what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 10 of 10 RSS Feed

CVE-2022-0866

Status Candidate

Overview

This is a concurrency issue that can result in the wrong caller principal being returned from the session context of an EJB that is configured with a RunAs principal. In particular, the org.jboss.as.ejb3.component.EJBComponent class has an incomingRunAsIdentity field. This field is used by the org.jboss.as.ejb3.security.RunAsPrincipalInterceptor to keep track of the current identity prior to switching to a new identity created using the RunAs principal. The exploit consist that the EJBComponent#incomingRunAsIdentity field is currently just a SecurityIdentity. This means in a concurrent environment, where multiple users are repeatedly invoking an EJB that is configured with a RunAs principal, it's possible for the wrong the caller principal to be returned from EJBComponent#getCallerPrincipal. Similarly, it's also possible for EJBComponent#isCallerInRole to return the wrong value. Both of these methods rely on incomingRunAsIdentity. Affects all versions of JBoss EAP from 7.1.0 and all versions of WildFly 11+ when Elytron is enabled.

Related Files

Red Hat Security Advisory 2022-7410-01
Posted Nov 4, 2022
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2022-7410-01 - Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This release of Red Hat Single Sign-On 7.6.1 on RHEL 8 serves as a replacement for Red Hat Single Sign-On 7.6.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include HTTP request smuggling, code execution, cross site scripting, and denial of service vulnerabilities.

tags | advisory, web, denial of service, vulnerability, code execution, xss
systems | linux, redhat
advisories | CVE-2020-36518, CVE-2021-42392, CVE-2021-43797, CVE-2022-0084, CVE-2022-0225, CVE-2022-0866, CVE-2022-2668
SHA-256 | 20de8cac035eb0328ec9dcb7ce2f968147a87e30dacad7dfd94b929d9ff397da
Red Hat Security Advisory 2022-7409-01
Posted Nov 4, 2022
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2022-7409-01 - Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This release of Red Hat Single Sign-On 7.6.1 on RHEL 7 serves as a replacement for Red Hat Single Sign-On 7.6.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include HTTP request smuggling, code execution, cross site scripting, and denial of service vulnerabilities.

tags | advisory, web, denial of service, vulnerability, code execution, xss
systems | linux, redhat
advisories | CVE-2020-36518, CVE-2021-42392, CVE-2021-43797, CVE-2022-0084, CVE-2022-0225, CVE-2022-0866, CVE-2022-2668
SHA-256 | c920db1dec3b041d6c286f4114456a9165972f7534a40725c37eb60214d02198
Red Hat Security Advisory 2022-7417-01
Posted Nov 4, 2022
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2022-7417-01 - Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This release of Red Hat Single Sign-On 7.6.1 serves as a replacement for Red Hat Single Sign-On 7.6.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include HTTP request smuggling, code execution, cross site scripting, and denial of service vulnerabilities.

tags | advisory, web, denial of service, vulnerability, code execution, xss
systems | linux, redhat
advisories | CVE-2020-36518, CVE-2021-42392, CVE-2021-43797, CVE-2022-0084, CVE-2022-0225, CVE-2022-0866, CVE-2022-2668
SHA-256 | 66e7c910cb690290044b2d3be37ff70715adf821991f2d81a1677e4efb1eff1d
Red Hat Security Advisory 2022-7411-01
Posted Nov 4, 2022
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2022-7411-01 - Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This release of Red Hat Single Sign-On 7.6.1 on RHEL 9 serves as a replacement for Red Hat Single Sign-On 7.6.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include HTTP request smuggling, code execution, cross site scripting, and denial of service vulnerabilities.

tags | advisory, web, denial of service, vulnerability, code execution, xss
systems | linux, redhat
advisories | CVE-2020-36518, CVE-2021-42392, CVE-2021-43797, CVE-2022-0084, CVE-2022-0225, CVE-2022-0866, CVE-2022-2668
SHA-256 | 783a2b010e945a3b187cff896274ec22adcdcf88ca22b7e1c6c7a3ebc2cc25ec
Red Hat Security Advisory 2022-6782-01
Posted Oct 5, 2022
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2022-6782-01 - Red Hat Single Sign-On 7.5 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This release of Red Hat Single Sign-On 7.5.3 on RHEL 7 serves as a replacement for Red Hat Single Sign-On 7.5.2, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include HTTP request smuggling, code execution, cross site scripting, and denial of service vulnerabilities.

tags | advisory, web, denial of service, vulnerability, code execution, xss
systems | linux, redhat
advisories | CVE-2020-36518, CVE-2021-42392, CVE-2021-43797, CVE-2022-0084, CVE-2022-0225, CVE-2022-0866, CVE-2022-2256, CVE-2022-2668
SHA-256 | 3f148abf3e1d7783fdbb7b295faf665cc66091c74ed2574ed8bb517021defb68
Red Hat Security Advisory 2022-6787-01
Posted Oct 5, 2022
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2022-6787-01 - Red Hat Single Sign-On 7.5 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This release of Red Hat Single Sign-On 7.5.3 serves as a replacement for Red Hat Single Sign-On 7.5.2, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include HTTP request smuggling, code execution, cross site scripting, and denial of service vulnerabilities.

tags | advisory, web, denial of service, vulnerability, code execution, xss
systems | linux, redhat
advisories | CVE-2020-36518, CVE-2021-42392, CVE-2021-43797, CVE-2022-0084, CVE-2022-0225, CVE-2022-0866, CVE-2022-2256, CVE-2022-2668
SHA-256 | 271756341073654fcee5cc794ed943b6caf607b6082cce3ac034db8a5cd1903a
Red Hat Security Advisory 2022-6783-01
Posted Oct 5, 2022
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2022-6783-01 - Red Hat Single Sign-On 7.5 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This release of Red Hat Single Sign-On 7.5.3 on RHEL 8 serves as a replacement for Red Hat Single Sign-On 7.5.2, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include HTTP request smuggling, code execution, cross site scripting, and denial of service vulnerabilities.

tags | advisory, web, denial of service, vulnerability, code execution, xss
systems | linux, redhat
advisories | CVE-2020-36518, CVE-2021-42392, CVE-2021-43797, CVE-2022-0084, CVE-2022-0225, CVE-2022-0866, CVE-2022-2256, CVE-2022-2668
SHA-256 | c634291e814c5d71d9282254b7ea4a4726267ec9b38abf7abd26f66ed5f82571
Red Hat Security Advisory 2022-4919-01
Posted Jun 7, 2022
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2022-4919-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.5 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.4 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.5 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include HTTP request smuggling, code execution, denial of service, memory leak, and traversal vulnerabilities.

tags | advisory, java, web, denial of service, vulnerability, code execution, memory leak
systems | linux, redhat
advisories | CVE-2020-36518, CVE-2021-37136, CVE-2021-37137, CVE-2021-42392, CVE-2021-43797, CVE-2022-0084, CVE-2022-0853, CVE-2022-0866, CVE-2022-1319, CVE-2022-21299, CVE-2022-21363, CVE-2022-23221, CVE-2022-23437, CVE-2022-23913, CVE-2022-24785
SHA-256 | bf1afc73c8ba9c4a4c22d13d1cf262785aff0e2266900d5107732077a9be4c4c
Red Hat Security Advisory 2022-4918-01
Posted Jun 7, 2022
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2022-4918-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.5 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.4 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.5 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include HTTP request smuggling, code execution, denial of service, memory leak, and traversal vulnerabilities.

tags | advisory, java, web, denial of service, vulnerability, code execution, memory leak
systems | linux, redhat
advisories | CVE-2020-36518, CVE-2021-37136, CVE-2021-37137, CVE-2021-42392, CVE-2021-43797, CVE-2022-0084, CVE-2022-0853, CVE-2022-0866, CVE-2022-1319, CVE-2022-21299, CVE-2022-21363, CVE-2022-23221, CVE-2022-23437, CVE-2022-23913, CVE-2022-24785
SHA-256 | 8f6215dbc6e2ca60403953e5fff933cecb7aae3db0e8684fc171f45b5bcbc430
Red Hat Security Advisory 2022-4922-01
Posted Jun 7, 2022
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2022-4922-01 - Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.5 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.4 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.5 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include HTTP request smuggling, code execution, denial of service, memory leak, and traversal vulnerabilities.

tags | advisory, java, web, denial of service, vulnerability, code execution, memory leak
systems | linux, redhat
advisories | CVE-2020-36518, CVE-2021-37136, CVE-2021-37137, CVE-2021-42392, CVE-2021-43797, CVE-2022-0084, CVE-2022-0853, CVE-2022-0866, CVE-2022-1319, CVE-2022-21299, CVE-2022-21363, CVE-2022-23221, CVE-2022-23437, CVE-2022-23913, CVE-2022-24785
SHA-256 | 7662acf836b5f242e6276a07b00c0aa87639c1a35f4ad678bade67af019843c5
Page 1 of 1
Back1Next

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    17 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close