{
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "A flaw was found in Keycloak's OIDC component in the \"checkLoginIframe,\" which allows unvalidated cross-origin messages. This flaw allows attackers to coordinate and send millions of requests in seconds using simple code, significantly impacting the application's availability without proper origin validation for incoming messages.",
      },
      {
         lang: "es",
         value: "Se encontró una falla en el componente OIDC de Keycloak en \"checkLoginIframe\", que permite mensajes de origen cruzado no validados. Esta falla permite a los atacantes coordinar y enviar millones de solicitudes en segundos usando un código simple, lo que afecta significativamente la disponibilidad de la aplicación sin una validación adecuada del origen de los mensajes entrantes.",
      },
   ],
   id: "CVE-2024-1249",
   lastModified: "2024-11-21T08:50:09.153",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "HIGH",
               baseScore: 7.4,
               baseSeverity: "HIGH",
               confidentialityImpact: "NONE",
               integrityImpact: "NONE",
               privilegesRequired: "NONE",
               scope: "CHANGED",
               userInteraction: "REQUIRED",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H",
               version: "3.1",
            },
            exploitabilityScore: 2.8,
            impactScore: 4,
            source: "secalert@redhat.com",
            type: "Secondary",
         },
      ],
   },
   published: "2024-04-17T14:15:08.160",
   references: [
      {
         source: "secalert@redhat.com",
         url: "https://access.redhat.com/errata/RHSA-2024:1860",
      },
      {
         source: "secalert@redhat.com",
         url: "https://access.redhat.com/errata/RHSA-2024:1861",
      },
      {
         source: "secalert@redhat.com",
         url: "https://access.redhat.com/errata/RHSA-2024:1862",
      },
      {
         source: "secalert@redhat.com",
         url: "https://access.redhat.com/errata/RHSA-2024:1864",
      },
      {
         source: "secalert@redhat.com",
         url: "https://access.redhat.com/errata/RHSA-2024:1866",
      },
      {
         source: "secalert@redhat.com",
         url: "https://access.redhat.com/errata/RHSA-2024:1867",
      },
      {
         source: "secalert@redhat.com",
         url: "https://access.redhat.com/errata/RHSA-2024:1868",
      },
      {
         source: "secalert@redhat.com",
         url: "https://access.redhat.com/errata/RHSA-2024:2945",
      },
      {
         source: "secalert@redhat.com",
         url: "https://access.redhat.com/errata/RHSA-2024:4057",
      },
      {
         source: "secalert@redhat.com",
         url: "https://access.redhat.com/security/cve/CVE-2024-1249",
      },
      {
         source: "secalert@redhat.com",
         url: "https://bugzilla.redhat.com/show_bug.cgi?id=2262918",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://access.redhat.com/errata/RHSA-2024:1860",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://access.redhat.com/errata/RHSA-2024:1861",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://access.redhat.com/errata/RHSA-2024:1862",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://access.redhat.com/errata/RHSA-2024:1864",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://access.redhat.com/errata/RHSA-2024:1866",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://access.redhat.com/errata/RHSA-2024:1867",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://access.redhat.com/errata/RHSA-2024:1868",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://access.redhat.com/errata/RHSA-2024:2945",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://access.redhat.com/errata/RHSA-2024:4057",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://access.redhat.com/security/cve/CVE-2024-1249",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://bugzilla.redhat.com/show_bug.cgi?id=2262918",
      },
   ],
   sourceIdentifier: "secalert@redhat.com",
   vulnStatus: "Awaiting Analysis",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-346",
            },
         ],
         source: "secalert@redhat.com",
         type: "Secondary",
      },
   ],
}

{
   document: {
      aggregate_severity: {
         namespace: "https://access.redhat.com/security/updates/classification/",
         text: "Important",
      },
      category: "csaf_security_advisory",
      csaf_version: "2.0",
      distribution: {
         text: "Copyright © Red Hat, Inc. All rights reserved.",
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "en",
      notes: [
         {
            category: "summary",
            text: "A security update is now available for Red Hat Single Sign-On 7.6 from the Customer Portal.\n\nThis is an enhancement and security update with Important impact rating and\npackage name 'rh-sso7-keycloak'. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.",
            title: "Topic",
         },
         {
            category: "general",
            text: "Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak\nproject, that provides authentication and standards-based single sign-on\ncapabilities for web and mobile applications.\n\nThis release of Red Hat Single Sign-On 7.6.8 serves as a replacement for Red Hat Single Sign-On 7.6.7, and includes bug fixes, security updates and\nenhancements which are linked to in the References.\n\nSecurity Fix(es):\n\n* Authorization Bypass (CVE-2023-6544)\n* Log Injection during WebAuthn authentication or registration (CVE-2023-6484)\n* path transversal in redirection validation (CVE-2024-1132)\n* unvalidated cross-origin messages in checkLoginIframe leads to DDoS (CVE-2024-1249)\n* undertow: Out-of-memory Error after several closed connections with wildfly-http-client protocol (CVE-2024-1635)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, and other related information, refer to the CVE page(s) listed in the\nReferences section.",
            title: "Details",
         },
         {
            category: "legal_disclaimer",
            text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
            title: "Terms of Use",
         },
      ],
      publisher: {
         category: "vendor",
         contact_details: "https://access.redhat.com/security/team/contact/",
         issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
         name: "Red Hat Product Security",
         namespace: "https://www.redhat.com",
      },
      references: [
         {
            category: "self",
            summary: "https://access.redhat.com/errata/RHSA-2024:1866",
            url: "https://access.redhat.com/errata/RHSA-2024:1866",
         },
         {
            category: "external",
            summary: "https://access.redhat.com/security/updates/classification/#important",
            url: "https://access.redhat.com/security/updates/classification/#important",
         },
         {
            category: "external",
            summary: "2248423",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2248423",
         },
         {
            category: "external",
            summary: "2253116",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2253116",
         },
         {
            category: "external",
            summary: "2262117",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2262117",
         },
         {
            category: "external",
            summary: "2262918",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2262918",
         },
         {
            category: "external",
            summary: "2264928",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2264928",
         },
         {
            category: "self",
            summary: "Canonical URL",
            url: "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_1866.json",
         },
      ],
      title: "Red Hat Security Advisory: Red Hat Single Sign-On 7.6.8 security update",
      tracking: {
         current_release_date: "2024-12-27T14:18:28+00:00",
         generator: {
            date: "2024-12-27T14:18:28+00:00",
            engine: {
               name: "Red Hat SDEngine",
               version: "4.2.4",
            },
         },
         id: "RHSA-2024:1866",
         initial_release_date: "2024-04-16T20:04:32+00:00",
         revision_history: [
            {
               date: "2024-04-16T20:04:32+00:00",
               number: "1",
               summary: "Initial version",
            },
            {
               date: "2024-04-16T20:04:32+00:00",
               number: "2",
               summary: "Last updated version",
            },
            {
               date: "2024-12-27T14:18:28+00:00",
               number: "3",
               summary: "Last generated version",
            },
         ],
         status: "final",
         version: "3",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_name",
                        name: "RHSSO 7.6.8",
                        product: {
                           name: "RHSSO 7.6.8",
                           product_id: "RHSSO 7.6.8",
                           product_identification_helper: {
                              cpe: "cpe:/a:redhat:red_hat_single_sign_on:7.6",
                           },
                        },
                     },
                  ],
                  category: "product_family",
                  name: "Red Hat Single Sign-On",
               },
            ],
            category: "vendor",
            name: "Red Hat",
         },
      ],
   },
   vulnerabilities: [
      {
         acknowledgments: [
            {
               names: [
                  "Johannes Bergmann",
               ],
               organization: "Bosch",
            },
         ],
         cve: "CVE-2023-3597",
         cwe: {
            id: "CWE-287",
            name: "Improper Authentication",
         },
         discovery_date: "2023-07-10T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2221760",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in Keycloak, where it does not correctly validate its client step-up authentication in org.keycloak.authentication. This flaw allows a remote user authenticated with a password to register a false second authentication factor along with an existing one and bypass authentication.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "keycloak: secondary factor bypass in step-up authentication",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "Note that exploitation of this flaw requires several factors to be successful. The attacker must already have valid credentials within the system, without which there is no vulnerability, and the application must be configured to use the step-up flow, which is the only aspect of authentication bypassed by this flaw; the name and password restriction function as expected. Further, the impact effects of this flaw are limited to user-level and do not affect the system as a whole. For this reason, Red Hat Product Security has assessed this flaw to be Moderate security impact.",
               title: "Statement",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHSSO 7.6.8",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2023-3597",
            },
            {
               category: "external",
               summary: "RHBZ#2221760",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2221760",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2023-3597",
               url: "https://www.cve.org/CVERecord?id=CVE-2023-3597",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-3597",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2023-3597",
            },
         ],
         release_date: "2024-04-15T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2024-04-16T20:04:32+00:00",
               details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
               product_ids: [
                  "RHSSO 7.6.8",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2024:1866",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "HIGH",
                  attackVector: "NETWORK",
                  availabilityImpact: "LOW",
                  baseScore: 5,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "LOW",
                  integrityImpact: "LOW",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
                  version: "3.1",
               },
               products: [
                  "RHSSO 7.6.8",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "keycloak: secondary factor bypass in step-up authentication",
      },
      {
         cve: "CVE-2023-6484",
         cwe: {
            id: "CWE-117",
            name: "Improper Output Neutralization for Logs",
         },
         discovery_date: "2023-11-06T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2248423",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A log injection flaw was found in Keycloak. A text string may be injected through the authentication form when using the WebAuthn authentication mode. This issue may have a minor impact to the logs integrity.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "keycloak: Log Injection during WebAuthn authentication or registration",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHSSO 7.6.8",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2023-6484",
            },
            {
               category: "external",
               summary: "RHBZ#2248423",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2248423",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2023-6484",
               url: "https://www.cve.org/CVERecord?id=CVE-2023-6484",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-6484",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2023-6484",
            },
         ],
         release_date: "2023-12-04T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2024-04-16T20:04:32+00:00",
               details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
               product_ids: [
                  "RHSSO 7.6.8",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2024:1866",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 5.3,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "NONE",
                  integrityImpact: "LOW",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                  version: "3.1",
               },
               products: [
                  "RHSSO 7.6.8",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Low",
            },
         ],
         title: "keycloak: Log Injection during WebAuthn authentication or registration",
      },
      {
         acknowledgments: [
            {
               names: [
                  "Bastian Kanbach",
               ],
               organization: "Secure Systems DE [bastian.kanbach@securesystems.de]",
            },
         ],
         cve: "CVE-2023-6544",
         cwe: {
            id: "CWE-625",
            name: "Permissive Regular Expression",
         },
         discovery_date: "2023-12-06T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2253116",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in the Keycloak package. This issue occurs due to a permissive regular expression hardcoded for filtering which allows hosts to register a dynamic client. A malicious user with enough information about the environment could jeopardize an environment with this specific Dynamic Client Registration and TrustedDomain configuration previously unauthorized.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "keycloak: Authorization Bypass",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "Due to the high complexity of this attack, Red Hat considers this a Moderate impact.",
               title: "Statement",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHSSO 7.6.8",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2023-6544",
            },
            {
               category: "external",
               summary: "RHBZ#2253116",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2253116",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2023-6544",
               url: "https://www.cve.org/CVERecord?id=CVE-2023-6544",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-6544",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2023-6544",
            },
         ],
         release_date: "2024-04-16T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2024-04-16T20:04:32+00:00",
               details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
               product_ids: [
                  "RHSSO 7.6.8",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2024:1866",
            },
            {
               category: "workaround",
               details: "No mitigation is currently available for this flaw.",
               product_ids: [
                  "RHSSO 7.6.8",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 5.4,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "LOW",
                  integrityImpact: "LOW",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
                  version: "3.1",
               },
               products: [
                  "RHSSO 7.6.8",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "keycloak: Authorization Bypass",
      },
      {
         acknowledgments: [
            {
               names: [
                  "Axel Flamcourt",
               ],
            },
         ],
         cve: "CVE-2024-1132",
         cwe: {
            id: "CWE-22",
            name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
         },
         discovery_date: "2024-01-31T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2262117",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to construct a malicious request to bypass validation and access other URLs and sensitive information within the domain or conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field, and requires user interaction within the malicious URL.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "keycloak: path transversal in redirection validation",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "Red Hat Build of Quarkus is not impacted as this CVE affects the server-side Keycloak execution, but Quarkus only acts as a Keycloak client in its quarkus-keycloak-authorization extension. For this reason, Quarkus is marked as having a Low impact.",
               title: "Statement",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHSSO 7.6.8",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2024-1132",
            },
            {
               category: "external",
               summary: "RHBZ#2262117",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2262117",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2024-1132",
               url: "https://www.cve.org/CVERecord?id=CVE-2024-1132",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-1132",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2024-1132",
            },
         ],
         release_date: "2024-04-16T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2024-04-16T20:04:32+00:00",
               details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
               product_ids: [
                  "RHSSO 7.6.8",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2024:1866",
            },
            {
               category: "workaround",
               details: "No current mitigation is available for this vulnerability.",
               product_ids: [
                  "RHSSO 7.6.8",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 8.1,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
                  version: "3.1",
               },
               products: [
                  "RHSSO 7.6.8",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Important",
            },
         ],
         title: "keycloak: path transversal in redirection validation",
      },
      {
         acknowledgments: [
            {
               names: [
                  "Adriano Márcio Monteiro",
               ],
            },
         ],
         cve: "CVE-2024-1249",
         cwe: {
            id: "CWE-346",
            name: "Origin Validation Error",
         },
         discovery_date: "2024-02-06T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2262918",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in Keycloak's OIDC component in the \"checkLoginIframe,\" which allows unvalidated cross-origin messages. This flaw allows attackers to coordinate and send millions of requests in seconds using simple code, significantly impacting the application's availability without proper origin validation for incoming messages.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "keycloak: org.keycloak.protocol.oidc: unvalidated cross-origin messages in checkLoginIframe leads to DDoS",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "The vulnerability in Keycloak's OIDC component allowing unvalidated cross-origin messages in the \"checkLoginIframe\" function represents an important severity issue due to its potential to cause significant disruption and resource exhaustion. Exploitation of this flaw can lead to a Denial of Service (DoS) condition, where malicious actors can overwhelm the server with a high volume of requests, impacting availability for legitimate users. The absence of proper origin validation means attackers can exploit this weakness relatively easily, leveraging automated scripts to flood the server within seconds.",
               title: "Statement",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHSSO 7.6.8",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2024-1249",
            },
            {
               category: "external",
               summary: "RHBZ#2262918",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2262918",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2024-1249",
               url: "https://www.cve.org/CVERecord?id=CVE-2024-1249",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-1249",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2024-1249",
            },
         ],
         release_date: "2024-04-16T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2024-04-16T20:04:32+00:00",
               details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
               product_ids: [
                  "RHSSO 7.6.8",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2024:1866",
            },
            {
               category: "workaround",
               details: "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
               product_ids: [
                  "RHSSO 7.6.8",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 7.4,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "CHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H",
                  version: "3.1",
               },
               products: [
                  "RHSSO 7.6.8",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Important",
            },
         ],
         title: "keycloak: org.keycloak.protocol.oidc: unvalidated cross-origin messages in checkLoginIframe leads to DDoS",
      },
      {
         cve: "CVE-2024-1635",
         cwe: {
            id: "CWE-400",
            name: "Uncontrolled Resource Consumption",
         },
         discovery_date: "2024-02-19T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2264928",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A vulnerability was found in Undertow. This vulnerability impacts a server that supports the wildfly-http-client protocol. Whenever a malicious user opens and closes a connection with the HTTP port of the server and then closes the connection immediately, the server will end with both memory and open file limits exhausted at some point, depending on the amount of memory available. \r\n\r\nAt HTTP upgrade to remoting, the WriteTimeoutStreamSinkConduit leaks connections if RemotingConnection is closed by Remoting ServerConnectionOpenListener. Because the remoting connection originates in Undertow as part of the HTTP upgrade, there is an external layer to the remoting connection. This connection is unaware of the outermost layer when closing the connection during the connection opening procedure. Hence, the Undertow WriteTimeoutStreamSinkConduit is not notified of the closed connection in this scenario. Because WriteTimeoutStreamSinkConduit creates a timeout task, the whole dependency tree leaks via that task, which is added to XNIO WorkerThread. So, the workerThread points to the Undertow conduit, which contains the connections and causes the leak.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "undertow: Out-of-memory Error after several closed connections with wildfly-http-client protocol",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "This is rated as Important due to the fact that this might be an unauthenticated remote issue exploited by a malicious user, causing a denial of service (DoS) to the affected server.",
               title: "Statement",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "RHSSO 7.6.8",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2024-1635",
            },
            {
               category: "external",
               summary: "RHBZ#2264928",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2264928",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2024-1635",
               url: "https://www.cve.org/CVERecord?id=CVE-2024-1635",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-1635",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2024-1635",
            },
         ],
         release_date: "2023-10-27T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2024-04-16T20:04:32+00:00",
               details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
               product_ids: [
                  "RHSSO 7.6.8",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2024:1866",
            },
            {
               category: "workaround",
               details: "No mitigation is currently available for this vulnerability. However, there might be some protections, such as request limits by a load balancer in front of JBoss EAP/Wildfly or even Undertow, that could minimize the impact.",
               product_ids: [
                  "RHSSO 7.6.8",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  version: "3.1",
               },
               products: [
                  "RHSSO 7.6.8",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Important",
            },
         ],
         title: "undertow: Out-of-memory Error after several closed connections with wildfly-http-client protocol",
      },
   ],
}

{
   document: {
      aggregate_severity: {
         namespace: "https://access.redhat.com/security/updates/classification/",
         text: "Important",
      },
      category: "csaf_security_advisory",
      csaf_version: "2.0",
      distribution: {
         text: "Copyright © Red Hat, Inc. All rights reserved.",
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "en",
      notes: [
         {
            category: "summary",
            text: "A new image is available for Red Hat Single Sign-On 7.6.8, running on OpenShift Container Platform 3.10 and 3.11, and 4.3.\n\nThis is an enhancement and security update with Important impact rating and\npackage name 'rh-sso7-keycloak'. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.",
            title: "Topic",
         },
         {
            category: "general",
            text: "Red Hat Single Sign-On is an integrated sign-on solution, available as a\nRed Hat JBoss Middleware for OpenShift containerized image. The Red Hat\nSingle Sign-On for OpenShift image provides an authentication server that\nyou can use to log in centrally, log out, and register. You can also manage\nuser accounts for web applications, mobile applications, and RESTful web\nservices.\n\nSecurity Fix(es):\n\n* Authorization Bypass (CVE-2023-6544)\n* Log Injection during WebAuthn authentication or registration (CVE-2023-6484)\n* path transversal in redirection validation (CVE-2024-1132)\n* unvalidated cross-origin messages in checkLoginIframe leads to DDoS (CVE-2024-1249)\n* undertow: Out-of-memory Error after several closed connections with wildfly-http-client protocol (CVE-2024-1635)\n\nThis erratum releases a new image for Red Hat Single Sign-On 7.6.8 for\nuse within the OpenShift Container Platform 3.10, OpenShift Container Platform\n3.11, and within the OpenShift Container Platform 4.3 cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments, aligning with the standalone product release.",
            title: "Details",
         },
         {
            category: "legal_disclaimer",
            text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
            title: "Terms of Use",
         },
      ],
      publisher: {
         category: "vendor",
         contact_details: "https://access.redhat.com/security/team/contact/",
         issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
         name: "Red Hat Product Security",
         namespace: "https://www.redhat.com",
      },
      references: [
         {
            category: "self",
            summary: "https://access.redhat.com/errata/RHSA-2024:1864",
            url: "https://access.redhat.com/errata/RHSA-2024:1864",
         },
         {
            category: "external",
            summary: "https://access.redhat.com/security/updates/classification/#important",
            url: "https://access.redhat.com/security/updates/classification/#important",
         },
         {
            category: "external",
            summary: "2248423",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2248423",
         },
         {
            category: "external",
            summary: "2253116",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2253116",
         },
         {
            category: "external",
            summary: "2262117",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2262117",
         },
         {
            category: "external",
            summary: "2262918",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2262918",
         },
         {
            category: "external",
            summary: "2264928",
            url: "https://bugzilla.redhat.com/show_bug.cgi?id=2264928",
         },
         {
            category: "self",
            summary: "Canonical URL",
            url: "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_1864.json",
         },
      ],
      title: "Red Hat Security Advisory: Red Hat Single Sign-On 7.6.8 for OpenShift image enhancement and security update",
      tracking: {
         current_release_date: "2024-12-23T11:01:16+00:00",
         generator: {
            date: "2024-12-23T11:01:16+00:00",
            engine: {
               name: "Red Hat SDEngine",
               version: "4.2.4",
            },
         },
         id: "RHSA-2024:1864",
         initial_release_date: "2024-04-16T19:54:17+00:00",
         revision_history: [
            {
               date: "2024-04-16T19:54:17+00:00",
               number: "1",
               summary: "Initial version",
            },
            {
               date: "2024-04-16T19:54:17+00:00",
               number: "2",
               summary: "Last updated version",
            },
            {
               date: "2024-12-23T11:01:16+00:00",
               number: "3",
               summary: "Last generated version",
            },
         ],
         status: "final",
         version: "3",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_name",
                        name: "Middleware Containers for OpenShift",
                        product: {
                           name: "Middleware Containers for OpenShift",
                           product_id: "8Base-RHOSE-Middleware",
                           product_identification_helper: {
                              cpe: "cpe:/a:redhat:rhosemc:1.0::el8",
                           },
                        },
                     },
                  ],
                  category: "product_family",
                  name: "Red Hat OpenShift Enterprise",
               },
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "rh-sso-7/sso76-openshift-rhel8@sha256:b666f093f22ef27811114cca95c20aed890d4f3342116ab990d084cb2627d8cf_ppc64le",
                        product: {
                           name: "rh-sso-7/sso76-openshift-rhel8@sha256:b666f093f22ef27811114cca95c20aed890d4f3342116ab990d084cb2627d8cf_ppc64le",
                           product_id: "rh-sso-7/sso76-openshift-rhel8@sha256:b666f093f22ef27811114cca95c20aed890d4f3342116ab990d084cb2627d8cf_ppc64le",
                           product_identification_helper: {
                              purl: "pkg:oci/sso76-openshift-rhel8@sha256:b666f093f22ef27811114cca95c20aed890d4f3342116ab990d084cb2627d8cf?arch=ppc64le&repository_url=registry.redhat.io/rh-sso-7/sso76-openshift-rhel8&tag=7.6-46",
                           },
                        },
                     },
                  ],
                  category: "architecture",
                  name: "ppc64le",
               },
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "rh-sso-7/sso76-openshift-rhel8@sha256:1909db8bc47fdb4f6512e08fb21ec1457f64fa0abf8edf2530f5bf5a494d9b6d_amd64",
                        product: {
                           name: "rh-sso-7/sso76-openshift-rhel8@sha256:1909db8bc47fdb4f6512e08fb21ec1457f64fa0abf8edf2530f5bf5a494d9b6d_amd64",
                           product_id: "rh-sso-7/sso76-openshift-rhel8@sha256:1909db8bc47fdb4f6512e08fb21ec1457f64fa0abf8edf2530f5bf5a494d9b6d_amd64",
                           product_identification_helper: {
                              purl: "pkg:oci/sso76-openshift-rhel8@sha256:1909db8bc47fdb4f6512e08fb21ec1457f64fa0abf8edf2530f5bf5a494d9b6d?arch=amd64&repository_url=registry.redhat.io/rh-sso-7/sso76-openshift-rhel8&tag=7.6-46",
                           },
                        },
                     },
                  ],
                  category: "architecture",
                  name: "amd64",
               },
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "rh-sso-7/sso76-openshift-rhel8@sha256:1f842e8f262ece6cd98941fd29562251e19479eb4f4ba7cbd8e9a3bfa79325f0_s390x",
                        product: {
                           name: "rh-sso-7/sso76-openshift-rhel8@sha256:1f842e8f262ece6cd98941fd29562251e19479eb4f4ba7cbd8e9a3bfa79325f0_s390x",
                           product_id: "rh-sso-7/sso76-openshift-rhel8@sha256:1f842e8f262ece6cd98941fd29562251e19479eb4f4ba7cbd8e9a3bfa79325f0_s390x",
                           product_identification_helper: {
                              purl: "pkg:oci/sso76-openshift-rhel8@sha256:1f842e8f262ece6cd98941fd29562251e19479eb4f4ba7cbd8e9a3bfa79325f0?arch=s390x&repository_url=registry.redhat.io/rh-sso-7/sso76-openshift-rhel8&tag=7.6-46",
                           },
                        },
                     },
                  ],
                  category: "architecture",
                  name: "s390x",
               },
            ],
            category: "vendor",
            name: "Red Hat",
         },
      ],
      relationships: [
         {
            category: "default_component_of",
            full_product_name: {
               name: "rh-sso-7/sso76-openshift-rhel8@sha256:1909db8bc47fdb4f6512e08fb21ec1457f64fa0abf8edf2530f5bf5a494d9b6d_amd64 as a component of Middleware Containers for OpenShift",
               product_id: "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:1909db8bc47fdb4f6512e08fb21ec1457f64fa0abf8edf2530f5bf5a494d9b6d_amd64",
            },
            product_reference: "rh-sso-7/sso76-openshift-rhel8@sha256:1909db8bc47fdb4f6512e08fb21ec1457f64fa0abf8edf2530f5bf5a494d9b6d_amd64",
            relates_to_product_reference: "8Base-RHOSE-Middleware",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "rh-sso-7/sso76-openshift-rhel8@sha256:1f842e8f262ece6cd98941fd29562251e19479eb4f4ba7cbd8e9a3bfa79325f0_s390x as a component of Middleware Containers for OpenShift",
               product_id: "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:1f842e8f262ece6cd98941fd29562251e19479eb4f4ba7cbd8e9a3bfa79325f0_s390x",
            },
            product_reference: "rh-sso-7/sso76-openshift-rhel8@sha256:1f842e8f262ece6cd98941fd29562251e19479eb4f4ba7cbd8e9a3bfa79325f0_s390x",
            relates_to_product_reference: "8Base-RHOSE-Middleware",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "rh-sso-7/sso76-openshift-rhel8@sha256:b666f093f22ef27811114cca95c20aed890d4f3342116ab990d084cb2627d8cf_ppc64le as a component of Middleware Containers for OpenShift",
               product_id: "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:b666f093f22ef27811114cca95c20aed890d4f3342116ab990d084cb2627d8cf_ppc64le",
            },
            product_reference: "rh-sso-7/sso76-openshift-rhel8@sha256:b666f093f22ef27811114cca95c20aed890d4f3342116ab990d084cb2627d8cf_ppc64le",
            relates_to_product_reference: "8Base-RHOSE-Middleware",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2023-6484",
         cwe: {
            id: "CWE-117",
            name: "Improper Output Neutralization for Logs",
         },
         discovery_date: "2023-11-06T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2248423",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A log injection flaw was found in Keycloak. A text string may be injected through the authentication form when using the WebAuthn authentication mode. This issue may have a minor impact to the logs integrity.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "keycloak: Log Injection during WebAuthn authentication or registration",
               title: "Vulnerability summary",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:1909db8bc47fdb4f6512e08fb21ec1457f64fa0abf8edf2530f5bf5a494d9b6d_amd64",
               "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:1f842e8f262ece6cd98941fd29562251e19479eb4f4ba7cbd8e9a3bfa79325f0_s390x",
               "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:b666f093f22ef27811114cca95c20aed890d4f3342116ab990d084cb2627d8cf_ppc64le",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2023-6484",
            },
            {
               category: "external",
               summary: "RHBZ#2248423",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2248423",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2023-6484",
               url: "https://www.cve.org/CVERecord?id=CVE-2023-6484",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-6484",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2023-6484",
            },
         ],
         release_date: "2023-12-04T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2024-04-16T19:54:17+00:00",
               details: "To update to the latest Red Hat Single Sign-On 7.6.8 for OpenShift\nimage, Follow these steps to pull in the content:\n\n1. On your main hosts, ensure you are logged into the CLI as a\ncluster administrator or user with project administrator access\nto the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift\nin the \"openshift\" project by running the following commands:\n\n$ for resource in sso76-image-stream.json \\\nsso76-https.json \\\nsso76-mysql.json \\\nsso76-mysql-persistent.json \\\nsso76-postgresql.json \\\nsso76-postgresql-persistent.json \\\nsso76-x509-https.json \\\nsso76-x509-mysql-persistent.json \\\nsso76-x509-postgresql-persistent.json\ndo\noc replace -n openshift --force -f \\\nhttps://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.6.8.GA/templates/${resource}\ndone\n\n3. Install the Red Hat Single Sign-On 7.6.8 for OpenShift streams in the\n\"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso76-openshift:1.0",
               product_ids: [
                  "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:1909db8bc47fdb4f6512e08fb21ec1457f64fa0abf8edf2530f5bf5a494d9b6d_amd64",
                  "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:1f842e8f262ece6cd98941fd29562251e19479eb4f4ba7cbd8e9a3bfa79325f0_s390x",
                  "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:b666f093f22ef27811114cca95c20aed890d4f3342116ab990d084cb2627d8cf_ppc64le",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2024:1864",
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 5.3,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "NONE",
                  integrityImpact: "LOW",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                  version: "3.1",
               },
               products: [
                  "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:1909db8bc47fdb4f6512e08fb21ec1457f64fa0abf8edf2530f5bf5a494d9b6d_amd64",
                  "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:1f842e8f262ece6cd98941fd29562251e19479eb4f4ba7cbd8e9a3bfa79325f0_s390x",
                  "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:b666f093f22ef27811114cca95c20aed890d4f3342116ab990d084cb2627d8cf_ppc64le",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Low",
            },
         ],
         title: "keycloak: Log Injection during WebAuthn authentication or registration",
      },
      {
         acknowledgments: [
            {
               names: [
                  "Bastian Kanbach",
               ],
               organization: "Secure Systems DE [bastian.kanbach@securesystems.de]",
            },
         ],
         cve: "CVE-2023-6544",
         cwe: {
            id: "CWE-625",
            name: "Permissive Regular Expression",
         },
         discovery_date: "2023-12-06T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2253116",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in the Keycloak package. This issue occurs due to a permissive regular expression hardcoded for filtering which allows hosts to register a dynamic client. A malicious user with enough information about the environment could jeopardize an environment with this specific Dynamic Client Registration and TrustedDomain configuration previously unauthorized.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "keycloak: Authorization Bypass",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "Due to the high complexity of this attack, Red Hat considers this a Moderate impact.",
               title: "Statement",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:1909db8bc47fdb4f6512e08fb21ec1457f64fa0abf8edf2530f5bf5a494d9b6d_amd64",
               "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:1f842e8f262ece6cd98941fd29562251e19479eb4f4ba7cbd8e9a3bfa79325f0_s390x",
               "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:b666f093f22ef27811114cca95c20aed890d4f3342116ab990d084cb2627d8cf_ppc64le",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2023-6544",
            },
            {
               category: "external",
               summary: "RHBZ#2253116",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2253116",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2023-6544",
               url: "https://www.cve.org/CVERecord?id=CVE-2023-6544",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2023-6544",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2023-6544",
            },
         ],
         release_date: "2024-04-16T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2024-04-16T19:54:17+00:00",
               details: "To update to the latest Red Hat Single Sign-On 7.6.8 for OpenShift\nimage, Follow these steps to pull in the content:\n\n1. On your main hosts, ensure you are logged into the CLI as a\ncluster administrator or user with project administrator access\nto the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift\nin the \"openshift\" project by running the following commands:\n\n$ for resource in sso76-image-stream.json \\\nsso76-https.json \\\nsso76-mysql.json \\\nsso76-mysql-persistent.json \\\nsso76-postgresql.json \\\nsso76-postgresql-persistent.json \\\nsso76-x509-https.json \\\nsso76-x509-mysql-persistent.json \\\nsso76-x509-postgresql-persistent.json\ndo\noc replace -n openshift --force -f \\\nhttps://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.6.8.GA/templates/${resource}\ndone\n\n3. Install the Red Hat Single Sign-On 7.6.8 for OpenShift streams in the\n\"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso76-openshift:1.0",
               product_ids: [
                  "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:1909db8bc47fdb4f6512e08fb21ec1457f64fa0abf8edf2530f5bf5a494d9b6d_amd64",
                  "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:1f842e8f262ece6cd98941fd29562251e19479eb4f4ba7cbd8e9a3bfa79325f0_s390x",
                  "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:b666f093f22ef27811114cca95c20aed890d4f3342116ab990d084cb2627d8cf_ppc64le",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2024:1864",
            },
            {
               category: "workaround",
               details: "No mitigation is currently available for this flaw.",
               product_ids: [
                  "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:1909db8bc47fdb4f6512e08fb21ec1457f64fa0abf8edf2530f5bf5a494d9b6d_amd64",
                  "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:1f842e8f262ece6cd98941fd29562251e19479eb4f4ba7cbd8e9a3bfa79325f0_s390x",
                  "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:b666f093f22ef27811114cca95c20aed890d4f3342116ab990d084cb2627d8cf_ppc64le",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 5.4,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "LOW",
                  integrityImpact: "LOW",
                  privilegesRequired: "LOW",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
                  version: "3.1",
               },
               products: [
                  "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:1909db8bc47fdb4f6512e08fb21ec1457f64fa0abf8edf2530f5bf5a494d9b6d_amd64",
                  "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:1f842e8f262ece6cd98941fd29562251e19479eb4f4ba7cbd8e9a3bfa79325f0_s390x",
                  "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:b666f093f22ef27811114cca95c20aed890d4f3342116ab990d084cb2627d8cf_ppc64le",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Moderate",
            },
         ],
         title: "keycloak: Authorization Bypass",
      },
      {
         acknowledgments: [
            {
               names: [
                  "Axel Flamcourt",
               ],
            },
         ],
         cve: "CVE-2024-1132",
         cwe: {
            id: "CWE-22",
            name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
         },
         discovery_date: "2024-01-31T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2262117",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to construct a malicious request to bypass validation and access other URLs and sensitive information within the domain or conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field, and requires user interaction within the malicious URL.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "keycloak: path transversal in redirection validation",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "Red Hat Build of Quarkus is not impacted as this CVE affects the server-side Keycloak execution, but Quarkus only acts as a Keycloak client in its quarkus-keycloak-authorization extension. For this reason, Quarkus is marked as having a Low impact.",
               title: "Statement",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:1909db8bc47fdb4f6512e08fb21ec1457f64fa0abf8edf2530f5bf5a494d9b6d_amd64",
               "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:1f842e8f262ece6cd98941fd29562251e19479eb4f4ba7cbd8e9a3bfa79325f0_s390x",
               "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:b666f093f22ef27811114cca95c20aed890d4f3342116ab990d084cb2627d8cf_ppc64le",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2024-1132",
            },
            {
               category: "external",
               summary: "RHBZ#2262117",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2262117",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2024-1132",
               url: "https://www.cve.org/CVERecord?id=CVE-2024-1132",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-1132",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2024-1132",
            },
         ],
         release_date: "2024-04-16T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2024-04-16T19:54:17+00:00",
               details: "To update to the latest Red Hat Single Sign-On 7.6.8 for OpenShift\nimage, Follow these steps to pull in the content:\n\n1. On your main hosts, ensure you are logged into the CLI as a\ncluster administrator or user with project administrator access\nto the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift\nin the \"openshift\" project by running the following commands:\n\n$ for resource in sso76-image-stream.json \\\nsso76-https.json \\\nsso76-mysql.json \\\nsso76-mysql-persistent.json \\\nsso76-postgresql.json \\\nsso76-postgresql-persistent.json \\\nsso76-x509-https.json \\\nsso76-x509-mysql-persistent.json \\\nsso76-x509-postgresql-persistent.json\ndo\noc replace -n openshift --force -f \\\nhttps://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.6.8.GA/templates/${resource}\ndone\n\n3. Install the Red Hat Single Sign-On 7.6.8 for OpenShift streams in the\n\"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso76-openshift:1.0",
               product_ids: [
                  "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:1909db8bc47fdb4f6512e08fb21ec1457f64fa0abf8edf2530f5bf5a494d9b6d_amd64",
                  "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:1f842e8f262ece6cd98941fd29562251e19479eb4f4ba7cbd8e9a3bfa79325f0_s390x",
                  "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:b666f093f22ef27811114cca95c20aed890d4f3342116ab990d084cb2627d8cf_ppc64le",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2024:1864",
            },
            {
               category: "workaround",
               details: "No current mitigation is available for this vulnerability.",
               product_ids: [
                  "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:1909db8bc47fdb4f6512e08fb21ec1457f64fa0abf8edf2530f5bf5a494d9b6d_amd64",
                  "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:1f842e8f262ece6cd98941fd29562251e19479eb4f4ba7cbd8e9a3bfa79325f0_s390x",
                  "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:b666f093f22ef27811114cca95c20aed890d4f3342116ab990d084cb2627d8cf_ppc64le",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "NONE",
                  baseScore: 8.1,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
                  version: "3.1",
               },
               products: [
                  "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:1909db8bc47fdb4f6512e08fb21ec1457f64fa0abf8edf2530f5bf5a494d9b6d_amd64",
                  "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:1f842e8f262ece6cd98941fd29562251e19479eb4f4ba7cbd8e9a3bfa79325f0_s390x",
                  "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:b666f093f22ef27811114cca95c20aed890d4f3342116ab990d084cb2627d8cf_ppc64le",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Important",
            },
         ],
         title: "keycloak: path transversal in redirection validation",
      },
      {
         acknowledgments: [
            {
               names: [
                  "Adriano Márcio Monteiro",
               ],
            },
         ],
         cve: "CVE-2024-1249",
         cwe: {
            id: "CWE-346",
            name: "Origin Validation Error",
         },
         discovery_date: "2024-02-06T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2262918",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A flaw was found in Keycloak's OIDC component in the \"checkLoginIframe,\" which allows unvalidated cross-origin messages. This flaw allows attackers to coordinate and send millions of requests in seconds using simple code, significantly impacting the application's availability without proper origin validation for incoming messages.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "keycloak: org.keycloak.protocol.oidc: unvalidated cross-origin messages in checkLoginIframe leads to DDoS",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "The vulnerability in Keycloak's OIDC component allowing unvalidated cross-origin messages in the \"checkLoginIframe\" function represents an important severity issue due to its potential to cause significant disruption and resource exhaustion. Exploitation of this flaw can lead to a Denial of Service (DoS) condition, where malicious actors can overwhelm the server with a high volume of requests, impacting availability for legitimate users. The absence of proper origin validation means attackers can exploit this weakness relatively easily, leveraging automated scripts to flood the server within seconds.",
               title: "Statement",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:1909db8bc47fdb4f6512e08fb21ec1457f64fa0abf8edf2530f5bf5a494d9b6d_amd64",
               "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:1f842e8f262ece6cd98941fd29562251e19479eb4f4ba7cbd8e9a3bfa79325f0_s390x",
               "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:b666f093f22ef27811114cca95c20aed890d4f3342116ab990d084cb2627d8cf_ppc64le",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2024-1249",
            },
            {
               category: "external",
               summary: "RHBZ#2262918",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2262918",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2024-1249",
               url: "https://www.cve.org/CVERecord?id=CVE-2024-1249",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-1249",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2024-1249",
            },
         ],
         release_date: "2024-04-16T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2024-04-16T19:54:17+00:00",
               details: "To update to the latest Red Hat Single Sign-On 7.6.8 for OpenShift\nimage, Follow these steps to pull in the content:\n\n1. On your main hosts, ensure you are logged into the CLI as a\ncluster administrator or user with project administrator access\nto the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift\nin the \"openshift\" project by running the following commands:\n\n$ for resource in sso76-image-stream.json \\\nsso76-https.json \\\nsso76-mysql.json \\\nsso76-mysql-persistent.json \\\nsso76-postgresql.json \\\nsso76-postgresql-persistent.json \\\nsso76-x509-https.json \\\nsso76-x509-mysql-persistent.json \\\nsso76-x509-postgresql-persistent.json\ndo\noc replace -n openshift --force -f \\\nhttps://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.6.8.GA/templates/${resource}\ndone\n\n3. Install the Red Hat Single Sign-On 7.6.8 for OpenShift streams in the\n\"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso76-openshift:1.0",
               product_ids: [
                  "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:1909db8bc47fdb4f6512e08fb21ec1457f64fa0abf8edf2530f5bf5a494d9b6d_amd64",
                  "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:1f842e8f262ece6cd98941fd29562251e19479eb4f4ba7cbd8e9a3bfa79325f0_s390x",
                  "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:b666f093f22ef27811114cca95c20aed890d4f3342116ab990d084cb2627d8cf_ppc64le",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2024:1864",
            },
            {
               category: "workaround",
               details: "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
               product_ids: [
                  "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:1909db8bc47fdb4f6512e08fb21ec1457f64fa0abf8edf2530f5bf5a494d9b6d_amd64",
                  "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:1f842e8f262ece6cd98941fd29562251e19479eb4f4ba7cbd8e9a3bfa79325f0_s390x",
                  "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:b666f093f22ef27811114cca95c20aed890d4f3342116ab990d084cb2627d8cf_ppc64le",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 7.4,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "CHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H",
                  version: "3.1",
               },
               products: [
                  "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:1909db8bc47fdb4f6512e08fb21ec1457f64fa0abf8edf2530f5bf5a494d9b6d_amd64",
                  "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:1f842e8f262ece6cd98941fd29562251e19479eb4f4ba7cbd8e9a3bfa79325f0_s390x",
                  "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:b666f093f22ef27811114cca95c20aed890d4f3342116ab990d084cb2627d8cf_ppc64le",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Important",
            },
         ],
         title: "keycloak: org.keycloak.protocol.oidc: unvalidated cross-origin messages in checkLoginIframe leads to DDoS",
      },
      {
         cve: "CVE-2024-1635",
         cwe: {
            id: "CWE-400",
            name: "Uncontrolled Resource Consumption",
         },
         discovery_date: "2024-02-19T00:00:00+00:00",
         ids: [
            {
               system_name: "Red Hat Bugzilla ID",
               text: "2264928",
            },
         ],
         notes: [
            {
               category: "description",
               text: "A vulnerability was found in Undertow. This vulnerability impacts a server that supports the wildfly-http-client protocol. Whenever a malicious user opens and closes a connection with the HTTP port of the server and then closes the connection immediately, the server will end with both memory and open file limits exhausted at some point, depending on the amount of memory available. \r\n\r\nAt HTTP upgrade to remoting, the WriteTimeoutStreamSinkConduit leaks connections if RemotingConnection is closed by Remoting ServerConnectionOpenListener. Because the remoting connection originates in Undertow as part of the HTTP upgrade, there is an external layer to the remoting connection. This connection is unaware of the outermost layer when closing the connection during the connection opening procedure. Hence, the Undertow WriteTimeoutStreamSinkConduit is not notified of the closed connection in this scenario. Because WriteTimeoutStreamSinkConduit creates a timeout task, the whole dependency tree leaks via that task, which is added to XNIO WorkerThread. So, the workerThread points to the Undertow conduit, which contains the connections and causes the leak.",
               title: "Vulnerability description",
            },
            {
               category: "summary",
               text: "undertow: Out-of-memory Error after several closed connections with wildfly-http-client protocol",
               title: "Vulnerability summary",
            },
            {
               category: "other",
               text: "This is rated as Important due to the fact that this might be an unauthenticated remote issue exploited by a malicious user, causing a denial of service (DoS) to the affected server.",
               title: "Statement",
            },
            {
               category: "general",
               text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
               title: "CVSS score applicability",
            },
         ],
         product_status: {
            fixed: [
               "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:1909db8bc47fdb4f6512e08fb21ec1457f64fa0abf8edf2530f5bf5a494d9b6d_amd64",
               "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:1f842e8f262ece6cd98941fd29562251e19479eb4f4ba7cbd8e9a3bfa79325f0_s390x",
               "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:b666f093f22ef27811114cca95c20aed890d4f3342116ab990d084cb2627d8cf_ppc64le",
            ],
         },
         references: [
            {
               category: "self",
               summary: "Canonical URL",
               url: "https://access.redhat.com/security/cve/CVE-2024-1635",
            },
            {
               category: "external",
               summary: "RHBZ#2264928",
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2264928",
            },
            {
               category: "external",
               summary: "https://www.cve.org/CVERecord?id=CVE-2024-1635",
               url: "https://www.cve.org/CVERecord?id=CVE-2024-1635",
            },
            {
               category: "external",
               summary: "https://nvd.nist.gov/vuln/detail/CVE-2024-1635",
               url: "https://nvd.nist.gov/vuln/detail/CVE-2024-1635",
            },
         ],
         release_date: "2023-10-27T00:00:00+00:00",
         remediations: [
            {
               category: "vendor_fix",
               date: "2024-04-16T19:54:17+00:00",
               details: "To update to the latest Red Hat Single Sign-On 7.6.8 for OpenShift\nimage, Follow these steps to pull in the content:\n\n1. On your main hosts, ensure you are logged into the CLI as a\ncluster administrator or user with project administrator access\nto the global \"openshift\" project. For example:\n\n$ oc login -u system:admin\n\n2. Update the core set of Red Hat Single Sign-On resources for OpenShift\nin the \"openshift\" project by running the following commands:\n\n$ for resource in sso76-image-stream.json \\\nsso76-https.json \\\nsso76-mysql.json \\\nsso76-mysql-persistent.json \\\nsso76-postgresql.json \\\nsso76-postgresql-persistent.json \\\nsso76-x509-https.json \\\nsso76-x509-mysql-persistent.json \\\nsso76-x509-postgresql-persistent.json\ndo\noc replace -n openshift --force -f \\\nhttps://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/v7.6.8.GA/templates/${resource}\ndone\n\n3. Install the Red Hat Single Sign-On 7.6.8 for OpenShift streams in the\n\"openshift\" project by running the following commands:\n\n$ oc -n openshift import-image redhat-sso76-openshift:1.0",
               product_ids: [
                  "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:1909db8bc47fdb4f6512e08fb21ec1457f64fa0abf8edf2530f5bf5a494d9b6d_amd64",
                  "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:1f842e8f262ece6cd98941fd29562251e19479eb4f4ba7cbd8e9a3bfa79325f0_s390x",
                  "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:b666f093f22ef27811114cca95c20aed890d4f3342116ab990d084cb2627d8cf_ppc64le",
               ],
               restart_required: {
                  category: "none",
               },
               url: "https://access.redhat.com/errata/RHSA-2024:1864",
            },
            {
               category: "workaround",
               details: "No mitigation is currently available for this vulnerability. However, there might be some protections, such as request limits by a load balancer in front of JBoss EAP/Wildfly or even Undertow, that could minimize the impact.",
               product_ids: [
                  "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:1909db8bc47fdb4f6512e08fb21ec1457f64fa0abf8edf2530f5bf5a494d9b6d_amd64",
                  "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:1f842e8f262ece6cd98941fd29562251e19479eb4f4ba7cbd8e9a3bfa79325f0_s390x",
                  "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:b666f093f22ef27811114cca95c20aed890d4f3342116ab990d084cb2627d8cf_ppc64le",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "HIGH",
                  baseScore: 7.5,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  version: "3.1",
               },
               products: [
                  "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:1909db8bc47fdb4f6512e08fb21ec1457f64fa0abf8edf2530f5bf5a494d9b6d_amd64",
                  "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:1f842e8f262ece6cd98941fd29562251e19479eb4f4ba7cbd8e9a3bfa79325f0_s390x",
                  "8Base-RHOSE-Middleware:rh-sso-7/sso76-openshift-rhel8@sha256:b666f093f22ef27811114cca95c20aed890d4f3342116ab990d084cb2627d8cf_ppc64le",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               details: "Important",
            },
         ],
         title: "undertow: Out-of-memory Error after several closed connections with wildfly-http-client protocol",
      },
   ],
}