In Keycloak versions before 24.0.7 a medium severity vulnerability, CVE-2024-7318, was detected. Expired OTP codes remain valid for an extra 30 seconds (60 seconds in total with the default 30-second OTP period), which widens the attack window and leaves two OTPs valid at the same time. To fix this problem, upgrade Keycloak to version 24.0.7. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-7318.
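To make the "extra 30 seconds" concrete, here is an added example (not Keycloak's or FreeOTP's code) of an RFC 6238 TOTP verifier whose acceptance window is configurable. It uses the RFC 4226 test-vector key as a constructed demo secret and measures, second by second, how long a code keeps verifying: with a symmetric look-around window of one step a code is accepted for a full period after its own step has ended, which is exactly the two-codes-valid-at-once situation the advisory describes. The `used_steps` set is an assumed replay guard, shown only to illustrate that consumed-code tracking is a separate control from the window size.

```python
import hashlib
import hmac
import struct

# Constructed demo secret (the RFC 4226/6238 test-vector key); not a real credential.
DEMO_SECRET = b"12345678901234567890"
PERIOD = 30  # seconds: the default OTP period the advisory refers to


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, period: int = PERIOD) -> str:
    """RFC 6238 TOTP: HOTP over the time step that the timestamp `at` falls into."""
    return hotp(secret, at // period)


def accepted_steps(now: int, window: int, period: int = PERIOD) -> range:
    """Symmetric look-around: with window=1 the verifier accepts the previous,
    current and next time step, so a code keeps verifying one full period
    after the step it was generated for has ended."""
    step = now // period
    return range(step - window, step + window + 1)


def verify(secret: bytes, code: str, now: int, window: int,
           period: int = PERIOD, used_steps=None):
    """Return the matched time step, or None if the code is not accepted.
    `used_steps` (a per-credential set, assumed here for illustration) records
    consumed steps so that one code cannot be replayed inside its window."""
    for step in accepted_steps(now, window, period):
        if hmac.compare_digest(hotp(secret, step), code):
            if used_steps is not None:
                if step in used_steps:
                    return None
                used_steps.add(step)
            return step
    return None


def seconds_code_accepted(secret: bytes, issued_at: int, window: int,
                          period: int = PERIOD) -> int:
    """Count, second by second from the start of its time step, how long the
    code issued at `issued_at` keeps verifying for the given window."""
    code = totp(secret, issued_at, period)
    start = (issued_at // period) * period
    t = start
    while verify(secret, code, t, window, period) is not None:
        t += 1
    return t - start


if __name__ == "__main__":
    for window in (0, 1):
        # window=0 -> 30 seconds; window=1 -> 60 seconds (30 extra after expiry)
        print(f"window={window}: code accepted for "
              f"{seconds_code_accepted(DEMO_SECRET, 1_000_000, window)} s")
```

The point for operators is that the look-around window, not the displayed 30-second countdown, decides how long a stolen code stays usable; narrowing the window shortens that exposure, and tracking consumed steps stops the same code from being used twice inside whatever window remains.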
In Keycloak versions before 24.0.7 a medium severity vulnerability, CVE-2024-7260, was detected. An attacker can craft a URL that, through the referrer and referrer_uri parameters, sends users or automation to a malicious web page (an open redirect). To fix this issue, upgrade to version 24.0.7; more generally, any URL taken from a request parameter should be validated against an allowlist before it is used as a redirect target. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-7260.
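The following is an added example, not Keycloak's own redirect validation, of the kind of allowlist check that closes an open redirect on a parameter such as referrer_uri. The allowlist hosts are hypothetical. It contrasts a naive string-prefix test, which accepts a lookalike host, with a check that parses the URL and requires an exact scheme, host and port match plus a path under the registered one, rejecting scheme-relative, userinfo-bearing and backslash-containing inputs.

```python
from urllib.parse import urlsplit

# Constructed allowlist standing in for a client's registered redirect URIs.
# The hosts are hypothetical and not taken from any real deployment.
ALLOWED_REDIRECTS = (
    "https://app.example.com/",
    "https://portal.example.com/callback",
)


def naive_prefix_check(candidate: str) -> bool:
    """The weak check: a plain string-prefix test. It accepts
    https://app.example.com.evil.example/ because that string starts with
    the trusted origin."""
    return candidate.startswith("https://app.example.com")


def is_safe_redirect(candidate, allowlist=ALLOWED_REDIRECTS) -> bool:
    """Hardened check: parse the URL and require an exact scheme/host/port
    match with an allowlisted entry plus a path equal to, or nested under,
    the entry's path. Relative, scheme-relative, userinfo-bearing,
    backslash- or newline-containing inputs are rejected outright."""
    if not isinstance(candidate, str) or any(c in candidate for c in "\\\r\n"):
        return False
    try:
        parts = urlsplit(candidate)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https" or not parts.hostname:
        return False
    if parts.username or parts.password:
        return False
    if ".." in parts.path.split("/"):
        return False
    for entry in allowlist:
        ref = urlsplit(entry)
        if parts.hostname != ref.hostname or port != ref.port:
            continue
        ref_path = ref.path.rstrip("/")
        cand_path = parts.path or "/"
        if cand_path == ref_path or cand_path.startswith(ref_path + "/"):
            return True
    return False


if __name__ == "__main__":
    for url in ("https://app.example.com/account?x=1",
                "https://app.example.com.evil.example/",
                "https://app.example.com@evil.example/",
                "//evil.example/",
                "javascript:alert(1)"):
        print(f"{url!r:45} naive={naive_prefix_check(url)!s:5} safe={is_safe_redirect(url)}")
```

The hostname comparison uses the parsed `hostname`, which is what the browser will actually connect to; comparing on the raw string is what lets `app.example.com@evil.example` and `app.example.com.evil.example` slip past a prefix check.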
In Keycloak's OAuth 2.0 Pushed Authorization Requests (PAR) implementation a high severity vulnerability, CVE-2024-4540, was detected. Client-provided parameters were stored in plain text in the KC_RESTART cookie, which can disclose them. No fixed version is listed for this issue at the moment. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-4540.
In all Keycloak versions a low severity vulnerability, CVE-2024-5203, was detected. Because the authentication POST request carries no unique (anti-CSRF) token, an attacker can craft a fake login page that tricks users into authenticating with an attacker-controlled account. Currently there is no fixed version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-5203.
In Keycloak versions <= 24.0.3 a medium severity vulnerability, CVE-2024-4629, was detected. It allows an attacker to bypass the brute-force protection and therefore guess passwords faster than the configured attempt limits are meant to allow. To fix this problem, upgrade Keycloak to version 24.0.4. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-4629.
In Vault versions 1.16.7 and 1.17.3 a medium severity vulnerability, CVE-2024-8365, was detected. Client tokens and token accessors, which should be HMAC-hashed before they reach an audit device, were written to the audit logs in plaintext, exposing credentials to anyone who can read those logs. To fix this issue, update Vault to version 1.16.9 or 1.17.5. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-8365.
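Upgrading stops new leaks, but logs already shipped to a SIEM or object store may still hold live tokens. The scanner below is an added example, not a HashiCorp tool, that walks Vault-style JSON audit lines and flags any token or accessor field whose value is not in the expected `hmac-sha256:` form. The sample lines are constructed, and the token and accessor values in them are placeholders; the scanner reports only a short redacted prefix of each hit so that its own output does not re-leak the secret.

```python
import json

# Constructed sample audit-log lines in Vault's JSON audit format. Token and
# accessor values are placeholders, not real Vault output. Line 2 mimics the
# faulty behaviour: the values are not HMACed.
SAMPLE_AUDIT_LINES = [
    '{"type":"request","auth":{"client_token":"hmac-sha256:3b2f","accessor":"hmac-sha256:9c1d"},'
    '"request":{"path":"secret/data/app","client_token":"hmac-sha256:3b2f",'
    '"client_token_accessor":"hmac-sha256:9c1d"}}',
    '{"type":"response","auth":{"client_token":"hvs.CAESIDEMOTOKENVALUE","accessor":"DemoAccessorValue"},'
    '"request":{"path":"sys/internal/ui/mounts"}}',
    "garbage line that is not JSON",
]

# Keys whose values an audit device is expected to receive in HMACed form.
SENSITIVE_KEYS = {"client_token", "client_token_accessor", "accessor", "token"}
HMAC_PREFIX = "hmac-sha256:"


def _leaves(obj, path=""):
    """Yield (dotted_path, value) for every scalar in a nested JSON object."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from _leaves(val, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            yield from _leaves(val, f"{path}[{i}]")
    else:
        yield path, obj


def find_plaintext_tokens(lines):
    """Return (findings, unparseable_count). Each finding is
    (line_number, json_path, redacted_prefix). The full value is never
    returned, so running the scanner does not copy the secret elsewhere."""
    findings = []
    unparseable = 0
    for lineno, line in enumerate(lines, start=1):
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            unparseable += 1
            continue
        for path, value in _leaves(entry):
            key = path.rsplit(".", 1)[-1]
            if (key in SENSITIVE_KEYS and isinstance(value, str) and value
                    and not value.startswith(HMAC_PREFIX)):
                findings.append((lineno, path, value[:4] + "..."))
    return findings, unparseable


if __name__ == "__main__":
    hits, skipped = find_plaintext_tokens(SAMPLE_AUDIT_LINES)
    for lineno, path, prefix in hits:
        print(f"line {lineno}: {path} holds a non-HMACed value starting {prefix}")
    print(f"{len(hits)} finding(s), {skipped} unparseable line(s)")
```

Every hit is a token that should be treated as compromised: revoke it by accessor (`vault token revoke -accessor`) and treat the affected log files themselves as sensitive material.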
In authentik versions >= 2024.6.0-rc1 and < 2024.6.4, as well as versions < 2024.4.4, a high severity vulnerability, CVE-2024-42490, was detected. Several API endpoints lacked proper authentication or authorization checks, potentially allowing attackers to read sensitive information such as certificates and private keys. To fix this issue, update authentik to version 2024.6.4 or 2024.4.4. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-42490.
In Nextcloud Server versions 25.0.0 to 25.0.6 and 26.0.0 to 26.0.1 a low severity vulnerability, CVE-2024-37314, was detected in the Nextcloud Photos app. This vulnerability allows users to remove photos from the albums of other registered users. To address this issue, it is recommended to upgrade to Nextcloud Server version 25.0.7 or 26.0.2, or Nextcloud Enterprise Server version 25.0.7 or 26.0.2. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-37314.
In Nextcloud Server versions 27.1.9 and earlier a low severity vulnerability, CVE-2024-37887, was detected. This vulnerability allows attackers to read the recurrence exceptions of events in privately shared calendars. To address this issue, it is recommended to upgrade Nextcloud Server to version 27.1.10, 28.0.6, or 29.0.1, and Nextcloud Enterprise Server to version 27.1.10, 28.0.6, or 29.0.1. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-37887.