Red Hat Single Sign-On
110 CVEs affecting Red Hat Single Sign-On. Latest disclosed: 2026-03-27. Critical: 6, High: 47.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2022-4361 | Critical | 10.0 | 2023-07-07 | Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerability in the SAML or OIDC providers. The vulnerabili… |
| CVE-2019-10212 | Critical | 9.8 | 2019-10-02 | A flaw was found in, all under 2.0.20, in the Undertow DEBUG log for io.undertow.request.security. If enabled, an attacker could abuse this flaw to obtain the… |
| CVE-2019-14379 | Critical | 9.8 | 2019-07-29 | SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manage… |
| CVE-2025-12543 | Critical | 9.6 | 2026-01-07 | A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly val… |
| CVE-2019-14887 | Critical | 9.1 | 2020-03-16 | A flaw was found when an OpenSSL security provider is used with Wildfly, the 'enabled-protocols' value in the Wildfly configuration isn't honored. An attacker… |
| CVE-2019-14837 | Critical | 9.1 | 2020-01-07 | A flaw was found in keycloack before version 8.0.0. The owner of 'placeholder.org' domain can setup mail server on this domain and knowing only name of a clien… |
| CVE-2020-1714 | High | 8.8 | 2020-05-13 | A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker… |
| CVE-2019-14843 | High | 8.8 | 2020-01-07 | A flaw was found in Wildfly Security Manager, running under JDK 11 or 8, that authorized requests for any requester. This flaw could be used by a malicious app… |
| CVE-2019-10174 | High | 8.8 | 2019-11-25 | A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke priva… |
| CVE-2026-28369 | High | 8.7 | 2026-03-27 | A flaw was found in Undertow. When Undertow receives an HTTP request where the first header line starts with one or more spaces, it incorrectly processes the r… |
| CVE-2026-28368 | High | 8.7 | 2026-03-27 | A flaw was found in Undertow. This vulnerability allows a remote attacker to construct specially crafted requests where header names are parsed differently by… |
| CVE-2026-28367 | High | 8.7 | 2026-03-27 | A flaw was found in Undertow. A remote attacker can exploit this vulnerability by sending `\r\r\r` as a header block terminator. This can be used for request s… |
| CVE-2026-3009 | High | 8.1 | 2026-03-05 | A security flaw in the IdentityBrokerService.performLogin endpoint of Keycloak allows authentication to proceed using an Identity Provider (IdP) even after it… |
| CVE-2024-1132 | High | 8.1 | 2024-04-17 | A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to construct a malicious requ… |
| CVE-2022-4137 | High | 8.1 | 2023-09-25 | A reflected cross-site scripting (XSS) vulnerability was found in the 'oob' OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious l… |
| CVE-2020-1757 | High | 8.1 | 2020-04-21 | A flaw was found in all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1, all undertow-1.x.x and undertow-2.x.x versions prior to undertow-2.1.0.Final… |
| CVE-2019-10201 | High | 8.1 | 2019-08-14 | It was found that Keycloak's SAML broker, versions up to 6.0.1, did not verify missing message signatures. If an attacker modifies the SAML Response and remove… |
| CVE-2018-14657 | High | 8.1 | 2018-11-13 | A flaw was found in Keycloak 4.2.1.Final, 4.3.0.Final. When TOPT enabled, an improper implementation of the Brute Force detection algorithm will not enforce it… |
| CVE-2022-4039 | High | 8.0 | 2023-09-22 | A flaw was found in Red Hat Single Sign-On for OpenShift container images, which are configured with an unsecured management interface enabled. This flaw allow… |
| CVE-2021-3717 | High | 7.8 | 2022-05-24 | A flaw was found in Wildfly. An incorrect JBOSS_LOCAL_USER challenge location when using the elytron configuration may lead to JBOSS_LOCAL_USER access to all u… |