit@3.67.0-7.el8_5
  • Fixed in: 0:3.90.0-6.el8_9

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 nss-sysinit@3.67.0-7.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream nss-sysinit package and not the nss-sysinit package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Multiple NSS NIST curves were susceptible to a side-channel attack known as "Minerva". This attack could potentially allow an attacker to recover the private key. This vulnerability affects Firefox < 121.

Remediation

Upgrade RHEL:8 nss-sysinit to version 0:3.90.0-6.el8_9 or higher.
This issue was patched in RHSA-2024:0786.

References

medium severity

Information Exposure

  • Vulnerable module: nss-util
  • Introduced through: nss-util@3.67.0-7.el8_5
  • Fixed in: 0:3.90.0-6.el8_9

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 nss-util@3.67.0-7.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream nss-util package and not the nss-util package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Multiple NSS NIST curves were susceptible to a side-channel attack known as "Minerva". This attack could potentially allow an attacker to recover the private key. This vulnerability affects Firefox < 121.

Remediation

Upgrade RHEL:8 nss-util to version 0:3.90.0-6.el8_9 or higher.
This issue was patched in RHSA-2024:0786.

References

medium severity

Improper Handling of Length Parameter Inconsistency

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record: its offset value would not be used to locate the ZIP64 EOCD record; instead the ZIP64 EOCD record would be assumed to be the previous record in the ZIP archive. This could be abused to create ZIP archives that are handled differently by the 'zipfile' module compared to other ZIP implementations.

Remediation maintains this behavior, but checks that the offset specified in the ZIP64 EOCD Locator record matches the expected value.

Remediation

There is no fixed version for RHEL:8 platform-python.

References

medium severity

Inefficient Regular Expression Complexity

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The html.parser.HTMLParser class had worst-case quadratic complexity when processing certain crafted malformed inputs, potentially leading to amplified denial-of-service.

Remediation

There is no fixed version for RHEL:8 platform-python.

References

medium severity

Improper Handling of Length Parameter Inconsistency

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record: its offset value would not be used to locate the ZIP64 EOCD record; instead the ZIP64 EOCD record would be assumed to be the previous record in the ZIP archive. This could be abused to create ZIP archives that are handled differently by the 'zipfile' module compared to other ZIP implementations.

Remediation maintains this behavior, but checks that the offset specified in the ZIP64 EOCD Locator record matches the expected value.

Remediation

There is no fixed version for RHEL:8 python3-libs.

References

medium severity

Inefficient Regular Expression Complexity

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The html.parser.HTMLParser class had worst-case quadratic complexity when processing certain crafted malformed inputs, potentially leading to amplified denial-of-service.

Remediation

There is no fixed version for RHEL:8 python3-libs.

References

medium severity

Information Exposure

  • Vulnerable module: systemd-libs
  • Introduced through: systemd-libs@239-51.el8_5.3

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 systemd-libs@239-51.el8_5.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd-libs package and not the systemd-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

systemd 242 changes the VT1 mode upon a logout, which allows attackers to read cleartext passwords in certain circumstances, such as watching a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because the KDGKBMODE (aka current keyboard mode) check is mishandled.

Remediation

There is no fixed version for RHEL:8 systemd-libs.

References

medium severity

Out-of-bounds Write

  • Vulnerable module: glib2
  • Introduced through: glib2@2.56.4-156.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glib2@2.56.4-156.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glib2 package and not the glib2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in the GLib Base64 encoding routine when processing very large input data. Due to incorrect use of integer types during length calculation, the library may miscalculate buffer boundaries. This can cause memory writes outside the allocated buffer. Applications that process untrusted or extremely large Base64 input using GLib may crash or behave unpredictably.

Remediation

There is no fixed version for RHEL:8 glib2.

References

medium severity

Double Free

  • Vulnerable module: glibc
  • Introduced through: glibc@2.28-164.el8
  • Fixed in: 0:2.28-251.el8_10.25

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The regcomp function in the GNU C library version from 2.4 to 2.41 is subject to a double free if some previous allocation fails. It can be accomplished either by a malloc failure or by using an interposed malloc that injects random malloc failures. The double free can allow buffer manipulation depending on how the regex is constructed. This issue affects all architectures and ABIs supported by the GNU C library.

Remediation

Upgrade RHEL:8 glibc to version 0:2.28-251.el8_10.25 or higher.
This issue was patched in RHSA-2025:12980.

References

medium severity

Double Free

  • Vulnerable module: glibc-common
  • Introduced through: glibc-common@2.28-164.el8
  • Fixed in: 0:2.28-251.el8_10.25

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-common@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-common package and not the glibc-common package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The regcomp function in the GNU C library version from 2.4 to 2.41 is subject to a double free if some previous allocation fails. It can be accomplished either by a malloc failure or by using an interposed malloc that injects random malloc failures. The double free can allow buffer manipulation depending on how the regex is constructed. This issue affects all architectures and ABIs supported by the GNU C library.

Remediation

Upgrade RHEL:8 glibc-common to version 0:2.28-251.el8_10.25 or higher.
This issue was patched in RHSA-2025:12980.

References

medium severity

Double Free

  • Vulnerable module: glibc-langpack-en
  • Introduced through: glibc-langpack-en@2.28-164.el8
  • Fixed in: 0:2.28-251.el8_10.25

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-langpack-en@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-langpack-en package and not the glibc-langpack-en package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The regcomp function in the GNU C library version from 2.4 to 2.41 is subject to a double free if some previous allocation fails. It can be accomplished either by a malloc failure or by using an interposed malloc that injects random malloc failures. The double free can allow buffer manipulation depending on how the regex is constructed. This issue affects all architectures and ABIs supported by the GNU C library.

Remediation

Upgrade RHEL:8 glibc-langpack-en to version 0:2.28-251.el8_10.25 or higher.
This issue was patched in RHSA-2025:12980.

References

medium severity

Double Free

  • Vulnerable module: glibc-minimal-langpack
  • Introduced through: glibc-minimal-langpack@2.28-164.el8
  • Fixed in: 0:2.28-251.el8_10.25

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-minimal-langpack@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-minimal-langpack package and not the glibc-minimal-langpack package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The regcomp function in the GNU C library version from 2.4 to 2.41 is subject to a double free if some previous allocation fails. It can be accomplished either by a malloc failure or by using an interposed malloc that injects random malloc failures. The double free can allow buffer manipulation depending on how the regex is constructed. This issue affects all architectures and ABIs supported by the GNU C library.

Remediation

Upgrade RHEL:8 glibc-minimal-langpack to version 0:2.28-251.el8_10.25 or higher.
This issue was patched in RHSA-2025:12980.

References

medium severity

Information Exposure

  • Vulnerable module: platform-python-pip
  • Introduced through: platform-python-pip@9.0.3-20.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python-pip@9.0.3-20.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python-pip package and not the platform-python-pip package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like POST) to GET as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) and 2. The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7 and users are advised to update to resolve this issue. Users unable to update should disable redirects for services that aren't expecting to respond with redirects with redirects=False and disable automatic redirects with redirects=False and handle 301, 302, and 303 redirects manually by stripping the HTTP request body.

Remediation

There is no fixed version for RHEL:8 platform-python-pip.

References

medium severity

Information Exposure

  • Vulnerable module: python3-pip-wheel
  • Introduced through: python3-pip-wheel@9.0.3-20.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-pip-wheel@9.0.3-20.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-pip-wheel package and not the python3-pip-wheel package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method changed from one that could accept a request body (like POST) to GET as is required by HTTP RFCs. Although this behavior is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers. Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON) and 2. The origin service is compromised and starts redirecting using 301, 302, or 303 to a malicious peer or the redirected-to service becomes compromised. This issue has been addressed in versions 1.26.18 and 2.0.7 and users are advised to update to resolve this issue. Users unable to update should disable redirects for services that aren't expecting to respond with redirects with redirects=False and disable automatic redirects with redirects=False and handle 301, 302, and 303 redirects manually by stripping the HTTP request body.

Remediation

There is no fixed version for RHEL:8 python3-pip-wheel.

References

medium severity

Expired Pointer Dereference

  • Vulnerable module: cups-libs
  • Introduced through: cups-libs@1:2.2.6-40.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 cups-libs@1:2.2.6-40.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream cups-libs package and not the cups-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, a use-after-free vulnerability exists in the CUPS scheduler (cupsd) when temporary printers are automatically deleted. cupsdDeleteTemporaryPrinters() in scheduler/printers.c calls cupsdDeletePrinter() without first expiring subscriptions that reference the printer, leaving cupsd_subscription_t.dest as a dangling pointer to freed heap memory. The dangling pointer is subsequently dereferenced at multiple code sites, causing a crash (denial of service) of the cupsd daemon. With heap grooming, this can be leveraged for code execution.

Remediation

There is no fixed version for RHEL:8 cups-libs.

References

medium severity

Integer Underflow

  • Vulnerable module: cups-libs
  • Introduced through: cups-libs@1:2.2.6-40.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 cups-libs@1:2.2.6-40.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream cups-libs package and not the cups-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, an integer underflow vulnerability in _ppdCreateFromIPP() (cups/ppd-cache.c) allows any unprivileged local user to crash the cupsd root process by supplying a negative job-password-supported IPP attribute. The bounds check only caps the upper bound, so a negative value passes validation, is cast to size_t (wrapping to ~2^64), and is used as the length argument to memset() on a 33-byte stack buffer. This causes an immediate SIGSEGV in the cupsd root process. Combined with systemd's Restart=on-failure, an attacker can repeat the crash for sustained denial of service.

Remediation

There is no fixed version for RHEL:8 cups-libs.

References

medium severity

Loop with Unreachable Exit Condition ('Infinite Loop')

  • Vulnerable module: expat
  • Introduced through: expat@2.2.5-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 expat@2.2.5-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

libexpat before 2.7.5 allows an infinite loop while parsing DTD content.

Remediation

There is no fixed version for RHEL:8 expat.

References

medium severity

Stack-based Buffer Overflow

  • Vulnerable module: gnutls
  • Introduced through: gnutls@3.6.16-4.el8
  • Fixed in: 0:3.6.16-8.el8_10.5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 gnutls@3.6.16-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls package and not the gnutls package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in the GnuTLS library, specifically in the gnutls_pkcs11_token_init() function that handles PKCS#11 token initialization. When a token label longer than expected is processed, the function writes past the end of a fixed-size stack buffer. This programming error can cause the application using GnuTLS to crash or, in certain conditions, be exploited for code execution. As a result, systems or applications relying on GnuTLS may be vulnerable to a denial of service or local privilege escalation attacks.

Remediation

Upgrade RHEL:8 gnutls to version 0:3.6.16-8.el8_10.5 or higher.
This issue was patched in RHSA-2026:5585.

References

medium severity

Buffer Over-read

  • Vulnerable module: libarchive
  • Introduced through: libarchive@3.3.3-1.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libarchive@3.3.3-1.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libarchive package and not the libarchive package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

libarchive through 3.7.7 has a heap-based buffer over-read in header_gnu_longlink in archive_read_support_format_tar.c via a TAR archive because it mishandles truncation in the middle of a GNU long linkname.

Remediation

There is no fixed version for RHEL:8 libarchive.

References

medium severity

Unchecked Return Value

  • Vulnerable module: libarchive
  • Introduced through: libarchive@3.3.3-1.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libarchive@3.3.3-1.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libarchive package and not the libarchive package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

list_item_verbose in tar/util.c in libarchive through 3.7.7 does not check an strftime return value, which can lead to a denial of service or unspecified other impact via a crafted TAR archive that is read with a verbose value of 2. For example, the 100-byte buffer may not be sufficient for a custom locale.

Remediation

There is no fixed version for RHEL:8 libarchive.

References

medium severity

Improper Verification of Source of a Communication Channel

  • Vulnerable module: glib2
  • Introduced through: glib2@2.56.4-156.el8
  • Fixed in: 0:2.56.4-166.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glib2@2.56.4-156.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glib2 package and not the glib2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An issue was discovered in GNOME GLib before 2.78.5, and 2.79.x and 2.80.x before 2.80.1. When a GDBus-based client subscribes to signals from a trusted system service such as NetworkManager on a shared computer, other users of the same computer can send spoofed D-Bus signals that the GDBus-based client will wrongly interpret as having been sent by the trusted system service. This could lead to the GDBus-based client behaving incorrectly, with an application-dependent impact.

Remediation

Upgrade RHEL:8 glib2 to version 0:2.56.4-166.el8_10 or higher.
This issue was patched in RHSA-2025:11327.

References

medium severity

Expected Behavior Violation

  • Vulnerable module: curl
  • Introduced through: curl@7.61.1-22.el8
  • Fixed in: 0:7.61.1-33.el8_9.5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 curl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers: libcurl might erroneously use the read callback (CURLOPT_READFUNCTION) to ask for data to send, even when the CURLOPT_POSTFIELDS option has been set, if the same handle previously was used to issue a PUT request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the second transfer. The problem exists in the logic for a reused handle when it is (expected to be) changed from a PUT to a POST.

Remediation

Upgrade RHEL:8 curl to version 0:7.61.1-33.el8_9.5 or higher.
This issue was patched in RHSA-2024:1601.

References

medium severity

External Control of File Name or Path

  • Vulnerable module: curl
  • Introduced through: curl@7.61.1-22.el8
  • Fixed in: 0:7.61.1-33.el8_9.5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 curl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

This flaw allows an attacker to insert cookies at will into a running program using libcurl, if the specific series of conditions are met.

libcurl performs transfers. In its API, an application creates "easy handles" that are the individual handles for single transfers.

libcurl provides a function call that duplicates an easy handle called curl_easy_duphandle.

If a transfer has cookies enabled when the handle is duplicated, the cookie-enable state is also cloned - but without cloning the actual cookies. If the source handle did not read any cookies from a specific file on disk, the cloned version of the handle would instead store the file name as none (using the four ASCII letters, no quotes).

Subsequent use of the cloned handle that does not explicitly set a source to load cookies from would then inadvertently load cookies from a file named none - if such a file exists and is readable in the current directory of the program using libcurl. And if using the correct file format of course.

Remediation

Upgrade RHEL:8 curl to version 0:7.61.1-33.el8_9.5 or higher.
This issue was patched in RHSA-2024:1601.

References

medium severity

Authentication Bypass

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.17.0.8-2.el8_6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.17.0.8-2.el8_6 or higher.
This issue was patched in RHSA-2022:7012.

References

medium severity

Deserialization of Untrusted Data

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.14.0.9-2.el8_5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.14.0.9-2.el8_5 or higher.
This issue was patched in RHSA-2022:0185.

References

medium severity

Directory Traversal

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.20.0.8-2.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.20.0.8-2.el8 or higher.
This issue was patched in RHSA-2023:4175.

References

medium severity

Improper Handling of Length Parameter Inconsistency

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.25.0.9-2.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15 and 21.3.11. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.25.0.9-2.el8 or higher.
This issue was patched in RHSA-2024:8121.

References

medium severity

Improper Output Neutralization for Logs

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.23.0.9-3.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u401, 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.23.0.9-3.el8 or higher.
This issue was patched in RHSA-2024:1822.

References

medium severity

Integer Coercion Error

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.17.0.8-2.el8_6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.17.0.8-2.el8_6 or higher.
This issue was patched in RHSA-2022:7012.

References

medium severity

Integer Overflow or Wraparound

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.23.0.9-3.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2 and 22; Oracle GraalVM Enterprise Edition: 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.23.0.9-3.el8 or higher.
This issue was patched in RHSA-2024:1822.

References

medium severity

Integer Overflow or Wraparound

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.25.0.9-2.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4 and 23. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.25.0.9-2.el8 or higher.
This issue was patched in RHSA-2024:8121.

References

medium severity

Loop with Unreachable Exit Condition ('Infinite Loop')

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.20.0.8-2.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Utility). Supported versions that are affected are Oracle Java SE: 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.20.0.8-2.el8 or higher.
This issue was patched in RHSA-2023:4175.

References

medium severity

Out-of-bounds Read

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.20.0.8-2.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.20.0.8-2.el8 or higher.
This issue was patched in RHSA-2023:4175.

References

medium severity

Out-of-bounds Write

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.23.0.9-3.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u401, 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.23.0.9-3.el8 or higher.
This issue was patched in RHSA-2024:1822.

References

medium severity

Reliance on File Name or Extension of Externally-Supplied File

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.18.0.10-2.el8_7

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Sound). Supported versions that are affected are Oracle Java SE: 8u351, 8u351-perf, 11.0.17, 17.0.5, 19.0.1; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and 22.3.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.18.0.10-2.el8_7 or higher.
This issue was patched in RHSA-2023:0200.

References

medium severity

Reliance on Reverse DNS Resolution for a Security-Critical Action

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.23.0.9-3.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.23.0.9-3.el8 or higher.
This issue was patched in RHSA-2024:1822.

References

medium severity

Uncontrolled Memory Allocation

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.23.0.9-3.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Concurrency). Supported versions that are affected are Oracle Java SE: 8u401, 8u401-perf, 11.0.22; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.23.0.9-3.el8 or higher.
This issue was patched in RHSA-2024:1822.

References

medium severity

Uncontrolled Memory Allocation

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.25.0.9-2.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15 and 21.3.11. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.25.0.9-2.el8 or higher.
This issue was patched in RHSA-2024:8121.

References

medium severity

Use of Insufficiently Random Values

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.17.0.8-2.el8_6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.17.0.8-2.el8_6 or higher.
This issue was patched in RHSA-2022:7012.

References

medium severity

Expected Behavior Violation

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.61.1-22.el8
  • Fixed in: 0:7.61.1-33.el8_9.5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libcurl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might erroneously use the read callback (CURLOPT_READFUNCTION) to ask for data to send, even when the CURLOPT_POSTFIELDS option has been set, if the same handle previously was used to issue a PUT request which used that callback. This flaw may surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the second transfer. The problem exists in the logic for a reused handle when it is (expected to be) changed from a PUT to a POST.

Remediation

Upgrade RHEL:8 libcurl to version 0:7.61.1-33.el8_9.5 or higher.
This issue was patched in RHSA-2024:1601.

References

medium severity

External Control of File Name or Path

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.61.1-22.el8
  • Fixed in: 0:7.61.1-33.el8_9.5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libcurl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

This flaw allows an attacker to insert cookies at will into a running program using libcurl, if the specific series of conditions are met.

libcurl performs transfers. In its API, an application creates "easy handles" that are the individual handles for single transfers.

libcurl provides a function call that duplicates an easy handle called curl_easy_duphandle.

If a transfer has cookies enabled when the handle is duplicated, the cookie-enable state is also cloned - but without cloning the actual cookies. If the source handle did not read any cookies from a specific file on disk, the cloned version of the handle would instead store the file name as none (using the four ASCII letters, no quotes).

Subsequent use of the cloned handle that does not explicitly set a source to load cookies from would then inadvertently load cookies from a file named none - if such a file exists and is readable in the current directory of the program using libcurl. And if using the correct file format of course.

Remediation

Upgrade RHEL:8 libcurl to version 0:7.61.1-33.el8_9.5 or higher.
This issue was patched in RHSA-2024:1601.

References

medium severity

Expected Behavior Violation

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8
  • Fixed in: 0:3.6.8-67.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries.

CPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.

Remediation

Upgrade RHEL:8 platform-python to version 0:3.6.8-67.el8_10 or higher.
This issue was patched in RHSA-2024:6975.

References

medium severity

Improper Validation of Specified Type of Input

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8
  • Fixed in: 0:3.6.8-69.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts ([]), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.

Remediation

Upgrade RHEL:8 platform-python to version 0:3.6.8-69.el8_10 or higher.
This issue was patched in RHSA-2024:10779.

References

medium severity

Expected Behavior Violation

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8
  • Fixed in: 0:3.6.8-67.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries.

CPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior.

Remediation

Upgrade RHEL:8 python3-libs to version 0:3.6.8-67.el8_10 or higher.
This issue was patched in RHSA-2024:6975.

References

medium severity

Improper Validation of Specified Type of Input

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8
  • Fixed in: 0:3.6.8-69.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts ([]), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.

Remediation

Upgrade RHEL:8 python3-libs to version 0:3.6.8-69.el8_10 or higher.
This issue was patched in RHSA-2024:10779.

References

medium severity

Memory Leak

  • Vulnerable module: libcap
  • Introduced through: libcap@2.26-5.el8
  • Fixed in: 0:2.48-5.el8_8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libcap@2.26-5.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcap package and not the libcap package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A vulnerability was found in the pthread_create() function in libcap. This issue may allow a malicious actor to cause __real_pthread_create() to return an error, which can exhaust the process memory.

Remediation

Upgrade RHEL:8 libcap to version 0:2.48-5.el8_8 or higher.
This issue was patched in RHSA-2023:4524.

References

medium severity

Directory Traversal

  • Vulnerable module: java-11-openjdk-headless
  • Introduced through: java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5
  • Fixed in: 1:11.0.20.0.8-2.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 java-11-openjdk-headless@1:11.0.13.0.8-3.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream java-11-openjdk-headless package and not the java-11-openjdk-headless package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).

Remediation

Upgrade RHEL:8 java-11-openjdk-headless to version 1:11.0.20.0.8-2.el8 or higher.
This issue was patched in RHSA-2023:4175.

References

medium severity

Uncontrolled Recursion

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The legacy email.utils.parseaddr function in Python through 3.11.4 allows attackers to trigger "RecursionError: maximum recursion depth exceeded while calling a Python object" via a crafted argument. This argument is plausibly an untrusted value from an application's input data that was supposed to contain a name and an e-mail address. NOTE: email.utils.parseaddr is categorized as a Legacy API in the documentation of the Python email package. Applications should instead use the email.parser.BytesParser or email.parser.Parser class. NOTE: the vendor's perspective is that this is neither a vulnerability nor a bug. The email package is intended to have size limits and to throw an exception when limits are exceeded; they were exceeded by the example demonstration code.

Remediation

There is no fixed version for RHEL:8 platform-python.

References

medium severity

Uncontrolled Recursion

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The legacy email.utils.parseaddr function in Python through 3.11.4 allows attackers to trigger "RecursionError: maximum recursion depth exceeded while calling a Python object" via a crafted argument. This argument is plausibly an untrusted value from an application's input data that was supposed to contain a name and an e-mail address. NOTE: email.utils.parseaddr is categorized as a Legacy API in the documentation of the Python email package. Applications should instead use the email.parser.BytesParser or email.parser.Parser class. NOTE: the vendor's perspective is that this is neither a vulnerability nor a bug. The email package is intended to have size limits and to throw an exception when limits are exceeded; they were exceeded by the example demonstration code.
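Both platform-python and python3-libs entries above describe the same legacy email.utils.parseaddr behaviour and the same advice: use the email.parser classes instead and expect the package to raise when its limits are hit. The following added example (not from this report or from CPython) does that for a single address-list header: it caps the input length, refuses multi-line values, parses with email.parser.Parser under email.policy.default, and converts a RecursionError into an ordinary ValueError so the caller fails closed. The size limit is an assumption to tune per application; the crafted input that triggers the RecursionError is not reproduced here.

```python
import email.policy
from email.parser import Parser

MAX_HEADER_LEN = 1024  # assumption: adjust for your application


def parse_addresses(value: str, max_len: int = MAX_HEADER_LEN, strict: bool = True):
    """Parse a 'Name <addr>, ...' header value with the modern header parser.

    Returns a list of (display_name, addr_spec) tuples. Raises ValueError
    for oversized or multi-line input, for input that exhausts the
    interpreter's recursion limit, and (when strict) for input the parser
    accepted only by recording defects.
    """
    if len(value) > max_len:
        raise ValueError("address header too long")
    if "\r" in value or "\n" in value:
        raise ValueError("address header must be a single line")
    try:
        msg = Parser(policy=email.policy.default).parsestr(f"To: {value}\n\n")
        header = msg["to"]
        if strict and header.defects:
            raise ValueError(f"malformed address header: {header.defects}")
        return [(a.display_name, a.addr_spec) for a in header.addresses]
    except RecursionError:
        raise ValueError("address header too deeply nested") from None


def rejects(value: str) -> bool:
    """True if parse_addresses() refuses the value."""
    try:
        parse_addresses(value)
    except ValueError:
        return True
    return False
```

With email.policy.default the parsed header is an AddressHeader whose .addresses entries already split display name, local part and domain, so no second regex pass over untrusted text is needed.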

Remediation

There is no fixed version for RHEL:8 python3-libs.

References

low severity

Insufficient Verification of Data Authenticity

  • Vulnerable module: ca-certificates
  • Introduced through: ca-certificates@2021.2.50-80.0.el8_4
  • Fixed in: 0:2024.2.69_v8.0.303-80.0.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 ca-certificates@2021.2.50-80.0.el8_4

NVD Description

Note: Versions mentioned in the description apply only to the upstream ca-certificates package and not the ca-certificates package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes "e-Tugra" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store.
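On a RHEL 8 image the relevant store is the ca-certificates bundle, not the Python certifi package, so the check a practitioner wants is whether the bundle the interpreter actually trusts still carries the withdrawn roots. The following is an added example (not from this report or from the certifi or ca-certificates projects): it loads the OpenSSL default CA file into a fresh SSLContext and filters the loaded subjects by name. The substrings used to identify the e-Tugra roots are an assumption; compare them with the subjects in the bundle you ship.

```python
import os
import ssl

# Assumption: the e-Tugra root subjects carry the CA name either as
# "E-Tugra" or with the Turkish spelling "E-Tuğra".
DISTRUSTED_NEEDLES = ("tugra", "tuğra")


def trusted_root_subjects(cafile=None):
    """Subjects of the CA certificates loaded from cafile.

    cafile defaults to OpenSSL's default bundle for this interpreter (on
    RHEL 8 that resolves to the ca-certificates bundle); if that file is
    missing or unreadable, the platform default store is used instead.
    Note that get_ca_certs() only reports certificates loaded eagerly from
    a file, not ones a hashed CA directory would load on demand.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cafile is None:
        cafile = ssl.get_default_verify_paths().cafile
    loaded = False
    if cafile and os.path.exists(cafile):
        try:
            ctx.load_verify_locations(cafile=cafile)
            loaded = True
        except ssl.SSLError:
            pass
    if not loaded:
        ctx.load_default_certs()
    subjects = []
    for cert in ctx.get_ca_certs():
        rdns = [f"{k}={v}" for rdn in cert.get("subject", ()) for k, v in rdn]
        subjects.append(", ".join(rdns))
    return subjects


def distrusted_roots(subjects, needles=DISTRUSTED_NEEDLES):
    """Subset of subjects whose name matches any of the needles."""
    return [s for s in subjects if any(n in s.lower() for n in needles)]


if __name__ == "__main__":
    for subject in distrusted_roots(trusted_root_subjects()):
        print("still trusted:", subject)
```

Run it inside the container rather than on the build host, since the point is the bundle the application process sees; if certifi is also installed (pip), repeat the call with cafile=certifi.where(), because that bundle is independent of the RPM.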

Remediation

Upgrade RHEL:8 ca-certificates to version 0:2024.2.69_v8.0.303-80.0.el8_10 or higher.
This issue was patched in RHBA-2024:5736.

References

low severity

Improperly Implemented Security Check for Standard

  • Vulnerable module: curl
  • Introduced through: curl@7.61.1-22.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 curl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts not present in the specified file if they were added as recognized in the libssh global known_hosts file.

Remediation

There is no fixed version for RHEL:8 curl.

References

low severity

Improperly Implemented Security Check for Standard

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.61.1-22.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libcurl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

When doing SSH-based transfers using either SCP or SFTP, and setting the known_hosts file, libcurl could still mistakenly accept connecting to hosts not present in the specified file if they were added as recognized in the libssh global known_hosts file.

Remediation

There is no fixed version for RHEL:8 libcurl.

References

low severity

Use of Less Trusted Source

  • Vulnerable module: platform-python-pip
  • Introduced through: platform-python-pip@9.0.3-20.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python-pip@9.0.3-20.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python-pip package and not the platform-python-pip package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely.

Remediation

There is no fixed version for RHEL:8 platform-python-pip.

References

low severity

Use of Less Trusted Source

  • Vulnerable module: python3-pip-wheel
  • Introduced through: python3-pip-wheel@9.0.3-20.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-pip-wheel@9.0.3-20.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-pip-wheel package and not the python3-pip-wheel package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely.
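Both pip entries above (platform-python-pip and python3-pip-wheel) describe the same dependency-confusion behaviour, and since there is no RHEL fix the mitigation is configuration. The following pip.conf is an added example (not from this report or from pip): it leaves pip with a single authoritative index, an internal proxy that mirrors PyPI and hosts the private packages, so there is never a second index for a same-named public package to win from, and it makes installs refuse unpinned, unhashed requirements. The hostname and the file location are assumptions.

```ini
# pip.conf (assumed path on Linux: ~/.config/pip/pip.conf or /etc/pip.conf)
[global]
# One index only: an internal proxy that mirrors PyPI and serves the
# private packages (hostname is an assumption for this example).
index-url = https://pypi.internal.example/simple
# Do NOT pair it with a public index. With both configured, pip picks the
# highest version number seen on either index, so a public upload with the
# name of an internal package and a larger version wins:
# extra-index-url = https://pypi.org/simple

[install]
# Every requirement must be pinned and carry a --hash entry; anything else
# makes the install fail instead of silently pulling a substitute.
require-hashes = true
```

Generate the hashes once with pip hash (or pip-compile --generate-hashes) and commit the resulting requirements file; with require-hashes set, a package swapped on the index fails the hash check even if the version number matches.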

Remediation

There is no fixed version for RHEL:8 python3-pip-wheel.

References

low severity

Arbitrary Command Injection

  • Vulnerable module: cups-libs
  • Introduced through: cups-libs@1:2.2.6-40.el8
  • Fixed in: 1:2.2.6-62.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 cups-libs@1:2.2.6-40.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream cups-libs package and not the cups-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

CUPS is a standards-based, open-source printing system, and libppd can be used for legacy PPD file support. The libppd function ppdCreatePPDFromIPP2 does not sanitize IPP attributes when creating the PPD buffer. When used in combination with other functions such as cfGetPrinterAttributes5, this can result in user-controlled input reaching Foomatic and ultimately in code execution. This vulnerability can be part of an exploit chain leading to remote code execution (RCE), as described in CVE-2024-47176.

Remediation

Upgrade RHEL:8 cups-libs to version 1:2.2.6-62.el8_10 or higher.
This issue was patched in RHSA-2025:0083.

References

low severity

Improper Input Validation

  • Vulnerable module: sqlite-libs
  • Introduced through: sqlite-libs@3.26.0-15.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 sqlite-libs@3.26.0-15.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream sqlite-libs package and not the sqlite-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

sqlite3Select in select.c in SQLite 3.30.1 allows a crash if a sub-select uses both DISTINCT and window functions, and also has certain ORDER BY usage.

Remediation

There is no fixed version for RHEL:8 sqlite-libs.

References

low severity

NULL Pointer Dereference

  • Vulnerable module: openldap
  • Introduced through: openldap@2.4.46-18.el8
  • Fixed in: 0:2.4.46-19.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openldap@2.4.46-18.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openldap package and not the openldap package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A vulnerability was found in openldap. This security flaw causes a null pointer dereference in ber_memalloc_x() function.

Remediation

Upgrade RHEL:8 openldap to version 0:2.4.46-19.el8_10 or higher.
This issue was patched in RHSA-2024:4264.

References

low severity

Use After Free

  • Vulnerable module: dbus-libs
  • Introduced through: dbus-libs@1:1.12.8-14.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 dbus-libs@1:1.12.8-14.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream dbus-libs package and not the dbus-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A use-after-free flaw was found in D-Bus Development branch <= 1.13.16, dbus-1.12.x stable branch <= 1.12.18, and dbus-1.10.x and older branches <= 1.10.30 when a system has multiple usernames sharing the same UID. When a set of policy rules references these usernames, D-Bus may free some memory in the heap which is still used by data structures necessary for the other usernames sharing the UID, possibly leading to a crash or other undefined behaviour.

Remediation

There is no fixed version for RHEL:8 dbus-libs.

References

low severity

Heap-based Buffer Overflow

  • Vulnerable module: libarchive
  • Introduced through: libarchive@3.3.3-1.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libarchive@3.3.3-1.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libarchive package and not the libarchive package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A vulnerability has been identified in the libarchive library. This flaw can lead to a heap buffer over-read due to the size of a filter block potentially exceeding the Lempel-Ziv-Storer-Schieber (LZSS) window. This means the library may attempt to read beyond the allocated memory buffer, which can result in unpredictable program behavior, crashes (denial of service), or the disclosure of sensitive information from adjacent memory regions.

Remediation

There is no fixed version for RHEL:8 libarchive.

References

low severity

Information Exposure

  • Vulnerable module: curl
  • Introduced through: curl@7.61.1-22.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 curl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.

Remediation

There is no fixed version for RHEL:8 curl.

References

low severity

Deserialization of Untrusted Data

  • Vulnerable module: glib2
  • Introduced through: glib2@2.56.4-156.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glib2@2.56.4-156.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glib2 package and not the glib2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in GLib. GVariant deserialization is vulnerable to a slowdown issue where a crafted GVariant can cause excessive processing, leading to denial of service.

Remediation

There is no fixed version for RHEL:8 glib2.

References

low severity

Resource Exhaustion

  • Vulnerable module: glib2
  • Introduced through: glib2@2.56.4-156.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glib2@2.56.4-156.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glib2 package and not the glib2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in GLib. GVariant deserialization is vulnerable to an exponential blowup issue where a crafted GVariant can cause excessive processing, leading to denial of service.

Remediation

There is no fixed version for RHEL:8 glib2.

References

low severity

NULL Pointer Dereference

  • Vulnerable module: gnutls
  • Introduced through: gnutls@3.6.16-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 gnutls@3.6.16-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls package and not the gnutls package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A NULL pointer dereference flaw was found in GnuTLS. As Nettle's hash update functions internally call memcpy, providing zero-length input may cause undefined behavior. This flaw leads to a denial of service after authentication in rare circumstances.

Remediation

There is no fixed version for RHEL:8 gnutls.

References

low severity

Information Exposure

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.61.1-22.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libcurl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.

Remediation

There is no fixed version for RHEL:8 libcurl.

References

low severity

Heap-based Buffer Overflow

  • Vulnerable module: ncurses-base
  • Introduced through: ncurses-base@6.1-9.20180224.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 ncurses-base@6.1-9.20180224.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses-base package and not the ncurses-base package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Buffer Overflow vulnerability in fmt_entry function in progs/dump_entry.c:1100 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.

Remediation

There is no fixed version for RHEL:8 ncurses-base.

References

low severity

Heap-based Buffer Overflow

  • Vulnerable module: ncurses-base
  • Introduced through: ncurses-base@6.1-9.20180224.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 ncurses-base@6.1-9.20180224.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses-base package and not the ncurses-base package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Buffer Overflow vulnerability in postprocess_terminfo function in tinfo/parse_entry.c:997 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.

Remediation

There is no fixed version for RHEL:8 ncurses-base.

References

low severity

Heap-based Buffer Overflow

  • Vulnerable module: ncurses-base
  • Introduced through: ncurses-base@6.1-9.20180224.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 ncurses-base@6.1-9.20180224.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses-base package and not the ncurses-base package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Buffer Overflow vulnerability in one_one_mapping function in progs/dump_entry.c:1373 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.

Remediation

There is no fixed version for RHEL:8 ncurses-base.

References

low severity

Heap-based Buffer Overflow

  • Vulnerable module: ncurses-base
  • Introduced through: ncurses-base@6.1-9.20180224.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 ncurses-base@6.1-9.20180224.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses-base package and not the ncurses-base package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Buffer Overflow vulnerability in _nc_find_entry in tinfo/comp_hash.c:70 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.

Remediation

There is no fixed version for RHEL:8 ncurses-base.

References

low severity

Out-of-bounds Read

  • Vulnerable module: ncurses-base
  • Introduced through: ncurses-base@6.1-9.20180224.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 ncurses-base@6.1-9.20180224.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses-base package and not the ncurses-base package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Buffer Overflow vulnerability in _nc_find_entry function in tinfo/comp_hash.c:66 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.

Remediation

There is no fixed version for RHEL:8 ncurses-base.

References

low severity

Resource Exhaustion

  • Vulnerable module: ncurses-base
  • Introduced through: ncurses-base@6.1-9.20180224.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 ncurses-base@6.1-9.20180224.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses-base package and not the ncurses-base package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

ncurses 6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().

Remediation

There is no fixed version for RHEL:8 ncurses-base.

References

low severity

Stack-based Buffer Overflow

  • Vulnerable module: ncurses-base
  • Introduced through: ncurses-base@6.1-9.20180224.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 ncurses-base@6.1-9.20180224.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses-base package and not the ncurses-base package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Buffer Overflow vulnerability in fmt_entry function in progs/dump_entry.c:1116 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.

Remediation

There is no fixed version for RHEL:8 ncurses-base.

References

low severity

Heap-based Buffer Overflow

  • Vulnerable module: ncurses-libs
  • Introduced through: ncurses-libs@6.1-9.20180224.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 ncurses-libs@6.1-9.20180224.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses-libs package and not the ncurses-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Buffer Overflow vulnerability in fmt_entry function in progs/dump_entry.c:1100 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.

Remediation

There is no fixed version for RHEL:8 ncurses-libs.

References

low severity

Heap-based Buffer Overflow

  • Vulnerable module: ncurses-libs
  • Introduced through: ncurses-libs@6.1-9.20180224.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 ncurses-libs@6.1-9.20180224.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses-libs package and not the ncurses-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Buffer Overflow vulnerability in postprocess_terminfo function in tinfo/parse_entry.c:997 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.

Remediation

There is no fixed version for RHEL:8 ncurses-libs.

References

low severity

Heap-based Buffer Overflow

  • Vulnerable module: ncurses-libs
  • Introduced through: ncurses-libs@6.1-9.20180224.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 ncurses-libs@6.1-9.20180224.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses-libs package and not the ncurses-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Buffer Overflow vulnerability in one_one_mapping function in progs/dump_entry.c:1373 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.

Remediation

There is no fixed version for RHEL:8 ncurses-libs.

References

low severity

Heap-based Buffer Overflow

  • Vulnerable module: ncurses-libs
  • Introduced through: ncurses-libs@6.1-9.20180224.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 ncurses-libs@6.1-9.20180224.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses-libs package and not the ncurses-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Buffer Overflow vulnerability in _nc_find_entry in tinfo/comp_hash.c:70 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.

Remediation

There is no fixed version for RHEL:8 ncurses-libs.

References

low severity

Out-of-bounds Read

  • Vulnerable module: ncurses-libs
  • Introduced through: ncurses-libs@6.1-9.20180224.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 ncurses-libs@6.1-9.20180224.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses-libs package and not the ncurses-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Buffer Overflow vulnerability in _nc_find_entry function in tinfo/comp_hash.c:66 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.

Remediation

There is no fixed version for RHEL:8 ncurses-libs.

References

low severity

Resource Exhaustion

  • Vulnerable module: ncurses-libs
  • Introduced through: ncurses-libs@6.1-9.20180224.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 ncurses-libs@6.1-9.20180224.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses-libs package and not the ncurses-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

ncurses 6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().

Remediation

There is no fixed version for RHEL:8 ncurses-libs.

References

low severity

Stack-based Buffer Overflow

  • Vulnerable module: ncurses-libs
  • Introduced through: ncurses-libs@6.1-9.20180224.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 ncurses-libs@6.1-9.20180224.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses-libs package and not the ncurses-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Buffer Overflow vulnerability in fmt_entry function in progs/dump_entry.c:1116 in ncurses 6.1 allows remote attackers to cause a denial of service via crafted command.

Remediation

There is no fixed version for RHEL:8 ncurses-libs.

References

low severity

NULL Pointer Dereference

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the PKCS12_item_decrypt_d2i_ex() function.

Impact summary: A NULL pointer dereference can trigger a crash which leads to Denial of Service for an application processing PKCS#12 files.

The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct parameter is NULL before dereferencing it. When called from PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can be NULL, causing a crash. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure.

Exploiting this issue requires an attacker to provide a malformed PKCS#12 file to an application that processes it. For that reason the issue was assessed as Low severity according to our Security Policy.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

Remediation

There is no fixed version for RHEL:8 openssl.

References

low severity

Resource Exhaustion

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: Processing some specially crafted ASN.1 object identifiers or data containing them may be very slow.

Impact summary: Applications that use OBJ_obj2txt() directly, or use any of the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message size limit may experience notable to very long delays when processing those messages, which may lead to a Denial of Service.

An OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers - most of which have no size limit. OBJ_obj2txt() may be used to translate an ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL type ASN1_OBJECT) to its canonical numeric text form, which are the sub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by periods.

When one of the sub-identifiers in the OBJECT IDENTIFIER is very large (these are sizes that are seen as absurdly large, taking up tens or hundreds of KiBs), the translation to a decimal number in text may take a very long time. The time complexity is O(n^2) with 'n' being the size of the sub-identifiers in bytes (*).

With OpenSSL 3.0, support to fetch cryptographic algorithms using names / identifiers in string form was introduced. This includes using OBJECT IDENTIFIERs in canonical numeric text form as identifiers for fetching algorithms.

Such OBJECT IDENTIFIERs may be received through the ASN.1 structure AlgorithmIdentifier, which is commonly used in multiple protocols to specify what cryptographic algorithm should be used to sign or verify, encrypt or decrypt, or digest passed data.

Applications that call OBJ_obj2txt() directly with untrusted data are affected, with any version of OpenSSL. If the use is for the mere purpose of display, the severity is considered low.

In OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS. It also impacts anything that processes X.509 certificates, including simple things like verifying its signature.

The impact on TLS is relatively low, because all versions of OpenSSL have a 100KiB limit on the peer's certificate chain. Additionally, this only impacts clients, or servers that have explicitly enabled client authentication.

In OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects, such as X.509 certificates. This is assumed to not happen in such a way that it would cause a Denial of Service, so these versions are considered not affected by this issue in such a way that it would be cause for concern, and the severity is therefore considered low.

Remediation

There is no fixed version for RHEL:8 openssl.

References

low severity

NULL Pointer Dereference

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl-libs@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the PKCS12_item_decrypt_d2i_ex() function.

Impact summary: A NULL pointer dereference can trigger a crash which leads to Denial of Service for an application processing PKCS#12 files.

The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct parameter is NULL before dereferencing it. When called from PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can be NULL, causing a crash. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure.

Exploiting this issue requires an attacker to provide a malformed PKCS#12 file to an application that processes it. For that reason the issue was assessed as Low severity according to our Security Policy.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

Remediation

There is no fixed version for RHEL:8 openssl-libs.

References

low severity

Resource Exhaustion

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl-libs@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: Processing some specially crafted ASN.1 object identifiers or data containing them may be very slow.

Impact summary: Applications that use OBJ_obj2txt() directly, or use any of the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message size limit may experience notable to very long delays when processing those messages, which may lead to a Denial of Service.

An OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers - most of which have no size limit. OBJ_obj2txt() may be used to translate an ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL type ASN1_OBJECT) to its canonical numeric text form, which are the sub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by periods.

When one of the sub-identifiers in the OBJECT IDENTIFIER is very large (these are sizes that are seen as absurdly large, taking up tens or hundreds of KiBs), the translation to a decimal number in text may take a very long time. The time complexity is O(n^2) with 'n' being the size of the sub-identifiers in bytes (*).

With OpenSSL 3.0, support to fetch cryptographic algorithms using names / identifiers in string form was introduced. This includes using OBJECT IDENTIFIERs in canonical numeric text form as identifiers for fetching algorithms.

Such OBJECT IDENTIFIERs may be received through the ASN.1 structure AlgorithmIdentifier, which is commonly used in multiple protocols to specify what cryptographic algorithm should be used to sign or verify, encrypt or decrypt, or digest passed data.

Applications that call OBJ_obj2txt() directly with untrusted data are affected, with any version of OpenSSL. If the use is for the mere purpose of display, the severity is considered low.

In OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS. It also impacts anything that processes X.509 certificates, including simple things like verifying its signature.

The impact on TLS is relatively low, because all versions of OpenSSL have a 100KiB limit on the peer's certificate chain. Additionally, this only impacts clients, or servers that have explicitly enabled client authentication.

In OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects, such as X.509 certificates. This is assumed to not happen in such a way that it would cause a Denial of Service, so these versions are considered not affected by this issue in such a way that it would be cause for concern, and the severity is therefore considered low.

Remediation

There is no fixed version for RHEL:8 openssl-libs.

References

low severity
new

Improper Verification of Cryptographic Signature

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue Summary: The PKCS#12 file processing fails to perform sufficient input validation for files that use Password-Based Message Authentication Code 1 (PBMAC1) integrity mechanism allowing a certificate and private key forgery.

Impact Summary: An attacker impersonating a user can cause a service reading PKCS#12 files to accept forged certificates and private keys with a 1 in 256 probability.

If a service accepting PKCS#12 files is using passwords for authenticating the received files, the attacker can create unencrypted PKCS#12 files that use PBMAC1 authentication that specifies an HMAC key of only one byte, allowing them to craft a file that will be accepted with a 1 in 256 probability. That would then cause the service to accept a certificate and private key controlled by the attacker.

The FIPS modules are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Remediation

There is no fixed version for RHEL:8 openssl.

References

low severity
new

Information Exposure

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: The CMS_decrypt and PKCS7_decrypt functions are vulnerable to Bleichenbacher-style attack when an attacker is able to provide the CMS or S/MIME messages and observe the error code and/or decryption output.

Impact summary: The Bleichenbacher-style attack allows an attacker to use the victim's vulnerable application as a way to decrypt or sign messages with the victim's private RSA key.

The attack is possible in 2 variants.

  1. The decryption API (CMS_decrypt(), PKCS7_decrypt()) is used without providing the recipient certificate. In this case OpenSSL iterates over every KeyTransRecipientInfo (KTRI) without stopping at the first success.

An attacker who authors a message with two KTRI entries — the first one wrapping a real CEK under the victim's public key, the second with an arbitrary probe ciphertext — obtains opportunity to iterate the 2nd KTRI to get a valid PKCS#1 v1.5 padding if the error code of the application is available.

That is a Bleichenbacher oracle (Bleichenbacher, CRYPTO '98): an adaptive-chosen-ciphertext side channel from which the attacker decrypts any RSA ciphertext to the victim's key or forges any PKCS#1 v1.5 signature under it.

  2. When the decryption API (CMS_decrypt(), PKCS7_decrypt()) is provided with the recipient certificate, and the recipient is not found, a random key is substituted.

An attacker who authors a message and is able to compare both error code and the result of the decryption, can mount a Bleichenbacher oracle.

We are not aware of any applications that provide a remote attacker an opportunity to mount an attack described in these scenarios. We consider the existence of such an application very unlikely, and for this reason this CVE has been evaluated as Low severity.

To avoid these attacks, when RSA PKCS#1 v1.5 Key Transport is in use, the invoked EVP_PKEY_decrypt() will use the implicit rejection mechanism described in draft-irtf-cfrg-rsa-guidance. In previous OpenSSL releases the implicit rejection was explicitly disabled.

The implicit rejection mechanism always returns a plaintext value, the symmetric key. This result is deterministic for the ciphertext and the private key. The length of the decryption result can happen to match the length of the key of the symmetric cipher that was used for the content encryption. When a certificate is not provided, the last RecipientInfo producing a key that looks valid will be used, which may result in garbage content on decryption. The proper way to deal with this is to provide a recipient certificate that identifies the particular RecipientInfo to use for decryption.

The FIPS modules in 4.0, 3.6, 3.5, and 3.4 are not affected by this issue, as CMS and S/MIME processing happens outside the OpenSSL FIPS module boundary.

Remediation

There is no fixed version for RHEL:8 openssl.

References

low severity
new

Improper Verification of Cryptographic Signature

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl-libs@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue Summary: The PKCS#12 file processing fails to perform sufficient input validation for files that use Password-Based Message Authentication Code 1 (PBMAC1) integrity mechanism allowing a certificate and private key forgery.

Impact Summary: An attacker impersonating a user can cause a service reading PKCS#12 files to accept forged certificates and private keys with a 1 in 256 probability.

If a service accepting PKCS#12 files is using passwords for authenticating the received files, the attacker can create unencrypted PKCS#12 files that use PBMAC1 authentication that specifies an HMAC key of only one byte, allowing them to craft a file that will be accepted with a 1 in 256 probability. That would then cause the service to accept a certificate and private key controlled by the attacker.

The FIPS modules are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Remediation

There is no fixed version for RHEL:8 openssl-libs.

References

low severity
new

Information Exposure

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl-libs@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: The CMS_decrypt and PKCS7_decrypt functions are vulnerable to Bleichenbacher-style attack when an attacker is able to provide the CMS or S/MIME messages and observe the error code and/or decryption output.

Impact summary: The Bleichenbacher-style attack allows an attacker to use the victim's vulnerable application as a way to decrypt or sign messages with the victim's private RSA key.

The attack is possible in 2 variants.

  1. The decryption API (CMS_decrypt(), PKCS7_decrypt()) is used without providing the recipient certificate. In this case OpenSSL iterates over every KeyTransRecipientInfo (KTRI) without stopping at the first success.

An attacker who authors a message with two KTRI entries — the first one wrapping a real CEK under the victim's public key, the second with an arbitrary probe ciphertext — obtains opportunity to iterate the 2nd KTRI to get a valid PKCS#1 v1.5 padding if the error code of the application is available.

That is a Bleichenbacher oracle (Bleichenbacher, CRYPTO '98): an adaptive-chosen-ciphertext side channel from which the attacker decrypts any RSA ciphertext to the victim's key or forges any PKCS#1 v1.5 signature under it.

  2. When the decryption API (CMS_decrypt(), PKCS7_decrypt()) is provided with the recipient certificate, and the recipient is not found, a random key is substituted.

An attacker who authors a message and is able to compare both error code and the result of the decryption, can mount a Bleichenbacher oracle.

We are not aware of any applications that provide a remote attacker an opportunity to mount an attack described in these scenarios. We consider the existence of such an application very unlikely, and for this reason this CVE has been evaluated as Low severity.

To avoid these attacks, when RSA PKCS#1 v1.5 Key Transport is in use, the invoked EVP_PKEY_decrypt() will use the implicit rejection mechanism described in draft-irtf-cfrg-rsa-guidance. In previous OpenSSL releases the implicit rejection was explicitly disabled.

The implicit rejection mechanism always returns a plaintext value, the symmetric key. This result is deterministic for the ciphertext and the private key. The length of the decryption result can happen to match the length of the key of the symmetric cipher that was used for the content encryption. When a certificate is not provided, the last RecipientInfo producing a key that looks valid will be used, which may result in garbage content on decryption. The proper way to deal with this is to provide a recipient certificate that identifies the particular RecipientInfo to use for decryption.

The FIPS modules in 4.0, 3.6, 3.5, and 3.4 are not affected by this issue, as CMS and S/MIME processing happens outside the OpenSSL FIPS module boundary.

Remediation

There is no fixed version for RHEL:8 openssl-libs.

References

low severity

Deserialization of Untrusted Data

  • Vulnerable module: glib2
  • Introduced through: glib2@2.56.4-156.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glib2@2.56.4-156.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glib2 package and not the glib2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in GLib. GVariant deserialization fails to validate that the input conforms to the expected format, leading to denial of service.

Remediation

There is no fixed version for RHEL:8 glib2.

References

low severity

Resource Exhaustion

  • Vulnerable module: glib2
  • Introduced through: glib2@2.56.4-156.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glib2@2.56.4-156.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glib2 package and not the glib2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in glib, where the gvariant deserialization code is vulnerable to a denial of service introduced by additional input validation added to resolve CVE-2023-29499. The offset table validation may be very slow. This bug does not affect any released version of glib but does affect glib distributors who followed the guidance of glib developers to backport the initial fix for CVE-2023-29499.

Remediation

There is no fixed version for RHEL:8 glib2.

References

low severity

Out-of-bounds Write

  • Vulnerable module: gnupg2
  • Introduced through: gnupg2@2.2.20-2.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 gnupg2@2.2.20-2.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnupg2 package and not the gnupg2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.

Remediation

There is no fixed version for RHEL:8 gnupg2.

References

low severity

Out-of-bounds Read

  • Vulnerable module: gawk
  • Introduced through: gawk@4.2.1-2.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 gawk@4.2.1-2.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream gawk package and not the gawk package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A heap out-of-bounds read flaw was found in builtin.c in the gawk package. This issue may lead to a crash and could be used to read sensitive information.

Remediation

There is no fixed version for RHEL:8 gawk.

References

low severity

Information Exposure

  • Vulnerable module: curl
  • Introduced through: curl@7.61.1-22.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 curl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

When asked to both use a .netrc file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances.

This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.

Remediation

There is no fixed version for RHEL:8 curl.

References

low severity

Use After Free

  • Vulnerable module: curl
  • Introduced through: curl@7.61.1-22.el8
  • Fixed in: 0:7.61.1-30.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 curl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A use after free vulnerability exists in curl <7.87.0. Curl can be asked to tunnel virtually all protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations. When denied a tunnel for the specific protocols SMB or TELNET, curl would use a heap-allocated struct after it had been freed, in its transfer shutdown code path.

Remediation

Upgrade RHEL:8 curl to version 0:7.61.1-30.el8 or higher.
This issue was patched in RHSA-2023:2963.

References

low severity

Memory Leak

  • Vulnerable module: krb5-libs
  • Introduced through: krb5-libs@1.18.2-14.el8
  • Fixed in: 0:1.18.2-27.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 krb5-libs@1.18.2-14.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5-libs package and not the krb5-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.

Remediation

Upgrade RHEL:8 krb5-libs to version 0:1.18.2-27.el8_10 or higher.
This issue was patched in RHSA-2024:3268.

References

low severity

Memory Leak

  • Vulnerable module: krb5-libs
  • Introduced through: krb5-libs@1.18.2-14.el8
  • Fixed in: 0:1.18.2-27.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 krb5-libs@1.18.2-14.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream krb5-libs package and not the krb5-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.

Remediation

Upgrade RHEL:8 krb5-libs to version 0:1.18.2-27.el8_10 or higher.
This issue was patched in RHSA-2024:3268.

References

low severity

NULL Pointer Dereference

  • Vulnerable module: libarchive
  • Introduced through: libarchive@3.3.3-1.el8
  • Fixed in: 0:3.3.3-5.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libarchive@3.3.3-1.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libarchive package and not the libarchive package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

In libarchive before 3.6.2, the software does not check for an error after calling calloc function that can return with a NULL pointer if the function fails, which leads to a resultant NULL pointer dereference. NOTE: the discoverer cites this CWE-476 remark but third parties dispute the code-execution impact: "In rare circumstances, when NULL is equivalent to the 0x0 memory address and privileged code can access it, then writing or reading memory is possible, which may lead to code execution."

Remediation

Upgrade RHEL:8 libarchive to version 0:3.3.3-5.el8 or higher.
This issue was patched in RHSA-2023:3018.

References

low severity

Information Exposure

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.61.1-22.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libcurl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

When asked to both use a .netrc file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances.

This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but the entry either omits just the password or omits both login and password.

Remediation

There is no fixed version for RHEL:8 libcurl.

References

low severity

Use After Free

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.61.1-22.el8
  • Fixed in: 0:7.61.1-30.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libcurl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A use after free vulnerability exists in curl <7.87.0. Curl can be asked to tunnel virtually all protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations. When denied a tunnel for the specific protocols SMB or TELNET, curl would use a heap-allocated struct after it had been freed, in its transfer shutdown code path.

Remediation

Upgrade RHEL:8 libcurl to version 0:7.61.1-30.el8 or higher.
This issue was patched in RHSA-2023:2963.

References

low severity

Buffer Overflow

  • Vulnerable module: libtasn1
  • Introduced through: libtasn1@4.13-3.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libtasn1@4.13-3.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libtasn1 package and not the libtasn1 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Stack-based buffer overflow in libtasn1 version v4.20.0. The function fails to validate the size of input data, resulting in a buffer overflow in asn1_expend_octet_string.

Remediation

There is no fixed version for RHEL:8 libtasn1.

References

low severity

Use After Free

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.7-9.el8_4.2

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libxml2@2.9.7-9.el8_4.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

libxml2 through 2.11.5 has a use-after-free that can only occur after a certain memory allocation fails. This occurs in xmlUnlinkNode in tree.c. NOTE: the vendor's position is "I don't think these issues are critical enough to warrant a CVE ID ... because an attacker typically can't control when memory allocations fail."

Remediation

There is no fixed version for RHEL:8 libxml2.

References

low severity

Improperly Implemented Security Check for Standard

  • Vulnerable module: nss
  • Introduced through: nss@3.67.0-7.el8_5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 nss@3.67.0-7.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream nss package and not the nss package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The Raccoon attack is a timing attack on DHE ciphersuites inherent in the TLS specification. To mitigate this vulnerability, Firefox disabled support for DHE ciphersuites.

Remediation

There is no fixed version for RHEL:8 nss.

References

low severity

Improperly Implemented Security Check for Standard

  • Vulnerable module: nss-softokn
  • Introduced through: nss-softokn@3.67.0-7.el8_5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 nss-softokn@3.67.0-7.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream nss-softokn package and not the nss-softokn package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The Raccoon attack is a timing attack on DHE ciphersuites inherent in the TLS specification. To mitigate this vulnerability, Firefox disabled support for DHE ciphersuites.

Remediation

There is no fixed version for RHEL:8 nss-softokn.

References

low severity

Improperly Implemented Security Check for Standard

  • Vulnerable module: nss-softokn-freebl
  • Introduced through: nss-softokn-freebl@3.67.0-7.el8_5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 nss-softokn-freebl@3.67.0-7.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream nss-softokn-freebl package and not the nss-softokn-freebl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The Raccoon attack is a timing attack on DHE ciphersuites inherent in the TLS specification. To mitigate this vulnerability, Firefox disabled support for DHE ciphersuites.

Remediation

There is no fixed version for RHEL:8 nss-softokn-freebl.

References

low severity

Improperly Implemented Security Check for Standard

  • Vulnerable module: nss-sysinit
  • Introduced through: nss-sysinit@3.67.0-7.el8_5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 nss-sysinit@3.67.0-7.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream nss-sysinit package and not the nss-sysinit package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The Raccoon attack is a timing attack on DHE ciphersuites inherent in the TLS specification. To mitigate this vulnerability, Firefox disabled support for DHE ciphersuites.

Remediation

There is no fixed version for RHEL:8 nss-sysinit.

References

low severity

Improperly Implemented Security Check for Standard

  • Vulnerable module: nss-util
  • Introduced through: nss-util@3.67.0-7.el8_5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 nss-util@3.67.0-7.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream nss-util package and not the nss-util package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The Raccoon attack is a timing attack on DHE ciphersuites inherent in the TLS specification. To mitigate this vulnerability, Firefox disabled support for DHE ciphersuites.

Remediation

There is no fixed version for RHEL:8 nss-util.

References

low severity

Access of Resource Using Incompatible Type ('Type Confusion')

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: A type confusion vulnerability exists in the TimeStamp Response verification code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing a malformed TimeStamp Response file.

Impact summary: An application calling TS_RESP_verify_response() with a malformed TimeStamp Response can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service.

The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2() access the signing cert attribute value without validating its type. When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash.

Exploiting this vulnerability requires an attacker to provide a malformed TimeStamp Response to an application that verifies timestamp responses. The TimeStamp protocol (RFC 3161) is not widely used and the impact of the exploit is just a Denial of Service. For these reasons the issue was assessed as Low severity.

The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the TimeStamp Response implementation is outside the OpenSSL FIPS module boundary.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

OpenSSL 1.0.2 is not affected by this issue.

Remediation

There is no fixed version for RHEL:8 openssl.

References

low severity
new

Improper Certificate Validation

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue Summary: An error in the callback used to verify the certificate provided in a Root CA key update Certificate Management Protocol (CMP) message response rendered the certificate validation ineffectual, which could lead to escalation of credentials from the Registration Authority (RA) level to the root Certification Authority (root CA) level.

Impact Summary: The Registration Authority could replace the root CA certificate for the CMP clients with an arbitrary root CA certificate.

One of the parts of the Certificate Management Protocol (CMP), specified in RFC 9810, is Root Certification Authority (root CA) key Rollover, which is sent by the server in a message with type 'id-it-rootCaKeyUpdate'. As part of these messages, 'newWithOld' certificate, the new root CA certificate signed with the old root CA key, is provided, and verifying its signature is crucial for transferring the trust from the old CA key to the new one.

The 'id-it-rootCaKeyUpdate' messages are expected to be processed with OSSL_CMP_get1_rootCaKeyUpdate(), that is expected to verify the 'newWithOld' certificate. A typo in the certificate chain building code led to adding an incorrect certificate ('newWithOld' instead of 'oldRoot') to the certificate chain, rendering the certificate verification process ineffectual (only the issuer name and the algorithm OIDs were verified by other parts of the verification code).

An attacker who already has credentials that satisfy the CMP message protection checks can generate a new key pair and use a crafted self-signed certificate in its 'id-it-rootCaKeyUpdate' CMP messages which affected CMP clients would accept as a new trust anchor.

Significant preconditions for the attack (having valid RA-level credentials) are the reason the issue was assigned Low severity.

The FIPS modules are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Remediation

There is no fixed version for RHEL:8 openssl.

References

low severity

Improper Certificate Validation

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.

Remediation

There is no fixed version for RHEL:8 openssl.

References

low severity

Improper Handling of Missing Special Element

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: During processing of a crafted CMS EnvelopedData message with KeyAgreeRecipientInfo a NULL pointer dereference can happen.

Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denial of Service.

When a CMS EnvelopedData message that uses KeyAgreeRecipientInfo is processed, the optional parameters field of KeyEncryptionAlgorithmIdentifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing.

Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Remediation

There is no fixed version for RHEL:8 openssl.

References

low severity
new

Improper Validation of Integrity Check Value

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the peer key is not properly checked for the subgroup membership.

Impact summary: A malicious peer which presents an X9.42 key carrying the victim's p and g parameters, a forged q = r (a small prime factor of the cofactor (p−1)/q_local), and a public value Y of order r can recover the victim's private key after a small number of key exchange attempts.

When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the subgroup membership check Y^q ≡ 1 (mod p) is performed using the peer's own q parameter, not the local key's q. The peer's domain parameters are then matched against the domain parameters of the private key, but the value of q is not compared.

A malicious peer who presents an X9.42 key carrying the victim's p, g, a forged q = r (a small prime factor of the cofactor), and a public value Y of order r passes all checks. The shared secret then takes only r distinct values, leaking priv mod r. Repeating for each small-prime factor of the cofactor and combining via CRT recovers the full private key (Lim–Lee / small-subgroup-confinement attack).

The realistic attack surface is narrow: principally CMP deployments with long-lived RA/CA DHX keys and bespoke enterprise or government applications using X9.42 DHX static keys with interactive protocols, and therefore this issue was assigned Low severity.

The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are affected by this issue.

Remediation

There is no fixed version for RHEL:8 openssl.

References

low severity

Improper Validation of Specified Type of Input

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing malformed PKCS#7 data.

Impact summary: An application performing signature verification of PKCS#7 data or calling directly the PKCS7_digest_from_attributes() function can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service.

The function PKCS7_digest_from_attributes() accesses the message digest attribute value without validating its type. When the type is not V_ASN1_OCTET_STRING, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash.

Exploiting this vulnerability requires an attacker to provide a malformed signed PKCS#7 to an application that verifies it. The impact of the exploit is just a Denial of Service; the PKCS7 API is legacy, and applications should be using the CMS API instead. For these reasons the issue was assessed as Low severity.

The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module boundary.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

Remediation

There is no fixed version for RHEL:8 openssl.

References

low severity
new

Incorrect Calculation of Buffer Size

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key unwrap) processes attacker-supplied CMS data, an attacker-chosen stream-mode KEK cipher can trigger a heap out-of-bounds read in kek_unwrap_key().

Impact summary: A heap buffer over-read may trigger a crash which leads to Denial of Service for an application if the input buffer ends at a memory page boundary and the following page is unmapped. There is no information disclosure as the over-read bytes are not revealed to the attacker.

The key unwrapping function performs a check-byte test as specified in the RFC that reads 7 bytes from a heap allocation that is based on the wrapped key length from the message. There is a minimum length check based on the block length of the wrapping cipher. However the cipher is selected from an OID carried in the attacker's PWRI keyEncryptionAlgorithm with no requirement that the cipher be a block cipher. When an attacker selects a stream-mode cipher the guard will be ineffective and the allocated buffer containing the unwrapped key can be too small to fit the check-bytes specified in the RFC and a buffer over-read can happen.

Applications calling CMS_decrypt() or CMS_decrypt_set1_password() (equivalently openssl cms -decrypt -pwri_password ...) on untrusted CMS data are vulnerable to this issue. No password knowledge is required: the over-read happens during the unwrap attempt before any authentication succeeds.

The over-read is limited to a few bytes and is not written to output, so there is no information disclosure. Triggering a crash requires the allocation to border unmapped memory, which is unlikely with the normal allocator.

The FIPS modules are not affected by this issue.

Remediation

There is no fixed version for RHEL:8 openssl.

References

low severity

Information Exposure

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.1.1k-4.el8
  • Fixed in: 1:1.1.1k-14.el8_6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an empty supported client protocols buffer may cause a crash or memory contents to be sent to the peer.

Impact summary: A buffer overread can have a range of potential consequences such as unexpected application behaviour or a crash. In particular this issue could result in up to 255 bytes of arbitrary private data from memory being sent to the peer leading to a loss of confidentiality. However, only applications that directly call the SSL_select_next_proto function with a 0 length list of supported client protocols are affected by this issue. This would normally never be a valid scenario and is typically not under attacker control but may occur by accident in the case of a configuration or programming error in the calling application.

The OpenSSL API function SSL_select_next_proto is typically used by TLS applications that support ALPN (Application Layer Protocol Negotiation) or NPN (Next Protocol Negotiation). NPN is older, was never standardised and is deprecated in favour of ALPN. We believe that ALPN is significantly more widely deployed than NPN. The SSL_select_next_proto function accepts a list of protocols from the server and a list of protocols from the client and returns the first protocol that appears in the server list that also appears in the client list. In the case of no overlap between the two lists it returns the first item in the client list. In either case it will signal whether an overlap between the two lists was found. In the case where SSL_select_next_proto is called with a zero length client list it fails to notice this condition and returns the memory immediately following the client list pointer (and reports that there was no overlap in the lists).

This function is typically called from a server side application callback for ALPN or a client side application callback for NPN. In the case of ALPN the list of protocols supplied by the client is guaranteed by libssl to never be zero in length. The list of server protocols comes from the application and should never normally be expected to be of zero length. In this case if the SSL_select_next_proto function has been called as expected (with the list supplied by the client passed in the client/client_len parameters), then the application will not be vulnerable to this issue. If the application has accidentally been configured with a zero length server list, and has accidentally passed that zero length server list in the client/client_len parameters, and has additionally failed to correctly handle a "no overlap" response (which would normally result in a handshake failure in ALPN) then it will be vulnerable to this problem.

In the case of NPN, the protocol permits the client to opportunistically select a protocol when there is no overlap. OpenSSL returns the first client protocol in the no overlap case in support of this. The list of client protocols comes from the application and should never normally be expected to be of zero length. However if the SSL_select_next_proto function is accidentally called with a client_len of 0 then an invalid memory pointer will be returned instead. If the application uses this output as the opportunistic protocol then the loss of confidentiality will occur.

This issue has been assessed as Low severity because applications are most likely to be vulnerable if they are using NPN instead of ALPN - but NPN is not widely used. It also requires an application configuration or programming error. Finally, this issue would not typically be under attacker control making active exploitation unlikely.

The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.

Due to the low severity of this issue we are not issuing new releases of OpenSSL at this time. The fix will be included in the next releases when they become available.

Remediation

Upgrade RHEL:8 openssl to version 1:1.1.1k-14.el8_6 or higher.
This issue was patched in RHSA-2024:7848.

References

low severity

Information Exposure

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.1.1k-4.el8
  • Fixed in: 1:1.1.1k-12.el8_9

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The openssl_private_decrypt function in PHP, when using PKCS1 padding (OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack unless it is used with an OpenSSL version that includes the changes from this pull request: https://github.com/openssl/openssl/pull/13817 (rsa_pkcs1_implicit_rejection). These changes are part of OpenSSL 3.2 and have also been backported to stable versions of various Linux distributions, as well as to the PHP builds provided for Windows since the previous release. All distributors and builders should ensure that this version is used to prevent PHP from being vulnerable.

PHP Windows builds for the versions 8.1.29, 8.2.20 and 8.3.8 and above include OpenSSL patches that fix the vulnerability.

Remediation

Upgrade RHEL:8 openssl to version 1:1.1.1k-12.el8_9 or higher.
This issue was patched in RHSA-2023:7877.

References

low severity

NULL Pointer Dereference

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: If an application using the SSL_CIPHER_find() function in a QUIC protocol client or server receives an unknown cipher suite from the peer, a NULL dereference occurs.

Impact summary: A NULL pointer dereference leads to abnormal termination of the running process causing Denial of Service.

Some applications call SSL_CIPHER_find() from the client_hello_cb callback on the cipher ID received from the peer. If this is done with an SSL object implementing the QUIC protocol, NULL pointer dereference will happen if the examined cipher ID is unknown or unsupported.

As it is not very common to call this function in applications using the QUIC protocol and the worst outcome is Denial of Service, the issue was assessed as Low severity.

The vulnerable code was introduced in the 3.2 version with the addition of the QUIC protocol support.

The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, as the QUIC implementation is outside the OpenSSL FIPS module boundary.

OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue.

OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue.

Remediation

There is no fixed version for RHEL:8 openssl.

References

low severity

NULL Pointer Dereference

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: When a delta CRL that contains a Delta CRL Indicator extension is processed a NULL pointer dereference might happen if the required CRL Number extension is missing.

Impact summary: A NULL pointer dereference can trigger a crash which leads to a Denial of Service for an application.

When CRL processing and delta CRL processing is enabled during X.509 certificate verification, the delta CRL processing does not check whether the CRL Number extension is NULL before dereferencing it. When a malformed delta CRL file is being processed, this parameter can be NULL, causing a NULL pointer dereference.

Exploiting this issue requires the X509_V_FLAG_USE_DELTAS flag to be enabled in the verification context, the certificate being verified to contain a freshestCRL extension or the base CRL to have the EXFLAG_FRESHEST flag set, and an attacker to provide a malformed CRL to an application that processes it.

The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure. For that reason the issue was assessed as Low severity according to our Security Policy.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Remediation

There is no fixed version for RHEL:8 openssl.

References

low severity

Resource Exhaustion

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems.

Policy processing is disabled by default but can be enabled by passing the '-policy' argument to the command line utilities or by calling the 'X509_VERIFY_PARAM_set1_policies()' function.

Remediation

There is no fixed version for RHEL:8 openssl.

References

low severity

Access of Resource Using Incompatible Type ('Type Confusion')

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl-libs@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: A type confusion vulnerability exists in the TimeStamp Response verification code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing a malformed TimeStamp Response file.

Impact summary: An application calling TS_RESP_verify_response() with a malformed TimeStamp Response can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service.

The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2() access the signing cert attribute value without validating its type. When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash.

Exploiting this vulnerability requires an attacker to provide a malformed TimeStamp Response to an application that verifies timestamp responses. The TimeStamp protocol (RFC 3161) is not widely used and the impact of the exploit is just a Denial of Service. For these reasons the issue was assessed as Low severity.

The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the TimeStamp Response implementation is outside the OpenSSL FIPS module boundary.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

OpenSSL 1.0.2 is not affected by this issue.

Remediation

There is no fixed version for RHEL:8 openssl-libs.

References

low severity
new

Improper Certificate Validation

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl-libs@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue Summary: An error in the callback used to verify the certificate provided in a Root CA key update Certificate Management Protocol (CMP) message response rendered the certificate validation ineffectual, which could lead to escalation of credentials from the Registration Authority (RA) level to the root Certification Authority (root CA) level.

Impact Summary: The Registration Authority could replace the root CA certificate for the CMP clients with an arbitrary root CA certificate.

One of the parts of the Certificate Management Protocol (CMP), specified in RFC 9810, is Root Certification Authority (root CA) key Rollover, which is sent by the server in a message with type 'id-it-rootCaKeyUpdate'. As part of these messages, the 'newWithOld' certificate, the new root CA certificate signed with the old root CA key, is provided, and verifying its signature is crucial for transferring the trust from the old CA key to the new one.

The 'id-it-rootCaKeyUpdate' messages are expected to be processed with OSSL_CMP_get1_rootCaKeyUpdate(), which is expected to verify the 'newWithOld' certificate. A typo in the certificate chain building code led to adding an incorrect certificate ('newWithOld' instead of 'oldRoot') to the certificate chain, rendering the certificate verification process ineffectual (only the issuer name and the algorithm OIDs were verified by other parts of the verification code).

An attacker who already has credentials that satisfy the CMP message protection checks can generate a new key pair and use a crafted self-signed certificate in its 'id-it-rootCaKeyUpdate' CMP messages which affected CMP clients would accept as a new trust anchor.

Significant preconditions for the attack (having valid RA-level credentials) are the reason the issue was assigned Low severity.

The FIPS modules are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Remediation

There is no fixed version for RHEL:8 openssl-libs.

References

low severity

Improper Certificate Validation

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl-libs@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.

Remediation

There is no fixed version for RHEL:8 openssl-libs.

References

low severity

Improper Handling of Missing Special Element

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl-libs@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: During processing of a crafted CMS EnvelopedData message with KeyAgreeRecipientInfo a NULL pointer dereference can happen.

Impact summary: Applications that process attacker-controlled CMS data may crash before authentication or cryptographic operations occur resulting in Denial of Service.

When a CMS EnvelopedData message that uses KeyAgreeRecipientInfo is processed, the optional parameters field of KeyEncryptionAlgorithmIdentifier is examined without checking for its presence. This results in a NULL pointer dereference if the field is missing.

Applications and services that call CMS_decrypt() on untrusted input (e.g., S/MIME processing or CMS-based protocols) are vulnerable.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Remediation

There is no fixed version for RHEL:8 openssl-libs.

References

low severity
new

Improper Validation of Integrity Check Value

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl-libs@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the peer key is not properly checked for the subgroup membership.

Impact summary: A malicious peer which presents an X9.42 key carrying the victim's p and g parameters, a forged q = r (a small prime factor of the cofactor (p−1)/q_local), and a public value Y of order r can recover the victim's private key after a small number of key exchange attempts.

When EVP_PKEY_derive_set_peer() is called with a DHX (X9.42) peer key, the subgroup membership check Y^q ≡ 1 (mod p) is performed using the peer's own q parameter, not the local key's q. The peer's domain parameters are then matched against the domain parameters of the private key, but the value of q is not compared.

A malicious peer who presents an X9.42 key carrying the victim's p, g, a forged q = r (a small prime factor of the cofactor), and a public value Y of order r passes all checks. The shared secret then takes only r distinct values, leaking priv mod r. Repeating for each small-prime factor of the cofactor and combining via CRT recovers the full private key (Lim–Lee / small-subgroup-confinement attack).

The realistic attack surface is narrow: principally CMP deployments with long-lived RA/CA DHX keys and bespoke enterprise or government applications using X9.42 DHX static keys with interactive protocols, and therefore this issue was assigned Low severity.

The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are affected by this issue.

Remediation

There is no fixed version for RHEL:8 openssl-libs.

References

low severity

Improper Validation of Specified Type of Input

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl-libs@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing malformed PKCS#7 data.

Impact summary: An application performing signature verification of PKCS#7 data or calling directly the PKCS7_digest_from_attributes() function can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service.

The function PKCS7_digest_from_attributes() accesses the message digest attribute value without validating its type. When the type is not V_ASN1_OCTET_STRING, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash.

Exploiting this vulnerability requires an attacker to provide a malformed signed PKCS#7 to an application that verifies it. The impact of the exploit is just a Denial of Service; the PKCS7 API is legacy, and applications should be using the CMS API instead. For these reasons the issue was assessed as Low severity.

The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module boundary.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

Remediation

There is no fixed version for RHEL:8 openssl-libs.

References

low severity
new

Incorrect Calculation of Buffer Size

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl-libs@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: When CMS password-based decryption (RFC 3211 / PWRI key unwrap) processes attacker-supplied CMS data, an attacker-chosen stream-mode KEK cipher can trigger a heap out-of-bounds read in kek_unwrap_key().

Impact summary: A heap buffer over-read may trigger a crash which leads to Denial of Service for an application if the input buffer ends at a memory page boundary and the following page is unmapped. There is no information disclosure as the over-read bytes are not revealed to the attacker.

The key unwrapping function performs a check-byte test as specified in the RFC that reads 7 bytes from a heap allocation that is based on the wrapped key length from the message. There is a minimum length check based on the block length of the wrapping cipher. However the cipher is selected from an OID carried in the attacker's PWRI keyEncryptionAlgorithm with no requirement that the cipher be a block cipher. When an attacker selects a stream-mode cipher the guard will be ineffective and the allocated buffer containing the unwrapped key can be too small to fit the check-bytes specified in the RFC and a buffer over-read can happen.

Applications calling CMS_decrypt() or CMS_decrypt_set1_password() (equivalently openssl cms -decrypt -pwri_password ...) on untrusted CMS data are vulnerable to this issue. No password knowledge is required: the over-read happens during the unwrap attempt before any authentication succeeds.

The over-read is limited to a few bytes and is not written to output, so there is no information disclosure. Triggering a crash requires the allocation to border unmapped memory, which is unlikely with the normal allocator.

The FIPS modules are not affected by this issue.

Remediation

There is no fixed version for RHEL:8 openssl-libs.

References

low severity

Information Exposure

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.1.1k-4.el8
  • Fixed in: 1:1.1.1k-14.el8_6

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl-libs@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an empty supported client protocols buffer may cause a crash or memory contents to be sent to the peer.

Impact summary: A buffer overread can have a range of potential consequences such as unexpected application behaviour or a crash. In particular this issue could result in up to 255 bytes of arbitrary private data from memory being sent to the peer leading to a loss of confidentiality. However, only applications that directly call the SSL_select_next_proto function with a 0 length list of supported client protocols are affected by this issue. This would normally never be a valid scenario and is typically not under attacker control but may occur by accident in the case of a configuration or programming error in the calling application.

The OpenSSL API function SSL_select_next_proto is typically used by TLS applications that support ALPN (Application Layer Protocol Negotiation) or NPN (Next Protocol Negotiation). NPN is older, was never standardised and is deprecated in favour of ALPN. We believe that ALPN is significantly more widely deployed than NPN. The SSL_select_next_proto function accepts a list of protocols from the server and a list of protocols from the client and returns the first protocol that appears in the server list that also appears in the client list. In the case of no overlap between the two lists it returns the first item in the client list. In either case it will signal whether an overlap between the two lists was found. In the case where SSL_select_next_proto is called with a zero length client list it fails to notice this condition and returns the memory immediately following the client list pointer (and reports that there was no overlap in the lists).

This function is typically called from a server side application callback for ALPN or a client side application callback for NPN. In the case of ALPN the list of protocols supplied by the client is guaranteed by libssl to never be zero in length. The list of server protocols comes from the application and should never normally be expected to be of zero length. In this case if the SSL_select_next_proto function has been called as expected (with the list supplied by the client passed in the client/client_len parameters), then the application will not be vulnerable to this issue. If the application has accidentally been configured with a zero length server list, and has accidentally passed that zero length server list in the client/client_len parameters, and has additionally failed to correctly handle a "no overlap" response (which would normally result in a handshake failure in ALPN) then it will be vulnerable to this problem.

In the case of NPN, the protocol permits the client to opportunistically select a protocol when there is no overlap. OpenSSL returns the first client protocol in the no overlap case in support of this. The list of client protocols comes from the application and should never normally be expected to be of zero length. However if the SSL_select_next_proto function is accidentally called with a client_len of 0 then an invalid memory pointer will be returned instead. If the application uses this output as the opportunistic protocol then the loss of confidentiality will occur.

This issue has been assessed as Low severity because applications are most likely to be vulnerable if they are using NPN instead of ALPN - but NPN is not widely used. It also requires an application configuration or programming error. Finally, this issue would not typically be under attacker control making active exploitation unlikely.

The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.

Due to the low severity of this issue we are not issuing new releases of OpenSSL at this time. The fix will be included in the next releases when they become available.

Remediation

Upgrade RHEL:8 openssl-libs to version 1:1.1.1k-14.el8_6 or higher.
This issue was patched in RHSA-2024:7848.

References

low severity

Information Exposure

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.1.1k-4.el8
  • Fixed in: 1:1.1.1k-12.el8_9

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl-libs@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The openssl_private_decrypt function in PHP, when using PKCS1 padding (OPENSSL_PKCS1_PADDING, which is the default), is vulnerable to the Marvin Attack unless it is used with an OpenSSL version that includes the changes from this pull request: https://github.com/openssl/openssl/pull/13817 (rsa_pkcs1_implicit_rejection). These changes are part of OpenSSL 3.2 and have also been backported to stable versions of various Linux distributions, as well as to the PHP builds provided for Windows since the previous release. All distributors and builders should ensure that this version is used to prevent PHP from being vulnerable.

PHP Windows builds for the versions 8.1.29, 8.2.20 and 8.3.8 and above include OpenSSL patches that fix the vulnerability.

Remediation

Upgrade RHEL:8 openssl-libs to version 1:1.1.1k-12.el8_9 or higher.
This issue was patched in RHSA-2023:7877.

References

low severity

NULL Pointer Dereference

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl-libs@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: If an application using the SSL_CIPHER_find() function in a QUIC protocol client or server receives an unknown cipher suite from the peer, a NULL dereference occurs.

Impact summary: A NULL pointer dereference leads to abnormal termination of the running process causing Denial of Service.

Some applications call SSL_CIPHER_find() from the client_hello_cb callback on the cipher ID received from the peer. If this is done with an SSL object implementing the QUIC protocol, NULL pointer dereference will happen if the examined cipher ID is unknown or unsupported.

As it is not very common to call this function in applications using the QUIC protocol and the worst outcome is Denial of Service, the issue was assessed as Low severity.

The vulnerable code was introduced in the 3.2 version with the addition of the QUIC protocol support.

The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, as the QUIC implementation is outside the OpenSSL FIPS module boundary.

OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue.

OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue.

Remediation

There is no fixed version for RHEL:8 openssl-libs.

References

low severity

NULL Pointer Dereference

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl-libs@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: When a delta CRL that contains a Delta CRL Indicator extension is processed a NULL pointer dereference might happen if the required CRL Number extension is missing.

Impact summary: A NULL pointer dereference can trigger a crash which leads to a Denial of Service for an application.

When CRL processing and delta CRL processing is enabled during X.509 certificate verification, the delta CRL processing does not check whether the CRL Number extension is NULL before dereferencing it. When a malformed delta CRL file is being processed, this parameter can be NULL, causing a NULL pointer dereference.

Exploiting this issue requires the X509_V_FLAG_USE_DELTAS flag to be enabled in the verification context, the certificate being verified to contain a freshestCRL extension or the base CRL to have the EXFLAG_FRESHEST flag set, and an attacker to provide a malformed CRL to an application that processes it.

The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure. For that reason the issue was assessed as Low severity according to our Security Policy.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Remediation

There is no fixed version for RHEL:8 openssl-libs.

References

low severity

Resource Exhaustion

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl-libs@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems.

Policy processing is disabled by default but can be enabled by passing the '-policy' argument to the command line utilities or by calling the 'X509_VERIFY_PARAM_set1_policies()' function.

Remediation

There is no fixed version for RHEL:8 openssl-libs.

References

low severity

Information Exposure

  • Vulnerable module: avahi-libs
  • Introduced through: avahi-libs@0.7-20.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 avahi-libs@0.7-20.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream avahi-libs package and not the avahi-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

avahi-daemon in Avahi through 0.6.32 and 0.7 inadvertently responds to IPv6 unicast queries with source addresses that are not on-link, which allows remote attackers to cause a denial of service (traffic amplification) and may cause information leakage by obtaining potentially sensitive information from the responding device via port-5353 UDP packets. NOTE: this may overlap CVE-2015-2809.

Remediation

There is no fixed version for RHEL:8 avahi-libs.

References

low severity

Integer Overflow or Wraparound

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: Converting an excessively large OCTET STRING value to a hexadecimal string leads to a heap buffer overflow on 32 bit platforms.

Impact summary: A heap buffer overflow may lead to a crash or possibly an attacker controlled code execution or other undefined behavior.

If an attacker can supply a crafted X.509 certificate with an excessively large OCTET STRING value in extensions such as the Subject Key Identifier (SKID) or Authority Key Identifier (AKID) which are being converted to hex, the size of the buffer needed for the result is calculated as multiplication of the input length by 3. On 32 bit platforms, this multiplication may overflow resulting in the allocation of a smaller buffer and a heap buffer overflow.

Applications and services that print or log contents of untrusted X.509 certificates are vulnerable to this issue. As the certificates would have to have sizes of over 1 Gigabyte, printing or logging such certificates is a fairly unlikely operation and only 32 bit platforms are affected, this issue was assigned Low severity.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Remediation

There is no fixed version for RHEL:8 openssl.

References

low severity

Integer Overflow or Wraparound

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl-libs@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: Converting an excessively large OCTET STRING value to a hexadecimal string leads to a heap buffer overflow on 32 bit platforms.

Impact summary: A heap buffer overflow may lead to a crash or possibly an attacker controlled code execution or other undefined behavior.

If an attacker can supply a crafted X.509 certificate with an excessively large OCTET STRING value in extensions such as the Subject Key Identifier (SKID) or Authority Key Identifier (AKID) which are being converted to hex, the size of the buffer needed for the result is calculated as multiplication of the input length by 3. On 32 bit platforms, this multiplication may overflow resulting in the allocation of a smaller buffer and a heap buffer overflow.

Applications and services that print or log contents of untrusted X.509 certificates are vulnerable to this issue. As the certificates would have to have sizes of over 1 Gigabyte, printing or logging such certificates is a fairly unlikely operation and only 32 bit platforms are affected, this issue was assigned Low severity.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Remediation

There is no fixed version for RHEL:8 openssl-libs.

References

low severity

Use After Free

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: Calling the OpenSSL API function SSL_free_buffers may cause memory to be accessed that was previously freed in some situations.

Impact summary: A use after free can have a range of potential consequences such as the corruption of valid data, crashes or execution of arbitrary code. However, only applications that directly call the SSL_free_buffers function are affected by this issue. Applications that do not call this function are not vulnerable. Our investigations indicate that this function is rarely used by applications.

The SSL_free_buffers function is used to free the internal OpenSSL buffer used when processing an incoming record from the network. The call is only expected to succeed if the buffer is not currently in use. However, two scenarios have been identified where the buffer is freed even when still in use.

The first scenario occurs where a record header has been received from the network and processed by OpenSSL, but the full record body has not yet arrived. In this case calling SSL_free_buffers will succeed even though a record has only been partially processed and the buffer is still in use.

The second scenario occurs where a full record containing application data has been received and processed by OpenSSL but the application has only read part of this data. Again a call to SSL_free_buffers will succeed even though the buffer is still in use.

While these scenarios could occur accidentally during normal operation a malicious attacker could attempt to engineer a situation where this occurs. We are not aware of this issue being actively exploited.

The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.

Remediation

There is no fixed version for RHEL:8 openssl.

References

low severity

Use After Free

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl-libs@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: Calling the OpenSSL API function SSL_free_buffers may cause memory to be accessed that was previously freed in some situations.

Impact summary: A use after free can have a range of potential consequences such as the corruption of valid data, crashes or execution of arbitrary code. However, only applications that directly call the SSL_free_buffers function are affected by this issue. Applications that do not call this function are not vulnerable. Our investigations indicate that this function is rarely used by applications.

The SSL_free_buffers function is used to free the internal OpenSSL buffer used when processing an incoming record from the network. The call is only expected to succeed if the buffer is not currently in use. However, two scenarios have been identified where the buffer is freed even when still in use.

The first scenario occurs where a record header has been received from the network and processed by OpenSSL, but the full record body has not yet arrived. In this case calling SSL_free_buffers will succeed even though a record has only been partially processed and the buffer is still in use.

The second scenario occurs where a full record containing application data has been received and processed by OpenSSL but the application has only read part of this data. Again a call to SSL_free_buffers will succeed even though the buffer is still in use.

While these scenarios could occur accidentally during normal operation a malicious attacker could attempt to engineer a situation where this occurs. We are not aware of this issue being actively exploited.

The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.

Remediation

There is no fixed version for RHEL:8 openssl-libs.

References

low severity

Resource Exhaustion

  • Vulnerable module: libgcc
  • Introduced through: libgcc@8.5.0-4.el8_5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libgcc@8.5.0-4.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream libgcc package and not the libgcc package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.

Remediation

There is no fixed version for RHEL:8 libgcc.

References

low severity

NULL Pointer Dereference

  • Vulnerable module: libjpeg-turbo
  • Introduced through: libjpeg-turbo@1.5.3-12.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libjpeg-turbo@1.5.3-12.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libjpeg-turbo package and not the libjpeg-turbo package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A crafted input file could cause a null pointer dereference in jcopy_sample_rows() when processed by libjpeg-turbo.

Remediation

There is no fixed version for RHEL:8 libjpeg-turbo.

References

low severity

Resource Exhaustion

  • Vulnerable module: libstdc++
  • Introduced through: libstdc++@8.5.0-4.el8_5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libstdc++@8.5.0-4.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream libstdc++ package and not the libstdc++ package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.

Remediation

There is no fixed version for RHEL:8 libstdc++.

References

low severity

Buffer Over-read

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.7-9.el8_4.2

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libxml2@2.9.7-9.el8_4.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c.

Remediation

There is no fixed version for RHEL:8 libxml2.

References

low severity

Improper Preservation of Permissions

  • Vulnerable module: libzstd
  • Introduced through: libzstd@1.4.4-1.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libzstd@1.4.4-1.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libzstd package and not the libzstd package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwards. Output files could therefore momentarily be readable or writable to unintended parties.

Remediation

There is no fixed version for RHEL:8 libzstd.

References

low severity

Out-of-Bounds

  • Vulnerable module: ncurses-base
  • Introduced through: ncurses-base@6.1-9.20180224.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 ncurses-base@6.1-9.20180224.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses-base package and not the ncurses-base package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An issue was discovered in ncurses through v6.2-1. _nc_captoinfo in captoinfo.c has a heap-based buffer overflow.

Remediation

There is no fixed version for RHEL:8 ncurses-base.

References

low severity

Out-of-Bounds

  • Vulnerable module: ncurses-libs
  • Introduced through: ncurses-libs@6.1-9.20180224.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 ncurses-libs@6.1-9.20180224.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses-libs package and not the ncurses-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An issue was discovered in ncurses through v6.2-1. _nc_captoinfo in captoinfo.c has a heap-based buffer overflow.

Remediation

There is no fixed version for RHEL:8 ncurses-libs.

References

low severity

Access of Resource Using Incompatible Type ('Type Confusion')

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: An invalid or NULL pointer dereference can happen in an application processing a malformed PKCS#12 file.

Impact summary: An application processing a malformed PKCS#12 file can be caused to dereference an invalid or NULL pointer on memory read, resulting in a Denial of Service.

A type confusion vulnerability exists in PKCS#12 parsing code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid pointer read.

The location is constrained to a 1-byte address space, meaning any attempted pointer manipulation can only target addresses between 0x00 and 0xFF. This range corresponds to the zero page, which is unmapped on most modern operating systems and will reliably result in a crash, leading only to a Denial of Service. Exploiting this issue also requires a user or application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12 files in applications as they are usually used to store private keys which are trusted by definition. For these reasons, the issue was assessed as Low severity.

The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS12 implementation is outside the OpenSSL FIPS module boundary.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

OpenSSL 1.0.2 is not affected by this issue.

Remediation

There is no fixed version for RHEL:8 openssl.

References

low severity

Improper Validation of Specified Quantity in Input

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: The 'openssl dgst' command-line tool silently truncates input data to 16MB when using one-shot signing algorithms and reports success instead of an error.

Impact summary: A user signing or verifying files larger than 16MB with one-shot algorithms (such as Ed25519, Ed448, or ML-DSA) may believe the entire file is authenticated while trailing data beyond 16MB remains unauthenticated.

When the 'openssl dgst' command is used with algorithms that only support one-shot signing (Ed25519, Ed448, ML-DSA-44, ML-DSA-65, ML-DSA-87), the input is buffered with a 16MB limit. If the input exceeds this limit, the tool silently truncates to the first 16MB and continues without signaling an error, contrary to what the documentation states. This creates an integrity gap where trailing bytes can be modified without detection if both signing and verification are performed using the same affected codepath.

The issue affects only the command-line tool behavior. Verifiers that process the full message using library APIs will reject the signature, so the risk primarily affects workflows that both sign and verify with the affected 'openssl dgst' command. Streaming digest algorithms for 'openssl dgst' and library users are unaffected.

The FIPS modules in 3.5 and 3.6 are not affected by this issue, as the command-line tools are outside the OpenSSL FIPS module boundary.

OpenSSL 3.5 and 3.6 are vulnerable to this issue.

OpenSSL 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are not affected by this issue.

Remediation

There is no fixed version for RHEL:8 openssl.

References

low severity

Integer Overflow or Wraparound

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: A signed integer overflow when sizing the destination buffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap buffer overflow.

Impact summary: A heap buffer overflow may lead to a crash or possibly attacker controlled code execution or other undefined behaviour.

In ASN1_mbstring_copy() and ASN1_mbstring_ncopy() the destination size for Unicode output is computed in a signed int: by left shift of the input character count for BMPSTRING (UTF-16) and UNIVERSALSTRING (UTF-32), and by summing per-character byte counts for UTF8STRING. The calculation overflows when the input reaches around 2^30 characters. In the worst case (UNIVERSALSTRING at 2^30 characters) the size wraps to zero, OPENSSL_malloc(1) is called, and the subsequent character copy writes several gigabytes past the one-byte allocation.

X.509 certificate processing routes through ASN1_STRING_set_by_NID(), whose DIRSTRING_TYPE mask excludes UNIVERSALSTRING and whose per-NID size limits cap the input length; no network protocol or certificate-handling path in OpenSSL exercises the overflow. Triggering the bug requires an application that calls ASN1_mbstring_copy() or ASN1_mbstring_ncopy() directly, or registers a custom string type via ASN1_STRING_TABLE_add(), with attacker-controlled input on the order of half a gigabyte or more. For these reasons this issue was assigned Low severity.

The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Remediation

There is no fixed version for RHEL:8 openssl.

References

low severity

NULL Pointer Dereference

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash, leading to a potential Denial of Service attack.

Impact summary: Applications loading files in the PKCS12 format from untrusted sources might terminate abruptly.

A file in PKCS12 format can contain certificates and keys and may come from an untrusted source. The PKCS12 specification allows certain fields to be NULL, but OpenSSL does not correctly check for this case. This can lead to a NULL pointer dereference that results in OpenSSL crashing. If an application processes PKCS12 files from an untrusted source using the OpenSSL APIs then that application will be vulnerable to this issue.

OpenSSL APIs that are vulnerable to this are: PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes() and PKCS12_newpass().

We have also fixed a similar issue in SMIME_write_PKCS7(). However since this function is related to writing data we do not consider it security significant.

The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.

Remediation

There is no fixed version for RHEL:8 openssl.

References

low severity

Access of Resource Using Incompatible Type ('Type Confusion')

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl-libs@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: An invalid or NULL pointer dereference can happen in an application processing a malformed PKCS#12 file.

Impact summary: An application processing a malformed PKCS#12 file can be caused to dereference an invalid or NULL pointer on memory read, resulting in a Denial of Service.

A type confusion vulnerability exists in PKCS#12 parsing code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid pointer read.

The location is constrained to a 1-byte address space, meaning any attempted pointer manipulation can only target addresses between 0x00 and 0xFF. This range corresponds to the zero page, which is unmapped on most modern operating systems and will reliably result in a crash, leading only to a Denial of Service. Exploiting this issue also requires a user or application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12 files in applications as they are usually used to store private keys which are trusted by definition. For these reasons, the issue was assessed as Low severity.

The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS12 implementation is outside the OpenSSL FIPS module boundary.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

OpenSSL 1.0.2 is not affected by this issue.

Remediation

There is no fixed version for RHEL:8 openssl-libs.

References

low severity

Improper Validation of Specified Quantity in Input

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl-libs@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: The 'openssl dgst' command-line tool silently truncates input data to 16MB when using one-shot signing algorithms and reports success instead of an error.

Impact summary: A user signing or verifying files larger than 16MB with one-shot algorithms (such as Ed25519, Ed448, or ML-DSA) may believe the entire file is authenticated while trailing data beyond 16MB remains unauthenticated.

When the 'openssl dgst' command is used with algorithms that only support one-shot signing (Ed25519, Ed448, ML-DSA-44, ML-DSA-65, ML-DSA-87), the input is buffered with a 16MB limit. If the input exceeds this limit, the tool silently truncates to the first 16MB and continues without signaling an error, contrary to what the documentation states. This creates an integrity gap where trailing bytes can be modified without detection if both signing and verification are performed using the same affected codepath.

The issue affects only the command-line tool behavior. Verifiers that process the full message using library APIs will reject the signature, so the risk primarily affects workflows that both sign and verify with the affected 'openssl dgst' command. Streaming digest algorithms for 'openssl dgst' and library users are unaffected.

The FIPS modules in 3.5 and 3.6 are not affected by this issue, as the command-line tools are outside the OpenSSL FIPS module boundary.

OpenSSL 3.5 and 3.6 are vulnerable to this issue.

OpenSSL 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are not affected by this issue.

Remediation

There is no fixed version for RHEL:8 openssl-libs.

References

low severity
new

Integer Overflow or Wraparound

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl-libs@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: A signed integer overflow when sizing the destination buffer for Unicode output in ASN1_mbstring_ncopy() can lead to a heap buffer overflow.

Impact summary: A heap buffer overflow may lead to a crash or possibly attacker controlled code execution or other undefined behaviour.

In ASN1_mbstring_copy() and ASN1_mbstring_ncopy() the destination size for Unicode output is computed in a signed int: by left shift of the input character count for BMPSTRING (UTF-16) and UNIVERSALSTRING (UTF-32), and by summing per-character byte counts for UTF8STRING. The calculation overflows when the input reaches around 2^30 characters. In the worst case (UNIVERSALSTRING at 2^30 characters) the size wraps to zero, OPENSSL_malloc(1) is called, and the subsequent character copy writes several gigabytes past the one-byte allocation.

X.509 certificate processing routes through ASN1_STRING_set_by_NID(), whose DIRSTRING_TYPE mask excludes UNIVERSALSTRING and whose per-NID size limits cap the input length; no network protocol or certificate-handling path in OpenSSL exercises the overflow. Triggering the bug requires an application that calls ASN1_mbstring_copy() or ASN1_mbstring_ncopy() directly, or registers a custom string type via ASN1_STRING_TABLE_add(), with attacker-controlled input on the order of half a gigabyte or more. For these reasons this issue was assigned Low severity.

The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Remediation

There is no fixed version for RHEL:8 openssl-libs.

References

low severity

NULL Pointer Dereference

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl-libs@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash, leading to a potential Denial of Service attack.

Impact summary: Applications loading files in the PKCS12 format from untrusted sources might terminate abruptly.

A file in PKCS12 format can contain certificates and keys and may come from an untrusted source. The PKCS12 specification allows certain fields to be NULL, but OpenSSL does not correctly check for this case. This can lead to a NULL pointer dereference that results in OpenSSL crashing. If an application processes PKCS12 files from an untrusted source using the OpenSSL APIs then that application will be vulnerable to this issue.

OpenSSL APIs that are vulnerable to this are: PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes() and PKCS12_newpass().

We have also fixed a similar issue in SMIME_write_PKCS7(). However, since this function is related to writing data we do not consider it security significant.

The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.

Remediation

There is no fixed version for RHEL:8 openssl-libs.

References

low severity

Uncontrolled Recursion

  • Vulnerable module: systemd-libs
  • Introduced through: systemd-libs@239-51.el8_5.3

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 systemd-libs@239-51.el8_5.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd-libs package and not the systemd-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in systemd. An uncontrolled recursion in systemd-tmpfiles may lead to a denial of service at boot time when too many nested directories are created in /tmp.

Remediation

There is no fixed version for RHEL:8 systemd-libs.

References

low severity

Out-of-bounds Read

  • Vulnerable module: curl
  • Introduced through: curl@7.61.1-22.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 curl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

libcurl's ASN1 parser code has the GTime2str() function, used for parsing an ASN.1 Generalized Time field. If given a syntactically incorrect field, the parser might end up using -1 for the length of the time fraction, leading to a strlen() getting performed on a pointer to a heap buffer area that is not (purposely) null terminated.

This flaw most likely leads to a crash, but can also lead to heap contents getting returned to the application when CURLINFO_CERTINFO is used.

Remediation

There is no fixed version for RHEL:8 curl.

References

low severity

Out-of-bounds Read

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.61.1-22.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libcurl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

libcurl's ASN1 parser code has the GTime2str() function, used for parsing an ASN.1 Generalized Time field. If given a syntactically incorrect field, the parser might end up using -1 for the length of the time fraction, leading to a strlen() getting performed on a pointer to a heap buffer area that is not (purposely) null terminated.

This flaw most likely leads to a crash, but can also lead to heap contents getting returned to the application when CURLINFO_CERTINFO is used.

Remediation

There is no fixed version for RHEL:8 libcurl.

References

low severity

Resource Exhaustion

  • Vulnerable module: libpng
  • Introduced through: libpng@2:1.6.34-5.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libpng@2:1.6.34-5.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libpng package and not the libpng package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

png_image_free in png.c in libpng 1.6.x before 1.6.37 has a use-after-free because png_image_free_function is called under png_safe_execute.

Remediation

There is no fixed version for RHEL:8 libpng.

References

low severity

Excessive Iteration

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.1.1k-4.el8
  • Fixed in: 1:1.1.1k-12.el8_9

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: Checking excessively long DH keys or parameters may be very slow.

Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service.

The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p.

An application that calls DH_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack.

The function DH_check() is itself called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_ex() and EVP_PKEY_param_check().

Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications when using the "-check" option.

The OpenSSL SSL/TLS implementation is not affected by this issue.

The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

Remediation

Upgrade RHEL:8 openssl to version 1:1.1.1k-12.el8_9 or higher.
This issue was patched in RHSA-2023:7877.

References

low severity

Improper Certificate Validation

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks.

Invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether.

Policy processing is disabled by default but can be enabled by passing the '-policy' argument to the command line utilities or by calling the 'X509_VERIFY_PARAM_set1_policies()' function.

Remediation

There is no fixed version for RHEL:8 openssl.

References

low severity

Missing Required Cryptographic Step

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.1.1k-4.el8
  • Fixed in: 1:1.1.1k-12.el8_9

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow.

Impact summary: Applications that use the functions DH_generate_key() to generate an X9.42 DH key may experience long delays. Likewise, applications that use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service.

While DH_check() performs all the necessary checks (as of CVE-2023-3817), DH_check_pub_key() doesn't make any of these checks, and is therefore vulnerable for excessively large P and Q parameters.

Likewise, while DH_generate_key() performs a check for an excessively large P, it doesn't check for an excessively large Q.

An application that calls DH_generate_key() or DH_check_pub_key() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack.

DH_generate_key() and DH_check_pub_key() are also called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().

Also vulnerable is the OpenSSL pkey command line application when using the "-pubcheck" option, as well as the OpenSSL genpkey command line application.

The OpenSSL SSL/TLS implementation is not affected by this issue.

The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

Remediation

Upgrade RHEL:8 openssl to version 1:1.1.1k-12.el8_9 or higher.
This issue was patched in RHSA-2023:7877.

References

low severity
new

NULL Pointer Dereference

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: An attacker-controlled CMP (Certificate Management Protocol) server could trigger a NULL pointer dereference in a CMP client application.

Impact summary: A NULL pointer dereference causes a crash of the application and a Denial of Service.

An attacker controlling a CMP server (or acting as a man-in-the-middle) could craft a CMP response containing a CRMF (Certificate Request Message Format) CertRepMessage with an EncryptedValue structure where the symmAlg field has an algorithm OID but no parameters field. When the OpenSSL CMP client processes this response, the NULL dereference occurs, causing a crash of the CMP client.

Applications that process untrusted CMP/CRMF messages may be affected.

The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Remediation

There is no fixed version for RHEL:8 openssl.

References

low severity
new

NULL Pointer Dereference

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: A specially crafted password-encrypted CMS message can trigger a NULL pointer dereference during CMS decryption.

Impact summary: This NULL pointer dereference leads to an application crash and a Denial of Service.

The CMS PasswordRecipientInfo.keyDerivationAlgorithm field is defined as OPTIONAL in the ASN.1 specification and may therefore be absent in specially crafted inputs. During the password-based CMS decryption the OpenSSL CMS implementation dereferences this field without first checking whether it was present.

An attacker who supplies such a CMS message to an application performing password-based CMS decryption can trigger an application crash, leading to a Denial of Service.

Applications that process password-encrypted CMS messages may be affected.

The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Remediation

There is no fixed version for RHEL:8 openssl.

References

low severity

Resource Exhaustion

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.1.1k-4.el8
  • Fixed in: 1:1.1.1k-12.el8_9

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: Checking excessively long DH keys or parameters may be very slow.

Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service.

The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus ('p' parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length.

However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large.

An application that calls DH_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack.

The function DH_check() is itself called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_ex() and EVP_PKEY_param_check().

Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications when using the '-check' option.

The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

Remediation

Upgrade RHEL:8 openssl to version 1:1.1.1k-12.el8_9 or higher.
This issue was patched in RHSA-2023:7877.

References

low severity

Excessive Iteration

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.1.1k-4.el8
  • Fixed in: 1:1.1.1k-12.el8_9

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl-libs@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: Checking excessively long DH keys or parameters may be very slow.

Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service.

The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p.

An application that calls DH_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack.

The function DH_check() is itself called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_ex() and EVP_PKEY_param_check().

Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications when using the "-check" option.

The OpenSSL SSL/TLS implementation is not affected by this issue.

The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

Remediation

Upgrade RHEL:8 openssl-libs to version 1:1.1.1k-12.el8_9 or higher.
This issue was patched in RHSA-2023:7877.

References

low severity

Improper Certificate Validation

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl-libs@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks.

Invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether.

Policy processing is disabled by default but can be enabled by passing the '-policy' argument to the command line utilities or by calling the 'X509_VERIFY_PARAM_set1_policies()' function.

Remediation

There is no fixed version for RHEL:8 openssl-libs.

References

low severity

Missing Required Cryptographic Step

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.1.1k-4.el8
  • Fixed in: 1:1.1.1k-12.el8_9

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl-libs@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow.

Impact summary: Applications that use the functions DH_generate_key() to generate an X9.42 DH key may experience long delays. Likewise, applications that use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service.

While DH_check() performs all the necessary checks (as of CVE-2023-3817), DH_check_pub_key() doesn't make any of these checks, and is therefore vulnerable for excessively large P and Q parameters.

Likewise, while DH_generate_key() performs a check for an excessively large P, it doesn't check for an excessively large Q.

An application that calls DH_generate_key() or DH_check_pub_key() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack.

DH_generate_key() and DH_check_pub_key() are also called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().

Also vulnerable is the OpenSSL pkey command line application when using the "-pubcheck" option, as well as the OpenSSL genpkey command line application.

The OpenSSL SSL/TLS implementation is not affected by this issue.

The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

Remediation

Upgrade RHEL:8 openssl-libs to version 1:1.1.1k-12.el8_9 or higher.
This issue was patched in RHSA-2023:7877.

References

low severity
new

NULL Pointer Dereference

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl-libs@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: An attacker-controlled CMP (Certificate Management Protocol) server could trigger a NULL pointer dereference in a CMP client application.

Impact summary: A NULL pointer dereference causes a crash of the application and a Denial of Service.

An attacker controlling a CMP server (or acting as a man-in-the-middle) could craft a CMP response containing a CRMF (Certificate Request Message Format) CertRepMessage with an EncryptedValue structure where the symmAlg field has an algorithm OID but no parameters field. When the OpenSSL CMP client processes this response, the NULL dereference occurs, causing a crash of the CMP client.

Applications that process untrusted CMP/CRMF messages may be affected.

The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Remediation

There is no fixed version for RHEL:8 openssl-libs.

References

low severity
new

NULL Pointer Dereference

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl-libs@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: A specially crafted password-encrypted CMS message can trigger a NULL pointer dereference during CMS decryption.

Impact summary: This NULL pointer dereference leads to an application crash and a Denial of Service.

The CMS PasswordRecipientInfo.keyDerivationAlgorithm field is defined as OPTIONAL in the ASN.1 specification and may therefore be absent in specially crafted inputs. During the password-based CMS decryption the OpenSSL CMS implementation dereferences this field without first checking whether it was present.

An attacker who supplies such a CMS message to an application performing password-based CMS decryption can trigger an application crash, leading to a Denial of Service.

Applications that process password-encrypted CMS messages may be affected.

The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Remediation

There is no fixed version for RHEL:8 openssl-libs.

References

low severity

Resource Exhaustion

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.1.1k-4.el8
  • Fixed in: 1:1.1.1k-12.el8_9

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl-libs@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: Checking excessively long DH keys or parameters may be very slow.

Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service.

The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus ('p' parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length.

However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large.

An application that calls DH_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack.

The function DH_check() is itself called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_ex() and EVP_PKEY_param_check().

Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications when using the '-check' option.

The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.

Remediation

Upgrade RHEL:8 openssl-libs to version 1:1.1.1k-12.el8_9 or higher.
This issue was patched in RHSA-2023:7877.

References

low severity

Integer Overflow or Wraparound

  • Vulnerable module: pcre2
  • Introduced through: pcre2@10.32-2.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 pcre2@10.32-2.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream pcre2 package and not the pcre2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Integer overflow vulnerability in pcre2test before 10.41 allows attackers to cause a denial of service or other unspecified impacts via negative input.

Remediation

There is no fixed version for RHEL:8 pcre2.

References

low severity

NULL Pointer Dereference

  • Vulnerable module: sqlite-libs
  • Introduced through: sqlite-libs@3.26.0-15.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 sqlite-libs@3.26.0-15.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream sqlite-libs package and not the sqlite-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

In SQLite 3.27.2, interleaving reads and writes in a single transaction with an fts5 virtual table will lead to a NULL Pointer Dereference in fts5ChunkIterate in sqlite3.c. This is related to ext/fts5/fts5_hash.c and ext/fts5/fts5_index.c.

Remediation

There is no fixed version for RHEL:8 sqlite-libs.

References

low severity
new

Integer Overflow or Wraparound

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: Parsing a crafted DER-encoded ASN.1 structure with a primitive element whose content exceeds 2 gigabytes in length may cause a heap buffer over-read on 64-bit Unix and Unix-like platforms.

Impact summary: The heap buffer over-read may crash the application (Denial of Service) or load into the decoded ASN.1 object the contents of memory beyond the end of the input buffer. More typically such ASN.1 elements would instead be truncated.

An integer truncation in OpenSSL's ASN.1 decoder causes the content length of an ASN.1 primitive element to be mishandled when it exceeds 2 gigabytes. In the worst case the truncated length is treated as a request to scan the binary content for a terminating zero byte, possibly causing OpenSSL to read either less than or beyond the end of the allocated buffer.

Applications that pass attacker-supplied data to d2i_X509(), d2i_PKCS7(), or any other d2i_* decoding function are affected. OpenSSL's own command-line tools are not vulnerable, as data read through the BIO layer is checked before it reaches the affected code. The issue only affects 64-bit Unix and Unix-like platforms; 32-bit platforms and 64-bit Windows are not affected.

The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Remediation

There is no fixed version for RHEL:8 openssl.

References

low severity
new

Integer Overflow or Wraparound

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl-libs@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: Parsing a crafted DER-encoded ASN.1 structure with a primitive element whose content exceeds 2 gigabytes in length may cause a heap buffer over-read on 64-bit Unix and Unix-like platforms.

Impact summary: The heap buffer over-read may crash the application (Denial of Service) or load into the decoded ASN.1 object the contents of memory beyond the end of the input buffer. More typically such ASN.1 elements would instead be truncated.

An integer truncation in OpenSSL's ASN.1 decoder causes the content length of an ASN.1 primitive element to be mishandled when it exceeds 2 gigabytes. In the worst case the truncated length is treated as a request to scan the binary content for a terminating zero byte, possibly causing OpenSSL to read either less than or beyond the end of the allocated buffer.

Applications that pass attacker-supplied data to d2i_X509(), d2i_PKCS7(), or any other d2i_* decoding function are affected. OpenSSL's own command-line tools are not vulnerable, as data read through the BIO layer is checked before it reaches the affected code. The issue only affects 64-bit Unix and Unix-like platforms; 32-bit platforms and 64-bit Windows are not affected.

The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.

Remediation

There is no fixed version for RHEL:8 openssl-libs.

References

low severity

Race Condition

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A defect was discovered in the Python “ssl” module where there is a memory race condition with the ssl.SSLContext methods “cert_store_stats()” and “get_ca_certs()”. The race condition can be triggered if the methods are called at the same time as certificates are loaded into the SSLContext, such as during the TLS handshake with a certificate directory configured. This issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.

Remediation

There is no fixed version for RHEL:8 platform-python.

References

low severity

Race Condition

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A defect was discovered in the Python “ssl” module where there is a memory race condition with the ssl.SSLContext methods “cert_store_stats()” and “get_ca_certs()”. The race condition can be triggered if the methods are called at the same time as certificates are loaded into the SSLContext, such as during the TLS handshake with a certificate directory configured. This issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.

Remediation

There is no fixed version for RHEL:8 python3-libs.

References

low severity

Arbitrary Code Injection

  • Vulnerable module: libssh
  • Introduced through: libssh@0.9.4-3.el8
  • Fixed in: 0:0.9.6-14.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libssh@0.9.4-3.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh package and not the libssh package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in libssh. By utilizing the ProxyCommand or ProxyJump feature, users can exploit unchecked hostname syntax on the client. This issue may allow an attacker to inject malicious code into the command of the features mentioned through the hostname parameter.

Remediation

Upgrade RHEL:8 libssh to version 0:0.9.6-14.el8 or higher.
This issue was patched in RHSA-2024:3233.

References

low severity

Arbitrary Code Injection

  • Vulnerable module: libssh-config
  • Introduced through: libssh-config@0.9.4-3.el8
  • Fixed in: 0:0.9.6-14.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libssh-config@0.9.4-3.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh-config package and not the libssh-config package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in libssh. By utilizing the ProxyCommand or ProxyJump feature, users can exploit unchecked hostname syntax on the client. This issue may allow an attacker to inject malicious code into the command of the features mentioned through the hostname parameter.

Remediation

Upgrade RHEL:8 libssh-config to version 0:0.9.6-14.el8 or higher.
This issue was patched in RHSA-2024:3233.

References

low severity

Resource Exhaustion

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module.

When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.

Remediation

There is no fixed version for RHEL:8 platform-python.

References

low severity

Resource Exhaustion

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module.

When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.

Remediation

There is no fixed version for RHEL:8 python3-libs.

References

low severity

Authentication Bypass by Primary Weakness

  • Vulnerable module: curl
  • Introduced through: curl@7.61.1-22.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 curl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate using a locally running SSH agent.

Remediation

There is no fixed version for RHEL:8 curl.

References

low severity

Authentication Bypass by Primary Weakness

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.61.1-22.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libcurl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate using a locally running SSH agent.

Remediation

There is no fixed version for RHEL:8 libcurl.

References

low severity

Out-of-Bounds

  • Vulnerable module: ncurses-base
  • Introduced through: ncurses-base@6.1-9.20180224.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 ncurses-base@6.1-9.20180224.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses-base package and not the ncurses-base package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

In ncurses 6.1, there is a NULL pointer dereference at function _nc_parse_entry in parse_entry.c that will lead to a denial of service attack. The product proceeds to the dereference code path even after a "dubious character `*' in name or alias field" detection.

Remediation

There is no fixed version for RHEL:8 ncurses-base.

References

low severity

Out-of-Bounds

  • Vulnerable module: ncurses-libs
  • Introduced through: ncurses-libs@6.1-9.20180224.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 ncurses-libs@6.1-9.20180224.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses-libs package and not the ncurses-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

In ncurses 6.1, there is a NULL pointer dereference at function _nc_parse_entry in parse_entry.c that will lead to a denial of service attack. The product proceeds to the dereference code path even after a "dubious character `*' in name or alias field" detection.

Remediation

There is no fixed version for RHEL:8 ncurses-libs.

References

low severity

Covert Timing Channel

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: A timing side-channel which could potentially allow recovering the private key exists in the ECDSA signature computation.

Impact summary: A timing side-channel in ECDSA signature computations could allow recovering the private key by an attacker. However, measuring the timing would require either local access to the signing application or a very fast network connection with low latency.

There is a timing signal of around 300 nanoseconds when the top word of the inverted ECDSA nonce value is zero. This can happen with significant probability only for some of the supported elliptic curves. In particular the NIST P-521 curve is affected. To be able to measure this leak, the attacker process must either be located in the same physical computer or must have a very fast network connection with low latency. For that reason the severity of this vulnerability is Low.

The FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are affected by this issue.

Remediation

There is no fixed version for RHEL:8 openssl.

References

low severity

Out-of-bounds Write

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: Writing large, newline-free data into a BIO chain using the line-buffering filter where the next BIO performs short writes can trigger a heap-based out-of-bounds write.

Impact summary: This out-of-bounds write can cause memory corruption which typically results in a crash, leading to Denial of Service for an application.

The line-buffering BIO filter (BIO_f_linebuffer) is not used by default in TLS/SSL data paths. In OpenSSL command-line applications, it is typically only pushed onto stdout/stderr on VMS systems. Third-party applications that explicitly use this filter with a BIO chain that can short-write and that write large, newline-free data influenced by an attacker would be affected. However, the circumstances where this could happen are unlikely to be under attacker control, and BIO_f_linebuffer is unlikely to be handling non-curated data controlled by an attacker. For that reason the issue was assessed as Low severity.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the BIO implementation is outside the OpenSSL FIPS module boundary.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

Remediation

There is no fixed version for RHEL:8 openssl.

References

low severity

Covert Timing Channel

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl-libs@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: A timing side-channel which could potentially allow recovering the private key exists in the ECDSA signature computation.

Impact summary: A timing side-channel in ECDSA signature computations could allow recovering the private key by an attacker. However, measuring the timing would require either local access to the signing application or a very fast network connection with low latency.

There is a timing signal of around 300 nanoseconds when the top word of the inverted ECDSA nonce value is zero. This can happen with significant probability only for some of the supported elliptic curves. In particular the NIST P-521 curve is affected. To be able to measure this leak, the attacker process must either be located in the same physical computer or must have a very fast network connection with low latency. For that reason the severity of this vulnerability is Low.

The FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are affected by this issue.

Remediation

There is no fixed version for RHEL:8 openssl-libs.

References

low severity

Out-of-bounds Write

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl-libs@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: Writing large, newline-free data into a BIO chain using the line-buffering filter where the next BIO performs short writes can trigger a heap-based out-of-bounds write.

Impact summary: This out-of-bounds write can cause memory corruption which typically results in a crash, leading to Denial of Service for an application.

The line-buffering BIO filter (BIO_f_linebuffer) is not used by default in TLS/SSL data paths. In OpenSSL command-line applications, it is typically only pushed onto stdout/stderr on VMS systems. Third-party applications that explicitly use this filter with a BIO chain that can short-write and that write large, newline-free data influenced by an attacker would be affected. However, the circumstances where this could happen are unlikely to be under attacker control, and BIO_f_linebuffer is unlikely to be handling non-curated data controlled by an attacker. For that reason the issue was assessed as Low severity.

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the BIO implementation is outside the OpenSSL FIPS module boundary.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

Remediation

There is no fixed version for RHEL:8 openssl-libs.

References

low severity

Use After Free

  • Vulnerable module: sqlite-libs
  • Introduced through: sqlite-libs@3.26.0-15.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 sqlite-libs@3.26.0-15.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream sqlite-libs package and not the sqlite-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A heap use-after-free issue has been identified in SQLite in the jsonParseAddNodeArray() function in sqlite3.c. This flaw allows a local attacker to leverage a victim to pass specially crafted malicious input to the application, potentially causing a crash and leading to a denial of service.

Remediation

There is no fixed version for RHEL:8 sqlite-libs.

References

low severity

Out-of-bounds Write

  • Vulnerable module: bzip2-libs
  • Introduced through: bzip2-libs@1.0.6-26.el8
  • Fixed in: 0:1.0.6-27.el8_10

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 bzip2-libs@1.0.6-26.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream bzip2-libs package and not the bzip2-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.

Remediation

Upgrade RHEL:8 bzip2-libs to version 0:1.0.6-27.el8_10 or higher.
This issue was patched in RHSA-2024:8922.

References

low severity

Out-of-bounds Read

  • Vulnerable module: file-libs
  • Introduced through: file-libs@5.33-20.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 file-libs@5.33-20.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream file-libs package and not the file-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

do_core_note in readelf.c in libmagic.a in file 5.35 has an out-of-bounds read because memcpy is misused.

Remediation

There is no fixed version for RHEL:8 file-libs.

References

low severity

Out-of-bounds Read

  • Vulnerable module: cups-libs
  • Introduced through: cups-libs@1:2.2.6-40.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 cups-libs@1:2.2.6-40.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream cups-libs package and not the cups-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. Prior to 2.4.17, a network-adjacent attacker can send a crafted SNMP response to the CUPS SNMP backend that causes an out-of-bounds read of up to 176 bytes past a stack buffer. The leaked memory is converted from UTF-16 to UTF-8 and stored as printer supply description strings, which are subsequently visible to authenticated users via IPP Get-Printer-Attributes responses and the CUPS web interface. This vulnerability is fixed in 2.4.17.

Remediation

There is no fixed version for RHEL:8 cups-libs.

References

low severity

Improper Input Validation

  • Vulnerable module: libarchive
  • Introduced through: libarchive@3.3.3-1.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libarchive@3.3.3-1.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libarchive package and not the libarchive package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

libarchive version commit 9693801580c0cf7c70e862d305270a16b52826a7 onwards (release v3.2.0 onwards) contains a CWE-20: Improper Input Validation vulnerability in the WARC parser - libarchive/archive_read_support_format_warc.c, _warc_read() - that can result in DoS: quasi-infinite run time and disk usage from a tiny file. This attack appears to be exploitable when the victim opens a specially crafted WARC file.

Remediation

There is no fixed version for RHEL:8 libarchive.

References

low severity

NULL Pointer Dereference

  • Vulnerable module: libarchive
  • Introduced through: libarchive@3.3.3-1.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libarchive@3.3.3-1.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libarchive package and not the libarchive package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

libarchive version commit 379867ecb330b3a952fb7bfa7bffb7bbd5547205 onwards (release v3.3.0 onwards) contains a CWE-476: NULL Pointer Dereference vulnerability in the ACL parser - libarchive/archive_acl.c, archive_acl_from_text_l() - that can result in Crash/DoS. This attack appears to be exploitable when the victim opens a specially crafted archive file.

Remediation

There is no fixed version for RHEL:8 libarchive.

References

low severity

Improper Handling of Highly Compressed Data (Data Amplification)

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource consumption) via a ZIP bomb.

Remediation

There is no fixed version for RHEL:8 platform-python.

References

low severity

Improper Handling of Highly Compressed Data (Data Amplification)

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource consumption) via a ZIP bomb.

Remediation

There is no fixed version for RHEL:8 python3-libs.
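The two zipfile entries above (platform-python and python3-libs) describe the same flaw: zipfile trusts the sizes an archive declares and will inflate a few kilobytes into gigabytes on request. Whether or not the interpreter in the image is patched, an application that extracts untrusted archives should bound that work itself. The Python below is an added example, not CPython code and not part of the Keycloak image. It applies two checks: first the expansion ratio and total size declared in the central directory (cheap, but those headers are attacker-controlled), then a hard cap on the bytes the decompressor actually produces, so an archive that lies about its sizes still cannot exhaust disk or memory. The sample archive is constructed in memory, and the limit values are arbitrary defaults I chose for the example.

```python
import io
import zipfile

MiB = 1024 * 1024


class ZipBombError(ValueError):
    """Raised when an archive would expand beyond the configured limits."""


def build_sample_zip(size: int = 4 * MiB) -> bytes:
    """Constructed sample: one member of `size` zero bytes; deflate shrinks it roughly 1000x."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("zeros.bin", b"\0" * size)
    return buf.getvalue()


def inspect_members(data: bytes, max_ratio: float = 100.0, max_total: int = 256 * MiB) -> int:
    """First check: the sizes declared in the central directory.

    Rejects any member whose declared expansion ratio exceeds max_ratio and any
    archive whose declared total exceeds max_total. Returns the declared total.
    These numbers come from the archive, so this check alone is not enough.
    """
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.compress_size and info.file_size / info.compress_size > max_ratio:
                raise ZipBombError(
                    f"{info.filename}: declared ratio "
                    f"{info.file_size / info.compress_size:.0f}:1 exceeds {max_ratio}")
            total += info.file_size
            if total > max_total:
                raise ZipBombError(f"declared total {total} bytes exceeds {max_total}")
    return total


def extract_bounded(data: bytes, max_total: int = 256 * MiB, chunk: int = 64 * 1024) -> dict:
    """Second check: count what the decompressor really emits.

    Streams each member through zf.open() in chunks and aborts as soon as the
    running total passes max_total, so a header that under-reports its size
    cannot get around the limit. Returns {member name: bytes produced}.
    """
    produced = 0
    sizes = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            written = 0
            with zf.open(info) as member:
                while True:
                    block = member.read(chunk)
                    if not block:
                        break
                    written += len(block)
                    produced += len(block)
                    if produced > max_total:
                        raise ZipBombError(
                            f"aborted in {info.filename}: output passed {max_total} bytes")
                    # A real extractor would write `block` to its destination file here.
            sizes[info.filename] = written
    return sizes


def is_zip_bomb(data: bytes, max_ratio: float = 100.0, max_total: int = 256 * MiB) -> bool:
    """Combined verdict: True if either check trips."""
    try:
        inspect_members(data, max_ratio, max_total)
        extract_bounded(data, max_total)
    except ZipBombError:
        return True
    return False
```

The ratio check is what catches the classic single-layer bomb quickly; the byte counter is what matters for correctness, because `file_size` and `compress_size` in the central directory are just integers the attacker wrote. Nested archives (a zip inside a zip) need the same limit applied at every level of unpacking.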

References

low severity

Out-of-Bounds

  • Vulnerable module: elfutils-libelf
  • Introduced through: elfutils-libelf@0.185-1.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 elfutils-libelf@0.185-1.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream elfutils-libelf package and not the elfutils-libelf package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

elfutils v0.189 was discovered to contain a NULL pointer dereference via the handle_verdef() function at readelf.c.

Remediation

There is no fixed version for RHEL:8 elfutils-libelf.

References

low severity

Inappropriate Encoding for Output Context

  • Vulnerable module: glibc
  • Introduced through: glibc@2.28-164.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification.

Remediation

There is no fixed version for RHEL:8 glibc.

References

low severity

Inappropriate Encoding for Output Context

  • Vulnerable module: glibc-common
  • Introduced through: glibc-common@2.28-164.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-common@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-common package and not the glibc-common package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification.

Remediation

There is no fixed version for RHEL:8 glibc-common.

References

low severity

Inappropriate Encoding for Output Context

  • Vulnerable module: glibc-langpack-en
  • Introduced through: glibc-langpack-en@2.28-164.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-langpack-en@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-langpack-en package and not the glibc-langpack-en package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification.

Remediation

There is no fixed version for RHEL:8 glibc-langpack-en.

References

low severity

Inappropriate Encoding for Output Context

  • Vulnerable module: glibc-minimal-langpack
  • Introduced through: glibc-minimal-langpack@2.28-164.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glibc-minimal-langpack@2.28-164.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc-minimal-langpack package and not the glibc-minimal-langpack package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification.

Remediation

There is no fixed version for RHEL:8 glibc-minimal-langpack.
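The libssh entries earlier on this page (unchecked hostname syntax reaching ProxyCommand or ProxyJump) and the four glibc entries above (gethostbyaddr returning a name that violates the DNS specification) share one mitigation on the calling side: validate any hostname that arrived from a config file, a user or a reverse lookup before it is spliced into a command line or trusted as an identity. The Python below is an added example, not libssh, glibc, OpenSSH or Keycloak code. It enforces RFC 1123 label syntax and shows a ProxyCommand-style template being expanded into an argv list only after the host passes; the `%h`/`%p` placeholders follow ssh_config convention, and the function names and sample inputs are my own.

```python
import re
import shlex

# RFC 1123 label: letters, digits and hyphens, no leading or trailing hyphen, 1 to 63 characters.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_hostname(name: str) -> bool:
    """Strict hostname check: ASCII labels joined by dots, at most 253 characters in total.

    Rejects the empty string, control bytes, shell metacharacters, a leading '-'
    (which would read as an option), underscores and over-long labels. Apply it
    both to names from configuration or user input and to names that a reverse
    DNS lookup hands back.
    """
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def expand_proxy_command(template: str, host: str, port: int) -> list:
    """Expand %h and %p in a ProxyCommand-style template into an argv list.

    The host is validated before substitution, so a value such as "bastion;id"
    or "-oProxyCommand=..." never reaches the command. The result is a list for
    subprocess.run(argv) with shell=False, not a string handed to sh -c.
    """
    if not is_valid_hostname(host):
        raise ValueError(f"refusing to use hostname {host!r} in ProxyCommand")
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return [tok.replace("%h", host).replace("%p", str(port)) for tok in shlex.split(template)]
```

Two points worth keeping separate: the validator closes the injection path even when the downstream consumer does run a shell, and building an argv list instead of a shell string removes the shell from the picture entirely. Doing both is the usual defence in depth, and neither depends on the resolver or the SSH library having been patched.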

References

low severity

Improper Input Validation

  • Vulnerable module: libtasn1
  • Introduced through: libtasn1@4.13-3.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libtasn1@4.13-3.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libtasn1 package and not the libtasn1 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

GNU libtasn1 versions 4.13 and 4.12 contain a DoS: CPU usage reaches 100% when running asn1Parser against the PoC, due to an issue in _asn1_expand_object_id(p_tree); after a long time the program will be killed. This attack appears to be exploitable via parsing a crafted file.

Remediation

There is no fixed version for RHEL:8 libtasn1.

References

low severity

Missing Required Cryptographic Step

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: When using the low-level OCB API directly with AES-NI or other hardware-accelerated code paths, inputs whose length is not a multiple of 16 bytes can leave the final partial block unencrypted and unauthenticated.

Impact summary: The trailing 1-15 bytes of a message may be exposed in cleartext on encryption and are not covered by the authentication tag, allowing an attacker to read or tamper with those bytes without detection.

The low-level OCB encrypt and decrypt routines in the hardware-accelerated stream path process full 16-byte blocks but do not advance the input/output pointers. The subsequent tail-handling code then operates on the original base pointers, effectively reprocessing the beginning of the buffer while leaving the actual trailing bytes unprocessed. The authentication checksum also excludes the true tail bytes.

However, typical OpenSSL consumers using EVP are not affected because the higher-level EVP and provider OCB implementations split inputs so that full blocks and trailing partial blocks are processed in separate calls, avoiding the problematic code path. Additionally, TLS does not use OCB ciphersuites. The vulnerability only affects applications that call the low-level CRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly with non-block-aligned lengths in a single call on hardware-accelerated builds. For these reasons the issue was assessed as Low severity.

The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as OCB mode is not a FIPS-approved algorithm.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

OpenSSL 1.0.2 is not affected by this issue.

Remediation

There is no fixed version for RHEL:8 openssl.

References

low severity

Missing Required Cryptographic Step

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl-libs@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: When using the low-level OCB API directly with AES-NI or other hardware-accelerated code paths, inputs whose length is not a multiple of 16 bytes can leave the final partial block unencrypted and unauthenticated.

Impact summary: The trailing 1-15 bytes of a message may be exposed in cleartext on encryption and are not covered by the authentication tag, allowing an attacker to read or tamper with those bytes without detection.

The low-level OCB encrypt and decrypt routines in the hardware-accelerated stream path process full 16-byte blocks but do not advance the input/output pointers. The subsequent tail-handling code then operates on the original base pointers, effectively reprocessing the beginning of the buffer while leaving the actual trailing bytes unprocessed. The authentication checksum also excludes the true tail bytes.

However, typical OpenSSL consumers using EVP are not affected because the higher-level EVP and provider OCB implementations split inputs so that full blocks and trailing partial blocks are processed in separate calls, avoiding the problematic code path. Additionally, TLS does not use OCB ciphersuites. The vulnerability only affects applications that call the low-level CRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly with non-block-aligned lengths in a single call on hardware-accelerated builds. For these reasons the issue was assessed as Low severity.

The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as OCB mode is not a FIPS-approved algorithm.

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

OpenSSL 1.0.2 is not affected by this issue.

Remediation

There is no fixed version for RHEL:8 openssl-libs.

References

low severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

If the value passed to os.path.expandvars() is user-controlled, a performance degradation is possible when expanding environment variables.

Remediation

There is no fixed version for RHEL:8 platform-python.

References

low severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

If the value passed to os.path.expandvars() is user-controlled, a performance degradation is possible when expanding environment variables.

Remediation

There is no fixed version for RHEL:8 python3-libs.

References

low severity

Integer Overflow or Wraparound

  • Vulnerable module: libarchive
  • Introduced through: libarchive@3.3.3-1.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libarchive@3.3.3-1.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libarchive package and not the libarchive package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A vulnerability has been identified in the libarchive library. This flaw involves an integer overflow that can be triggered when processing a Web Archive (WARC) file that claims to have more than INT64_MAX - 4 content bytes. An attacker could craft a malicious WARC archive to induce this overflow, potentially leading to unpredictable program behavior, memory corruption, or a denial-of-service condition within applications that process such archives using libarchive. This bug affects libarchive versions prior to 3.8.0.

Remediation

There is no fixed version for RHEL:8 libarchive.

References

low severity

Out-of-bounds Read

  • Vulnerable module: libarchive
  • Introduced through: libarchive@3.3.3-1.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libarchive@3.3.3-1.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libarchive package and not the libarchive package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A vulnerability has been identified in the libarchive library. This flaw can be triggered when file streams are piped into bsdtar, potentially allowing for reading past the end of the file. This out-of-bounds read can lead to unintended consequences, including unpredictable program behavior, memory corruption, or a denial-of-service condition.

Remediation

There is no fixed version for RHEL:8 libarchive.

References

low severity

Directory Traversal

  • Vulnerable module: curl
  • Introduced through: curl@7.61.1-22.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 curl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A path traversal vulnerability exists in the SFTP implementation of curl <8.0.0: the tilde (~) character is wrongly replaced when used as a prefix in the first path element, in addition to its intended use as the first element to indicate a path relative to the user's home directory. Attackers can exploit this flaw to bypass filtering or execute arbitrary code by crafting a path like /~2/foo while accessing a server with a specific user.
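To make the tilde-prefix problem concrete, here is an added example that models the behaviour described above in Python. It is a simplified illustration, not curl's own code, and the home directory /home/alice is an assumed value. The flawed form treats any first path element that begins with ~ as the home directory and glues the rest of the element onto it; the fixed form only honours a first element that is exactly ~. The containment check at the end shows why a prefix-string filter is exactly the kind of filter the flaw bypasses.

```python
# Added illustration of the tilde-prefix flaw; a simplified model, not curl's code.
import posixpath

HOME = "/home/alice"   # assumed home directory of the logged-in SFTP user


def expand_home_flawed(url_path: str, home: str = HOME) -> str:
    """Model of the pre-8.0.0 behaviour: any first element *beginning* with
    '~' is taken to mean the home directory, and whatever follows the tilde
    in that element is concatenated straight onto the home path."""
    if url_path.startswith("/~"):
        return home + url_path[2:]      # "/~2/foo" becomes "/home/alice2/foo"
    return url_path


def expand_home_fixed(url_path: str, home: str = HOME) -> str:
    """Only a first element that is exactly '~' refers to the home directory;
    '~2', '~bob' and similar are left literal for the server to interpret."""
    if url_path == "/~" or url_path.startswith("/~/"):
        return home + url_path[2:]
    return url_path


def confined_to(directory: str, path: str) -> bool:
    """Proper containment check. A plain path.startswith(directory) is the
    filter the flaw slips past: '/home/alice2/foo' starts with '/home/alice'."""
    directory = posixpath.normpath(directory)
    path = posixpath.normpath(path)
    return posixpath.commonpath([directory, path]) == directory
```

With the flawed expansion, /~2/foo resolves to a sibling of the home directory and still passes a prefix filter; the fixed expansion leaves it untouched.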

Remediation

There is no fixed version for RHEL:8 curl.

References

low severity

Origin Validation Error

  • Vulnerable module: curl
  • Introduced through: curl@7.61.1-22.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 curl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Using libcurl, when a custom Host: header is first set for an HTTP request and a second request is subsequently done using the same easy handle but without the custom Host: header set, the second request would use stale information and pass on cookies meant for the first host in the second request, leaking them.

Remediation

There is no fixed version for RHEL:8 curl.

References

low severity

Insufficient Entropy

  • Vulnerable module: expat
  • Introduced through: expat@2.2.5-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 expat@2.2.5-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

libexpat before 2.8.0 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document.

Remediation

There is no fixed version for RHEL:8 expat.

References

low severity

Integer Overflow or Wraparound

  • Vulnerable module: glib2
  • Introduced through: glib2@2.56.4-156.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glib2@2.56.4-156.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glib2 package and not the glib2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in glib. An integer overflow during temporary file creation leads to an out-of-bounds memory access, allowing an attacker to potentially perform path traversal or access private temporary file content by creating symbolic links. This vulnerability allows a local attacker to manipulate file paths and access unauthorized data. The core issue stems from insufficient validation of file path lengths during temporary file operations.

Remediation

There is no fixed version for RHEL:8 glib2.

References

low severity

Integer Overflow or Wraparound

  • Vulnerable module: glib2
  • Introduced through: glib2@2.56.4-156.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glib2@2.56.4-156.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glib2 package and not the glib2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in glib. Missing validation of offset and count parameters in the g_buffered_input_stream_peek() function can lead to an integer overflow during length calculation. When specially crafted values are provided, this overflow results in an incorrect size being passed to memcpy(), triggering a buffer overflow. This can cause application crashes, leading to a Denial of Service (DoS).

Remediation

There is no fixed version for RHEL:8 glib2.

References

low severity

Integer Overflow or Wraparound

  • Vulnerable module: glib2
  • Introduced through: glib2@2.56.4-156.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glib2@2.56.4-156.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glib2 package and not the glib2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in GLib. An integer overflow and buffer under-read occur when parsing a long invalid ISO 8601 timestamp with the g_date_time_new_from_iso8601() function.

Remediation

There is no fixed version for RHEL:8 glib2.

References

low severity

NULL Pointer Dereference

  • Vulnerable module: gnupg2
  • Introduced through: gnupg2@2.2.20-2.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 gnupg2@2.2.20-2.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnupg2 package and not the gnupg2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

In GnuPG before 2.5.17, a long signature packet length causes parse_signature to return success with sig->data[] set to a NULL value, leading to a denial of service (application crash).

Remediation

There is no fixed version for RHEL:8 gnupg2.

References

low severity

Incorrect Behavior Order: Early Validation

  • Vulnerable module: gnutls
  • Introduced through: gnutls@3.6.16-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 gnutls@3.6.16-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls package and not the gnutls package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted Online Certificate Status Protocol (OCSP) response during a TLS handshake. Due to a logic error in how gnutls processes multi-record OCSP responses, a client with OCSP verification enabled may incorrectly accept a revoked server certificate, potentially leading to a compromise of trust.

Remediation

There is no fixed version for RHEL:8 gnutls.

References

low severity
new

Information Exposure

  • Vulnerable module: gnutls
  • Introduced through: gnutls@3.6.16-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 gnutls@3.6.16-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls package and not the gnutls package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in gnutls. The PKCS#7 padding check, performed during decryption, was not constant-time. This timing side-channel could allow a remote attacker to potentially leak sensitive information about the padding bytes through observable timing differences. This vulnerability is a form of information disclosure.
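The gnutls flaw above is about the shape of the check rather than any particular cipher. The following is an added example, not gnutls code, that places a padding check which exits early next to the branch-free form; Python cannot give real constant-time guarantees, so the point is the pattern (every trailing byte inspected, verdict accumulated in an integer, no data-dependent early return) that a C implementation needs. BLOCK is assumed to be the 16-byte AES block size.

```python
# Added example: early-exit PKCS#7 unpadding next to a branch-free check.
BLOCK = 16  # assumed AES block size; a valid PKCS#7 pad length is 1..BLOCK


def _ct_lt(a: int, b: int) -> int:
    """1 if a < b else 0, for 0 <= a, b <= 256, computed without a branch."""
    return ((a - b) >> 8) & 1


def _ct_eq(a: int, b: int) -> int:
    """1 if a == b else 0, for 0 <= a, b < 256, computed without a branch."""
    return (((a ^ b) - 1) >> 8) & 1


def unpad_pkcs7_leaky(data: bytes):
    """What not to do: the loop returns at the first wrong byte, so the time
    taken reveals how many trailing bytes matched the claimed pad value."""
    if not data or len(data) % BLOCK:
        return None
    n = data[-1]
    if n < 1 or n > BLOCK:
        return None
    for b in data[-n:]:
        if b != n:
            return None
    return data[:-n]


def unpad_pkcs7_ct(data: bytes):
    """Branch-free check: all BLOCK trailing bytes are examined whatever the
    claimed pad length, and only the final one-bit verdict reaches control flow."""
    if not data or len(data) % BLOCK:
        return None                                 # length errors are public anyway
    n = data[-1]
    good = _ct_lt(0, n) & _ct_lt(n, BLOCK + 1)      # 1 <= n <= BLOCK
    for i in range(1, BLOCK + 1):
        in_pad = _ct_lt(i, n + 1)                   # byte i from the end belongs to the pad
        matches = _ct_eq(data[-i], n)
        good &= matches | (in_pad ^ 1)              # only pad bytes are required to equal n
    return data[:-n] if good else None
```

Both functions accept and reject the same inputs; the difference is solely in how the rejection is reached.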

Remediation

There is no fixed version for RHEL:8 gnutls.

References

low severity

Directory Traversal

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.61.1-22.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libcurl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A path traversal vulnerability exists in the SFTP implementation of curl <8.0.0: the tilde (~) character is wrongly replaced when used as a prefix in the first path element, in addition to its intended use as the first element to indicate a path relative to the user's home directory. Attackers can exploit this flaw to bypass filtering or execute arbitrary code by crafting a path like /~2/foo while accessing a server with a specific user.

Remediation

There is no fixed version for RHEL:8 libcurl.

References

low severity

Origin Validation Error

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.61.1-22.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libcurl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Using libcurl, when a custom Host: header is first set for an HTTP request and a second request is subsequently done using the same easy handle but without the custom Host: header set, the second request would use stale information and pass on cookies meant for the first host in the second request, leaking them.

Remediation

There is no fixed version for RHEL:8 libcurl.

References

low severity

Unchecked Return Value

  • Vulnerable module: libssh
  • Introduced through: libssh@0.9.4-3.el8
  • Fixed in: 0:0.9.6-14.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libssh@0.9.4-3.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh package and not the libssh package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in libssh's abstraction layer for message digest (MD) operations, which is implemented by the different supported crypto backends. The return values from these operations were not properly checked, which in low-memory situations could cause failures, NULL dereferences, crashes, or use of uninitialized memory as input to the KDF. In that case, non-matching keys result in decryption/integrity failures that terminate the connection.

Remediation

Upgrade RHEL:8 libssh to version 0:0.9.6-14.el8 or higher.
This issue was patched in RHSA-2024:3233.
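Deciding which findings on this page are actionable means comparing the installed EVR (epoch:version-release) against the Fixed in value the way rpm does, not lexically: 0.9.4-3.el8 must sort below 0:0.9.6-14.el8, and 0.9.6-14.el8 above 0.9.6-3.el8. The following is an added example, not Snyk's or Red Hat's code: a Python port of rpm's rpmvercmp() segment comparison plus an EVR split, applied to (package, installed, fixed-in, advisory) tuples taken from the libssh, libssh-config and openssl entries on this page. The EVR split and the handling of a missing release are simplifications assumed for this illustration.

```python
# Added example: rpm-style EVR comparison used to triage the findings on this page.
import re


def _is_segment_char(c: str) -> bool:
    return c in "~^" or (c.isascii() and c.isalnum())


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): numeric segments compare numerically, alpha
    segments lexically, a numeric segment is newer than an alpha one, '~'
    sorts below everything (pre-releases) and '^' sorts above the bare version."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not _is_segment_char(a[i]):   # skip separators
            i += 1
        while j < len(b) and not _is_segment_char(b[j]):
            j += 1
        a_tilde, b_tilde = i < len(a) and a[i] == "~", j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:
            if not a_tilde:
                return 1
            if not b_tilde:
                return -1
            i, j = i + 1, j + 1
            continue
        a_caret, b_caret = i < len(a) and a[i] == "^", j < len(b) and b[j] == "^"
        if a_caret or b_caret:
            if i >= len(a):
                return -1
            if j >= len(b):
                return 1
            if not a_caret:
                return 1
            if not b_caret:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        numeric = a[i].isdigit()
        pattern = r"[0-9]+" if numeric else r"[A-Za-z]+"
        seg_a = re.match(pattern, a[i:]).group(0)
        match_b = re.match(pattern, b[j:])
        if match_b is None:
            return 1 if numeric else -1                    # numeric beats alpha
        seg_b = match_b.group(0)
        i, j = i + len(seg_a), j + len(seg_b)
        if numeric:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):                   # more digits wins
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1                        # leftover characters win


def parse_evr(evr: str):
    """Split 'epoch:version-release'; a missing epoch is 0 and a missing
    release is '' (assumed simplification: '' sorts below any release)."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, sep, release = rest.rpartition("-")
    if not sep:
        version, release = rest, ""
    return epoch, version, release


def evr_cmp(a: str, b: str) -> int:
    for x, y in zip(parse_evr(a), parse_evr(b)):
        r = rpmvercmp(x, y)
        if r:
            return r
    return 0


# (package, installed, fixed-in or None, advisory) copied from entries on this page.
FINDINGS = [
    ("libssh", "0.9.4-3.el8", "0:0.9.6-14.el8", "RHSA-2024:3233"),
    ("libssh", "0.9.4-3.el8", "0:0.9.6-3.el8", "RHSA-2022:2031"),
    ("libssh-config", "0.9.4-3.el8", "0:0.9.6-14.el8", "RHSA-2024:3233"),
    ("libssh-config", "0.9.4-3.el8", "0:0.9.6-3.el8", "RHSA-2022:2031"),
    ("openssl", "1:1.1.1k-4.el8", None, None),
]


def triage(findings):
    """Per package: the lowest version closing every fixable finding, the
    advisories that deliver it, and how many findings have no fix at all."""
    result = {}
    for pkg, installed, fixed_in, advisory in findings:
        entry = result.setdefault(pkg, {"installed": installed, "upgrade_to": None,
                                        "advisories": [], "no_fix": 0})
        if fixed_in is None:
            entry["no_fix"] += 1
        elif evr_cmp(installed, fixed_in) < 0:              # still below the fix
            entry["advisories"].append(advisory)
            if entry["upgrade_to"] is None or evr_cmp(fixed_in, entry["upgrade_to"]) > 0:
                entry["upgrade_to"] = fixed_in
    return result
```

The same evr_cmp() can be run against `rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}'` output from the running container to confirm that a rebuilt image actually crossed the Fixed in threshold rather than trusting the scanner's cached manifest.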

References

low severity

Unchecked Return Value

  • Vulnerable module: libssh-config
  • Introduced through: libssh-config@0.9.4-3.el8
  • Fixed in: 0:0.9.6-14.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libssh-config@0.9.4-3.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh-config package and not the libssh-config package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in libssh's abstraction layer for message digest (MD) operations, which is implemented by the different supported crypto backends. The return values from these operations were not properly checked, which in low-memory situations could cause failures, NULL dereferences, crashes, or use of uninitialized memory as input to the KDF. In that case, non-matching keys result in decryption/integrity failures that terminate the connection.

Remediation

Upgrade RHEL:8 libssh-config to version 0:0.9.6-14.el8 or higher.
This issue was patched in RHSA-2024:3233.

References

low severity

Uncontrolled Recursion

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.7-9.el8_4.2

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libxml2@2.9.7-9.el8_4.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was identified in the RelaxNG parser of libxml2 related to how external schema inclusions are handled. The parser does not enforce a limit on inclusion depth when resolving nested <include> directives. Specially crafted or overly complex schemas can cause excessive recursion during parsing. This may lead to stack exhaustion and application crashes, creating a denial-of-service risk.

Remediation

There is no fixed version for RHEL:8 libxml2.

References

low severity

CVE-2026-28387

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: An uncommon configuration of clients performing DANE TLSA-based server authentication, when paired with uncommon server DANE TLSA records, may result in a use-after-free and/or double-free on the client side.

Impact summary: A use after free can have a range of potential consequences such as the corruption of valid data, crashes or execution of arbitrary code.

However, the issue only affects clients that make use of TLSA records with both the PKIX-TA(0)/PKIX-EE(1) certificate usages and the DANE-TA(2) certificate usage.

By far the most common deployment of DANE is in SMTP MTAs for which RFC7672 recommends that clients treat as 'unusable' any TLSA records that have the PKIX certificate usages. These SMTP (or other similar) clients are not vulnerable to this issue. Conversely, any clients that support only the PKIX usages, and ignore the DANE-TA(2) usage are also not vulnerable.

The client would also need to be communicating with a server that publishes a TLSA RRset with both types of TLSA records.

No FIPS modules are affected by this issue, the problem code is outside the FIPS module boundary.
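The two preconditions above (a client that honours both PKIX-TA(0)/PKIX-EE(1) and DANE-TA(2), and a server that publishes both kinds of record) can be checked on the DNS side. The following is an added example, not OpenSSL's code: a parser for TLSA records in the RFC 6698 presentation format, a check for the mixed-usage RRset shape, and the RFC 7672 filter that treats the PKIX usages as unusable, which is the behaviour that keeps SMTP clients out of the affected path. The RRset and its digests are constructed placeholders for an assumed name _25._tcp.mail.example.com.

```python
# Added example: classify a TLSA RRset for the mixed-usage shape described above.
from dataclasses import dataclass

PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3
USAGE_NAMES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}


@dataclass(frozen=True)
class TLSA:
    usage: int      # certificate usage, 0..3
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching: int   # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes


def parse_tlsa(rdata: str) -> TLSA:
    """Parse 'usage selector matching-type hex...' (RFC 6698 presentation
    format); the hex may be broken across whitespace as zone files often do."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError(f"malformed TLSA rdata: {rdata!r}")
    usage, selector, matching = (int(f) for f in fields[:3])
    for name, value, top in (("usage", usage, 3), ("selector", selector, 1),
                             ("matching type", matching, 2)):
        if not 0 <= value <= top:
            raise ValueError(f"TLSA {name} out of range: {value}")
    data = bytes.fromhex("".join(fields[3:]))
    expected = {1: 32, 2: 64}.get(matching)          # digest lengths for SHA-256/SHA-512
    if expected is not None and len(data) != expected:
        raise ValueError(f"matching type {matching} needs {expected} bytes, got {len(data)}")
    return TLSA(usage, selector, matching, data)


def parse_rrset(lines):
    return [parse_tlsa(line) for line in lines]


def mixes_pkix_and_dane_ta(rrset) -> bool:
    """True when the RRset has the shape that can reach the affected client code:
    at least one PKIX-TA/PKIX-EE record published alongside a DANE-TA record."""
    usages = {r.usage for r in rrset}
    return bool(usages & {PKIX_TA, PKIX_EE}) and DANE_TA in usages


def usable_for_smtp(rrset):
    """RFC 7672 rule: an SMTP client treats PKIX-TA(0)/PKIX-EE(1) as unusable."""
    return [r for r in rrset if r.usage in (DANE_TA, DANE_EE)]


# Constructed RRset for the assumed name _25._tcp.mail.example.com; digests are placeholders.
SAMPLE_RRSET = [
    "1 1 1 " + "11" * 32,
    "2 0 1 " + "22" * 32,
    "3 1 1 " + "33" * 16 + " " + "33" * 16,
]
```

Running the filter first and the shape check second shows why the RFC 7672 behaviour sidesteps the issue: once usages 0 and 1 are dropped, the remaining RRset no longer mixes PKIX with DANE-TA.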

Remediation

There is no fixed version for RHEL:8 openssl.

References

low severity
new

Improper Verification of Cryptographic Signature

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) mishandle the authentication of AAD (Additional Authenticated Data) with an empty ciphertext allowing a forgery of such messages.

Impact summary: An attacker can forge empty messages with arbitrary AAD to the victim's application using these ciphers.

AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) are nonce-misuse-resistant AEAD modes: they accept a key, nonce, optional AAD (bytes that are authenticated but not encrypted), and plaintext, and produce ciphertext plus a 16-byte tag. On decrypt, EVP_DecryptFinal_ex() is documented to return success only if the tag is verified successfully.

In OpenSSL's provider implementation of these ciphers, the expected tag is computed only when the decryption function is invoked with non-empty data. If the caller supplies AAD and then calls EVP_DecryptFinal_ex() without invoking the ciphertext update, which can happen when the received ciphertext length is zero, the tag is never recalculated and still holds its all-zeros value.

When AES-GCM-SIV is used, an attacker who sends arbitrary AAD, empty ciphertext, and all-zeros tag passes authentication under any key they do not know, single-shot. When AES-SIV is used, for mounting the attack it's necessary for the application to reuse the decryption context without resetting the key.

AES-SIV is implemented since OpenSSL 3.0. AES-GCM-SIV is implemented since OpenSSL 3.2.

No protocols implemented in OpenSSL itself (TLS/CMS/PKCS7/HPKE/QUIC) support either AES-GCM-SIV or AES-SIV. To mount an attack, the applications must implement their own protocol and use the EVP interface. Also they must skip the ciphertext update when a message with an empty ciphertext arrives.

The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as these algorithms are not FIPS approved and the affected code is outside the OpenSSL FIPS module boundary.

Remediation

There is no fixed version for RHEL:8 openssl.

References

low severity

Resource Exhaustion

  • Vulnerable module: openssl
  • Introduced through: openssl@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: Some non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions.

Impact summary: An attacker may exploit certain server configurations to trigger unbounded memory growth that would lead to a Denial of Service.

This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is being used (but not if early_data support is also configured and the default anti-replay protection is in use). In this case, under certain conditions, the session cache can get into an incorrect state and it will fail to flush properly as it fills. The session cache will continue to grow in an unbounded manner. A malicious client could deliberately create the scenario for this failure to force a Denial of Service. It may also happen by accident in normal operation.

This issue only affects TLS servers supporting TLSv1.3. It does not affect TLS clients.

The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL 1.0.2 is also not affected by this issue.

Remediation

There is no fixed version for RHEL:8 openssl.

References

low severity

CVE-2026-28387

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl-libs@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: An uncommon configuration of clients performing DANE TLSA-based server authentication, when paired with uncommon server DANE TLSA records, may result in a use-after-free and/or double-free on the client side.

Impact summary: A use after free can have a range of potential consequences such as the corruption of valid data, crashes or execution of arbitrary code.

However, the issue only affects clients that make use of TLSA records with both the PKIX-TA(0)/PKIX-EE(1) certificate usages and the DANE-TA(2) certificate usage.

By far the most common deployment of DANE is in SMTP MTAs for which RFC7672 recommends that clients treat as 'unusable' any TLSA records that have the PKIX certificate usages. These SMTP (or other similar) clients are not vulnerable to this issue. Conversely, any clients that support only the PKIX usages, and ignore the DANE-TA(2) usage are also not vulnerable.

The client would also need to be communicating with a server that publishes a TLSA RRset with both types of TLSA records.

No FIPS modules are affected by this issue, the problem code is outside the FIPS module boundary.

Remediation

There is no fixed version for RHEL:8 openssl-libs.

References

low severity
new

Improper Verification of Cryptographic Signature

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl-libs@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: The implementations of AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) mishandle the authentication of AAD (Additional Authenticated Data) with an empty ciphertext allowing a forgery of such messages.

Impact summary: An attacker can forge empty messages with arbitrary AAD to the victim's application using these ciphers.

AES-SIV (RFC 5297) and AES-GCM-SIV (RFC 8452) are nonce-misuse-resistant AEAD modes: they accept a key, nonce, optional AAD (bytes that are authenticated but not encrypted), and plaintext, and produce ciphertext plus a 16-byte tag. On decrypt, EVP_DecryptFinal_ex() is documented to return success only if the tag is verified successfully.

In OpenSSL's provider implementation of these ciphers, the expected tag is computed only when the decryption function is invoked with non-empty data. If the caller supplies AAD and then calls EVP_DecryptFinal_ex() without invoking the ciphertext update, which can happen when the received ciphertext length is zero, the tag is never recalculated and still holds its all-zeros value.

When AES-GCM-SIV is used, an attacker who sends arbitrary AAD, empty ciphertext, and all-zeros tag passes authentication under any key they do not know, single-shot. When AES-SIV is used, for mounting the attack it's necessary for the application to reuse the decryption context without resetting the key.

AES-SIV is implemented since OpenSSL 3.0. AES-GCM-SIV is implemented since OpenSSL 3.2.

No protocols implemented in OpenSSL itself (TLS/CMS/PKCS7/HPKE/QUIC) support either AES-GCM-SIV or AES-SIV. To mount an attack, the applications must implement their own protocol and use the EVP interface. Also they must skip the ciphertext update when a message with an empty ciphertext arrives.

The FIPS modules in 4.0, 3.6, 3.5, 3.4, and 3.0 are not affected by this issue, as these algorithms are not FIPS approved and the affected code is outside the OpenSSL FIPS module boundary.

Remediation

There is no fixed version for RHEL:8 openssl-libs.

References

low severity

Resource Exhaustion

  • Vulnerable module: openssl-libs
  • Introduced through: openssl-libs@1:1.1.1k-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 openssl-libs@1:1.1.1k-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream openssl-libs package and not the openssl-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Issue summary: Some non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions.

Impact summary: An attacker may exploit certain server configurations to trigger unbounded memory growth that would lead to a Denial of Service.

This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is being used (but not if early_data support is also configured and the default anti-replay protection is in use). In this case, under certain conditions, the session cache can get into an incorrect state and it will fail to flush properly as it fills. The session cache will continue to grow in an unbounded manner. A malicious client could deliberately create the scenario for this failure to force a Denial of Service. It may also happen by accident in normal operation.

This issue only affects TLS servers supporting TLSv1.3. It does not affect TLS clients.

The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL 1.0.2 is also not affected by this issue.

Remediation

There is no fixed version for RHEL:8 openssl-libs.

References

low severity

Use After Free

  • Vulnerable module: libssh
  • Introduced through: libssh@0.9.4-3.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libssh@0.9.4-3.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh package and not the libssh package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A vulnerability was found in libssh, where an uninitialized variable exists under certain conditions in the privatekey_from_file() function. This flaw can be triggered if the file specified by the filename doesn't exist and may lead to possible signing failures or heap corruption.

Remediation

There is no fixed version for RHEL:8 libssh.

References

low severity

Use After Free

  • Vulnerable module: libssh-config
  • Introduced through: libssh-config@0.9.4-3.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libssh-config@0.9.4-3.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh-config package and not the libssh-config package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A vulnerability was found in libssh, where an uninitialized variable exists under certain conditions in the privatekey_from_file() function. This flaw can be triggered if the file specified by the filename doesn't exist and may lead to possible signing failures or heap corruption.

Remediation

There is no fixed version for RHEL:8 libssh-config.

References

low severity

Out-of-bounds Write

  • Vulnerable module: libssh
  • Introduced through: libssh@0.9.4-3.el8
  • Fixed in: 0:0.9.6-3.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libssh@0.9.4-3.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh package and not the libssh package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw has been found in libssh in versions prior to 0.9.6. The SSH protocol keeps track of two shared secrets during the lifetime of the session. One of them is called secret_hash and the other session_id. Initially, both of them are the same, but after key re-exchange, the previous session_id is kept and used as an input to the new secret_hash. Historically, both of these buffers shared a length variable, which worked as long as the buffers were the same. But the key re-exchange operation can also change the key exchange method, which can be based on a hash of a different size, eventually creating a "secret_hash" of a different size than the session_id. This becomes an issue when the session_id memory is zeroed or when it is used again during a second key re-exchange.

Remediation

Upgrade RHEL:8 libssh to version 0:0.9.6-3.el8 or higher.
This issue was patched in RHSA-2022:2031.

References

low severity

Out-of-bounds Write

  • Vulnerable module: libssh-config
  • Introduced through: libssh-config@0.9.4-3.el8
  • Fixed in: 0:0.9.6-3.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libssh-config@0.9.4-3.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh-config package and not the libssh-config package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw has been found in libssh in versions prior to 0.9.6. The SSH protocol keeps track of two shared secrets during the lifetime of the session. One of them is called secret_hash and the other session_id. Initially, both of them are the same, but after key re-exchange, the previous session_id is kept and used as an input to the new secret_hash. Historically, both of these buffers had a shared length variable, which worked as long as these buffers were the same. But the key re-exchange operation can also change the key exchange method, which can be based on a hash of a different size, eventually creating a "secret_hash" of a different size than the session_id has. This becomes an issue when the session_id memory is zeroed or when it is used again during a second key re-exchange.

Remediation

Upgrade RHEL:8 libssh-config to version 0:0.9.6-3.el8 or higher.
This issue was patched in RHSA-2022:2031.

References

low severity

NULL Pointer Dereference

  • Vulnerable module: libarchive
  • Introduced through: libarchive@3.3.3-1.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libarchive@3.3.3-1.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libarchive package and not the libarchive package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A vulnerability was found in libarchive up to 3.7.7. It has been classified as problematic. This affects the function list of the file bsdunzip.c. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Remediation

There is no fixed version for RHEL:8 libarchive.

References

low severity

Integer Overflow or Wraparound

  • Vulnerable module: libgcc
  • Introduced through: libgcc@8.5.0-4.el8_5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libgcc@8.5.0-4.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream libgcc package and not the libgcc package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. simple_object_elf_match in simple-object-elf.c does not check for a zero shstrndx value, leading to an integer overflow and resultant heap-based buffer overflow.

Remediation

There is no fixed version for RHEL:8 libgcc.

References

low severity

Resource Exhaustion

  • Vulnerable module: libgcc
  • Introduced through: libgcc@8.5.0-4.el8_5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libgcc@8.5.0-4.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream libgcc package and not the libgcc package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, has a memory leak via a crafted string, leading to a denial of service (memory consumption), as demonstrated by cxxfilt, a related issue to CVE-2018-12698.

Remediation

There is no fixed version for RHEL:8 libgcc.

References

low severity

Out-of-bounds Write

  • Vulnerable module: libgcrypt
  • Introduced through: libgcrypt@1.8.5-6.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libgcrypt@1.8.5-6.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libgcrypt package and not the libgcrypt package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Libgcrypt before 1.12.2 mishandles Dilithium signing. Writes to a static array lack a bounds check but do not use attacker-controlled data.

Remediation

There is no fixed version for RHEL:8 libgcrypt.

References

low severity

External Control of File Name or Path

  • Vulnerable module: libssh
  • Introduced through: libssh@0.9.4-3.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libssh@0.9.4-3.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh package and not the libssh package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in libssh where it can attempt to open arbitrary files during configuration parsing. A local attacker can exploit this by providing a malicious configuration file or when the system is misconfigured. This vulnerability could lead to a Denial of Service (DoS) by causing the system to try and access dangerous files, such as block devices or large system files, which can disrupt normal operations.

Remediation

There is no fixed version for RHEL:8 libssh.

References

low severity

External Control of File Name or Path

  • Vulnerable module: libssh-config
  • Introduced through: libssh-config@0.9.4-3.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libssh-config@0.9.4-3.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh-config package and not the libssh-config package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in libssh where it can attempt to open arbitrary files during configuration parsing. A local attacker can exploit this by providing a malicious configuration file or when the system is misconfigured. This vulnerability could lead to a Denial of Service (DoS) by causing the system to try and access dangerous files, such as block devices or large system files, which can disrupt normal operations.

Remediation

There is no fixed version for RHEL:8 libssh-config.

References

low severity

Integer Overflow or Wraparound

  • Vulnerable module: libstdc++
  • Introduced through: libstdc++@8.5.0-4.el8_5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libstdc++@8.5.0-4.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream libstdc++ package and not the libstdc++ package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. simple_object_elf_match in simple-object-elf.c does not check for a zero shstrndx value, leading to an integer overflow and resultant heap-based buffer overflow.

Remediation

There is no fixed version for RHEL:8 libstdc++.

References

low severity

Resource Exhaustion

  • Vulnerable module: libstdc++
  • Introduced through: libstdc++@8.5.0-4.el8_5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libstdc++@8.5.0-4.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream libstdc++ package and not the libstdc++ package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, has a memory leak via a crafted string, leading to a denial of service (memory consumption), as demonstrated by cxxfilt, a related issue to CVE-2018-12698.

Remediation

There is no fixed version for RHEL:8 libstdc++.

References

low severity

Directory Traversal

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as open(). The documentation has been updated to clarify this point. There is no vulnerability in the function if following the intended security model.

pkgutil.get_data() did not validate the resource argument as documented, allowing path traversals.

Remediation

There is no fixed version for RHEL:8 platform-python.

References

low severity

Insufficient Logging

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.

Remediation

There is no fixed version for RHEL:8 platform-python.

References

low severity

Directory Traversal

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as open(). The documentation has been updated to clarify this point. There is no vulnerability in the function if following the intended security model.

pkgutil.get_data() did not validate the resource argument as documented, allowing path traversals.

Remediation

There is no fixed version for RHEL:8 python3-libs.

References

low severity

Insufficient Logging

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

The import hook in CPython that handles legacy *.pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire.

Remediation

There is no fixed version for RHEL:8 python3-libs.

References

low severity

Heap-based Buffer Overflow

  • Vulnerable module: sqlite-libs
  • Introduced through: sqlite-libs@3.26.0-15.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 sqlite-libs@3.26.0-15.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream sqlite-libs package and not the sqlite-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

In SQLite 3.27.2, running fts5 prefix queries inside a transaction could trigger a heap-based buffer over-read in fts5HashEntrySort in sqlite3.c, which may lead to an information leak. This is related to ext/fts5/fts5_hash.c.

Remediation

There is no fixed version for RHEL:8 sqlite-libs.

References

low severity

Use of Uninitialized Resource

  • Vulnerable module: sqlite-libs
  • Introduced through: sqlite-libs@3.26.0-15.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 sqlite-libs@3.26.0-15.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream sqlite-libs package and not the sqlite-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An information disclosure issue in the zipfileInflate function in the zipfile extension in SQLite v3.51.1 and earlier allows attackers to obtain heap memory via supplying a crafted ZIP file.

Remediation

There is no fixed version for RHEL:8 sqlite-libs.

References

low severity

Memory Leak

  • Vulnerable module: tar
  • Introduced through: tar@2:1.30-5.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 tar@2:1.30-5.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream tar package and not the tar package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in the src/list.c of tar 1.33 and earlier. This flaw allows an attacker who can submit a crafted input file to tar to cause uncontrolled consumption of memory. The highest threat from this vulnerability is to system availability.

Remediation

There is no fixed version for RHEL:8 tar.

References

low severity

NULL Pointer Dereference

low severity

Stack-based Buffer Overflow

  • Vulnerable module: tar
  • Introduced through: tar@2:1.30-5.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 tar@2:1.30-5.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream tar package and not the tar package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

In GNU tar before 1.35, mishandled extension attributes in a PAX archive can lead to an application crash in xheader.c.

Remediation

There is no fixed version for RHEL:8 tar.

References

low severity

Loop with Unreachable Exit Condition ('Infinite Loop')

  • Vulnerable module: zlib
  • Introduced through: zlib@1.2.11-17.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 zlib@1.2.11-17.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream zlib package and not the zlib package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

zlib before 1.3.2 allows CPU consumption via crc32_combine64 and crc32_combine_gen64 because x2nmodp can do right shifts within a loop that has no termination condition.

Remediation

There is no fixed version for RHEL:8 zlib.

References

low severity

Improper Validation of Syntactic Correctness of Input

  • Vulnerable module: curl
  • Introduced through: curl@7.61.1-22.el8
  • Fixed in: 0:7.61.1-30.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 curl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

When curl is used to retrieve and parse cookies from an HTTP(S) server, it accepts cookies using control codes that, when later sent back to an HTTP server, might make the server return 400 responses, effectively allowing a "sister site" to deny service to all siblings.

Remediation

Upgrade RHEL:8 curl to version 0:7.61.1-30.el8 or higher.
This issue was patched in RHSA-2023:2963.

References

low severity

Improper Validation of Syntactic Correctness of Input

  • Vulnerable module: libcurl
  • Introduced through: libcurl@7.61.1-22.el8
  • Fixed in: 0:7.61.1-30.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libcurl@7.61.1-22.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libcurl package and not the libcurl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

When curl is used to retrieve and parse cookies from an HTTP(S) server, it accepts cookies using control codes that, when later sent back to an HTTP server, might make the server return 400 responses, effectively allowing a "sister site" to deny service to all siblings.

Remediation

Upgrade RHEL:8 libcurl to version 0:7.61.1-30.el8 or higher.
This issue was patched in RHSA-2023:2963.

References

low severity

Memory Leak

  • Vulnerable module: libssh
  • Introduced through: libssh@0.9.4-3.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libssh@0.9.4-3.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh package and not the libssh package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in libssh's handling of key exchange (KEX) processes when a client repeatedly sends incorrect KEX guesses. The library fails to free memory during these rekey operations, which can gradually exhaust system memory. This issue can lead to crashes on the client side, particularly when using libgcrypt, which impacts application stability and availability.

Remediation

There is no fixed version for RHEL:8 libssh.

References

low severity

NULL Pointer Dereference

  • Vulnerable module: libssh
  • Introduced through: libssh@0.9.4-3.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libssh@0.9.4-3.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh package and not the libssh package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in libssh. A malicious SFTP (SSH File Transfer Protocol) server can exploit it by sending a malformed 'longname' field within an SSH_FXP_NAME message during a file listing operation. This missing null check can lead to reading beyond allocated memory on the heap. This can cause unexpected behavior or lead to a denial of service (DoS) due to application crashes.

Remediation

There is no fixed version for RHEL:8 libssh.

References

low severity

Memory Leak

  • Vulnerable module: libssh-config
  • Introduced through: libssh-config@0.9.4-3.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libssh-config@0.9.4-3.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh-config package and not the libssh-config package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in libssh's handling of key exchange (KEX) processes when a client repeatedly sends incorrect KEX guesses. The library fails to free memory during these rekey operations, which can gradually exhaust system memory. This issue can lead to crashes on the client side, particularly when using libgcrypt, which impacts application stability and availability.

Remediation

There is no fixed version for RHEL:8 libssh-config.

References

low severity

NULL Pointer Dereference

  • Vulnerable module: libssh-config
  • Introduced through: libssh-config@0.9.4-3.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libssh-config@0.9.4-3.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh-config package and not the libssh-config package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in libssh. A malicious SFTP (SSH File Transfer Protocol) server can exploit it by sending a malformed 'longname' field within an SSH_FXP_NAME message during a file listing operation. This missing null check can lead to reading beyond allocated memory on the heap. This can cause unexpected behavior or lead to a denial of service (DoS) due to application crashes.

Remediation

There is no fixed version for RHEL:8 libssh-config.

References

low severity

NULL Pointer Dereference

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.7-9.el8_4.2

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libxml2@2.9.7-9.el8_4.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c.

Remediation

There is no fixed version for RHEL:8 libxml2.

References

low severity

Cleartext Transmission of Sensitive Information

  • Vulnerable module: nss
  • Introduced through: nss@3.67.0-7.el8_5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 nss@3.67.0-7.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream nss package and not the nss package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Calling PK11_Encrypt() in NSS using CKM_CHACHA20 and the same buffer for input and output can result in plaintext on an Intel Sandy Bridge processor. In Firefox this only affects the QUIC header protection feature when the connection is using the ChaCha20-Poly1305 cipher suite. The most likely outcome is connection failure, but if the connection persists despite the high packet loss it could be possible for a network observer to identify packets as coming from the same source despite a network path change. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, and Firefox ESR < 128.1.

Remediation

There is no fixed version for RHEL:8 nss.

References

low severity

Cleartext Transmission of Sensitive Information

  • Vulnerable module: nss-softokn
  • Introduced through: nss-softokn@3.67.0-7.el8_5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 nss-softokn@3.67.0-7.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream nss-softokn package and not the nss-softokn package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Calling PK11_Encrypt() in NSS using CKM_CHACHA20 and the same buffer for input and output can result in plaintext on an Intel Sandy Bridge processor. In Firefox this only affects the QUIC header protection feature when the connection is using the ChaCha20-Poly1305 cipher suite. The most likely outcome is connection failure, but if the connection persists despite the high packet loss it could be possible for a network observer to identify packets as coming from the same source despite a network path change. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, and Firefox ESR < 128.1.

Remediation

There is no fixed version for RHEL:8 nss-softokn.

References

low severity

Cleartext Transmission of Sensitive Information

  • Vulnerable module: nss-softokn-freebl
  • Introduced through: nss-softokn-freebl@3.67.0-7.el8_5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 nss-softokn-freebl@3.67.0-7.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream nss-softokn-freebl package and not the nss-softokn-freebl package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Calling PK11_Encrypt() in NSS using CKM_CHACHA20 and the same buffer for input and output can result in plaintext on an Intel Sandy Bridge processor. In Firefox this only affects the QUIC header protection feature when the connection is using the ChaCha20-Poly1305 cipher suite. The most likely outcome is connection failure, but if the connection persists despite the high packet loss it could be possible for a network observer to identify packets as coming from the same source despite a network path change. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, and Firefox ESR < 128.1.

Remediation

There is no fixed version for RHEL:8 nss-softokn-freebl.

References

low severity

Cleartext Transmission of Sensitive Information

  • Vulnerable module: nss-sysinit
  • Introduced through: nss-sysinit@3.67.0-7.el8_5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 nss-sysinit@3.67.0-7.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream nss-sysinit package and not the nss-sysinit package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Calling PK11_Encrypt() in NSS using CKM_CHACHA20 and the same buffer for input and output can result in plaintext on an Intel Sandy Bridge processor. In Firefox this only affects the QUIC header protection feature when the connection is using the ChaCha20-Poly1305 cipher suite. The most likely outcome is connection failure, but if the connection persists despite the high packet loss it could be possible for a network observer to identify packets as coming from the same source despite a network path change. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, and Firefox ESR < 128.1.

Remediation

There is no fixed version for RHEL:8 nss-sysinit.

References

low severity

Cleartext Transmission of Sensitive Information

  • Vulnerable module: nss-util
  • Introduced through: nss-util@3.67.0-7.el8_5

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 nss-util@3.67.0-7.el8_5

NVD Description

Note: Versions mentioned in the description apply only to the upstream nss-util package and not the nss-util package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

Calling PK11_Encrypt() in NSS using CKM_CHACHA20 and the same buffer for input and output can result in plaintext on an Intel Sandy Bridge processor. In Firefox this only affects the QUIC header protection feature when the connection is using the ChaCha20-Poly1305 cipher suite. The most likely outcome is connection failure, but if the connection persists despite the high packet loss it could be possible for a network observer to identify packets as coming from the same source despite a network path change. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, and Firefox ESR < 128.1.

Remediation

There is no fixed version for RHEL:8 nss-util.

References

low severity

Improper Handling of Inconsistent Special Elements

  • Vulnerable module: platform-python
  • Introduced through: platform-python@3.6.8-41.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 platform-python@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream platform-python package and not the platform-python package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

During address list folding, when a separating comma ends up on a folded line and that line is to be unicode-encoded, the separator itself is also unicode-encoded. Expected behavior is that the separating comma remains a plain comma. This can result in the address header being misinterpreted by some mail servers.

Remediation

There is no fixed version for RHEL:8 platform-python.

References

low severity

Improper Handling of Inconsistent Special Elements

  • Vulnerable module: python3-libs
  • Introduced through: python3-libs@3.6.8-41.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 python3-libs@3.6.8-41.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream python3-libs package and not the python3-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

During address list folding, when a separating comma ends up on a folded line and that line is to be unicode-encoded, the separator itself is also unicode-encoded. Expected behavior is that the separating comma remains a plain comma. This can result in the address header being misinterpreted by some mail servers.

Remediation

There is no fixed version for RHEL:8 python3-libs.

References

low severity

Algorithmic Complexity

  • Vulnerable module: expat
  • Introduced through: expat@2.2.5-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 expat@2.2.5-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time.

Remediation

There is no fixed version for RHEL:8 expat.

References

low severity

NULL Pointer Dereference

  • Vulnerable module: expat
  • Introduced through: expat@2.2.5-4.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 expat@2.2.5-4.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data.

Remediation

There is no fixed version for RHEL:8 expat.

References

low severity

Resource Exhaustion

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.7-9.el8_4.2

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libxml2@2.9.7-9.el8_4.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in the libxml2 library. This uncontrolled resource consumption vulnerability occurs when processing XML catalogs that contain repeated <nextCatalog> elements pointing to the same downstream catalog. A remote attacker can exploit this by supplying crafted catalogs, causing the parser to redundantly traverse catalog chains. This leads to excessive CPU consumption and degrades application availability, resulting in a denial-of-service condition.

Remediation

There is no fixed version for RHEL:8 libxml2.

References

low severity

Buffer Underflow

  • Vulnerable module: glib2
  • Introduced through: glib2@2.56.4-156.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 glib2@2.56.4-156.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream glib2 package and not the glib2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in Glib's content type parsing logic. This buffer underflow vulnerability occurs because the length of a header line is stored in a signed integer, which can lead to integer wraparound for very large inputs. This results in pointer underflow and out-of-bounds memory access. Exploitation requires a local user to install or process a specially crafted treemagic file, which can lead to local denial of service or application instability.

Remediation

There is no fixed version for RHEL:8 glib2.

References

low severity

Out-of-bounds Write

  • Vulnerable module: libarchive
  • Introduced through: libarchive@3.3.3-1.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libarchive@3.3.3-1.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libarchive package and not the libarchive package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A vulnerability has been identified in the libarchive library. This flaw involves an 'off-by-one' miscalculation when handling prefixes and suffixes for file names. This can lead to a 1-byte write overflow. While seemingly small, such an overflow can corrupt adjacent memory, leading to unpredictable program behavior, crashes, or in specific circumstances, could be leveraged as a building block for more sophisticated exploitation. This bug affects libarchive versions prior to 3.8.0.

Remediation

There is no fixed version for RHEL:8 libarchive.

References

low severity

Improper Check for Unusual or Exceptional Conditions

  • Vulnerable module: gnupg2
  • Introduced through: gnupg2@2.2.20-2.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 gnupg2@2.2.20-2.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnupg2 package and not the gnupg2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

In GnuPG before 2.5.5, if a user chooses to import a certificate with certain crafted subkey data that lacks a valid backsig or that has incorrect usage flags, the user loses the ability to verify signatures made from certain other signing keys, aka a "verification DoS."

Remediation

There is no fixed version for RHEL:8 gnupg2.

References

low severity

Stack-based Buffer Overflow

  • Vulnerable module: libxml2
  • Introduced through: libxml2@2.9.7-9.el8_4.2

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libxml2@2.9.7-9.el8_4.2

NVD Description

Note: Versions mentioned in the description apply only to the upstream libxml2 package and not the libxml2 package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in the interactive shell of the xmllint command-line tool, used for parsing XML files. When a user inputs an overly long command, the program does not check the input size properly, which can cause it to crash. This issue might allow attackers to run harmful code in rare configurations without modern protections.
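The unchecked command length in an interactive shell, as an added C example that is not libxml2's code: the vulnerable pattern (an unbounded copy of the typed line into a fixed stack buffer) beside a bounded reader that never looks past the buffer size and reports an overlong line instead of truncating it silently, wired into a tiny xmllint-style command dispatcher. The buffer size SHELL_LINE_MAX, the command table and the function names are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Size of the fixed stack buffer the shell reads one command line into.
 * The value is an assumption for this example, not libxml2's. */
#define SHELL_LINE_MAX 500

/* Vulnerable pattern (illustrative, not libxml2's code): the line typed at
 * the prompt is copied into a fixed stack buffer with no length check, so a
 * line of SHELL_LINE_MAX bytes or more writes past the end of cmd. */
void read_command_unchecked(const char *line, char cmd[SHELL_LINE_MAX])
{
    strcpy(cmd, line);
}

/* Hardened reader: never reads or writes beyond cmd_len bytes and reports
 * an overlong line rather than truncating it silently. */
bool read_command_bounded(const char *line, char *cmd, size_t cmd_len)
{
    const char *end = memchr(line, '\0', cmd_len);   /* NUL within bounds? */
    if (end == NULL) {                               /* line too long */
        if (cmd_len > 0)
            cmd[0] = '\0';
        return false;
    }
    memcpy(cmd, line, (size_t)(end - line) + 1);     /* includes the NUL */
    return true;
}

enum shell_cmd {
    CMD_TOO_LONG = -2,
    CMD_UNKNOWN = -1,
    CMD_HELP,
    CMD_LS,
    CMD_CAT,
    CMD_BYE
};

/* Dispatch one input line through the bounded reader.  Returns the command
 * id, CMD_UNKNOWN for an unrecognised word, or CMD_TOO_LONG when the line
 * does not fit the fixed buffer. */
int shell_dispatch(const char *line)
{
    char cmd[SHELL_LINE_MAX];
    if (!read_command_bounded(line, cmd, sizeof cmd))
        return CMD_TOO_LONG;

    size_t n = strcspn(cmd, " \t\n");               /* length of the command word */
    static const struct { const char *name; int id; } table[] = {
        { "help", CMD_HELP }, { "ls", CMD_LS }, { "cat", CMD_CAT }, { "bye", CMD_BYE },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strlen(table[i].name) == n && memcmp(cmd, table[i].name, n) == 0)
            return table[i].id;
    return CMD_UNKNOWN;
}
```

Rejecting the overlong line (rather than truncating it) matters for a shell: a silently shortened "cat /path/to/file" still runs, just against a different path.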

Remediation

There is no fixed version for RHEL:8 libxml2.

References

low severity

Inefficient Regular Expression Complexity

  • Vulnerable module: libssh
  • Introduced through: libssh@0.9.4-3.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libssh@0.9.4-3.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh package and not the libssh package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in libssh. A remote attacker, by controlling client configuration files or known_hosts files, could craft specific hostnames that when processed by the match_pattern() function can lead to inefficient regular expression backtracking. This can cause timeouts and resource exhaustion, resulting in a Denial of Service (DoS) for the client.

Remediation

There is no fixed version for RHEL:8 libssh.

References

low severity

Inefficient Regular Expression Complexity

  • Vulnerable module: libssh-config
  • Introduced through: libssh-config@0.9.4-3.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 libssh-config@0.9.4-3.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream libssh-config package and not the libssh-config package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

A flaw was found in libssh. A remote attacker, by controlling client configuration files or known_hosts files, could craft specific hostnames that when processed by the match_pattern() function can lead to inefficient regular expression backtracking. This can cause timeouts and resource exhaustion, resulting in a Denial of Service (DoS) for the client.
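The backtracking cost described in this entry and in the libssh entry above it, as an added C example that is not libssh's code: a matcher for the ssh-style pattern language ('?' for one character, '*' for any run) written the classic recursive way, where every '*' retries the rest of the pattern from every remaining position, beside an equivalent matcher that remembers only the most recent '*' and runs in time bounded by the product of the two lengths. A step counter makes the difference measurable on a hostname built to defeat the recursive version. The function names and the sample hostnames and patterns are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>

/* Loop-iteration counter so the cost of the two matchers can be compared. */
unsigned long g_steps;

/* Backtracking matcher in the style of the classic ssh match_pattern():
 * '?' matches one character, '*' any run, and on '*' the rest of the pattern
 * is retried recursively from every remaining position of s.  Against a
 * hostname of n characters and a pattern with k stars this does on the order
 * of n^k / k! work when nothing matches.  Illustrative code, not libssh's. */
bool match_recursive(const char *s, const char *p)
{
    for (;;) {
        g_steps++;
        if (*p == '\0')
            return *s == '\0';
        if (*p == '*') {
            while (*p == '*')
                p++;                         /* collapse runs of '*' */
            if (*p == '\0')
                return true;                 /* trailing '*' matches the rest */
            for (; *s != '\0'; s++)
                if (match_recursive(s, p))
                    return true;
            return false;
        }
        if (*s == '\0' || (*p != '?' && *p != *s))
            return false;
        s++;
        p++;
    }
}

/* Same language, bounded backtracking: remember only the most recent '*'
 * and the position in s where it started; on a mismatch let that star absorb
 * one more character and resume.  Cost is O(len(s) * len(p)). */
bool match_linear(const char *s, const char *p)
{
    const char *star = NULL;                 /* last '*' seen in p */
    const char *resume = NULL;               /* position in s that star covers */
    while (*s != '\0') {
        g_steps++;
        if (*p == '*') {
            star = p++;
            resume = s;
        } else if (*p == '?' || *p == *s) {
            s++;
            p++;
        } else if (star != NULL) {
            p = star + 1;
            s = ++resume;
        } else {
            return false;
        }
    }
    while (*p == '*') {                      /* trailing stars match nothing */
        g_steps++;
        p++;
    }
    return *p == '\0';
}

/* Run one matcher with the step counter reset; returns the steps it took. */
unsigned long count_steps(bool (*matcher)(const char *, const char *),
                          const char *s, const char *p, bool *result)
{
    g_steps = 0;
    *result = matcher(s, p);
    return g_steps;
}
```

The hostile input is a hostname of nothing but 'a' against a pattern such as "*a*a*a*a*a*a*b": every star can consume any number of 'a's, the trailing 'b' never matches, and the recursive matcher explores every split before giving up, while the bounded matcher walks the hostname once per star at most.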

Remediation

There is no fixed version for RHEL:8 libssh-config.

References

low severity

Incorrect Default Permissions

  • Vulnerable module: cups-libs
  • Introduced through: cups-libs@1:2.2.6-40.el8

Detailed paths

  • Introduced through: jboss/keycloak@16.1.0 cups-libs@1:2.2.6-40.el8

NVD Description

Note: Versions mentioned in the description apply only to the upstream cups-libs package and not the cups-libs package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

An Incorrect Default Permissions vulnerability in the packaging of cups in SUSE Linux Enterprise Server 11-SP4-LTSS, SUSE Manager Server 4.0, SUSE OpenStack Cloud Crowbar 9, openSUSE Leap 15.2 and openSUSE Factory allows local attackers with control of the lp user to create files as root with 0644 permissions without the ability to set the content. This issue affects: SUSE Linux Enterprise Server 11-SP4-LTSS cups versions prior to 1.3.9. SUSE Manager Server 4.0 cups versions prior to 2.2.7. SUSE OpenStack Cloud Crowbar 9 cups versions prior to 1.7.5. openSUSE Leap 15.2 cups versions prior to 2.2.7. openSUSE Factory cups version 2.3.3op2-2.1 and prior versions.

Remediation

There is no fixed version for RHEL:8 cups-libs.

References