In Authentik a high severity vulnerability CVE-2024-37905 was detected. This vulnerability allows attackers to get admin access. To address this issue, users should update Authentik to versions 2024.6.0, 2024.2.4, and 2024.4.3. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-37905/.
Read more Security
In FreeIPA a high severity vulnerability CVE-2024-2698 was detected. This vulnerability allows attackers to get access by bypassing the authorization. There is not solution to this yet. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-2698/.
Read more Security
In Keycloak a low severity vulnerability CVE-2024-5967 was detected. This flaw in the LDAP testing endpoint of Keycloak allows an attacker with admin access to change the LDAP connection URL to their server, potentially exposing domain credentials. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-5967/.
Read more Security
In FreeIPA involving Kerberos TGS-REQ (Ticket Granting Service Request) a high severity vulnerability CVE-2024-3183 was detected. It allows attackers who compromise a principal to potentially decrypt tickets encrypted with other principals’ keys. By offline brute-force attacks on stolen tickets and salts, attackers could find passwords and decrypt these tickets. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-3183.
Read more Security
In WooCommerce a medium severity vulnerability CVE-2024-35634 was detected. This vulnerability allows attackers to include local PHP files by using recent purchases. There is no solution to this yet. For more details, visit https://www.cvedetails.com/cve/CVE-2024-35634/.
Read more Security
In Keycloak a high severity vulnerability CVE-2024-1132 was detected. URLs included in a redirect are not properly validated. Attackers can create malicious requests to bypass validation and access other URLs and sensitive information. It affects clients using a wildcard in the Valid Redirect URIs field and needs user interaction. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-1132/.
Read more Security
In the Keycloak OpenID Connect component in the “checkLoginIframe” a high severity vulnerability CVE-2024-1249 was detected. The vulnerability allows unvalidated cross-origin messages. Attackers can coordinate and send millions of requests in seconds using simple code. It significantly impacts the application’s availability without proper origin validation for incoming messages. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-1249/.
Read more Security
In Vault and Vault Enterprise versions from 1.14.0 up to 1.15.6 and 1.14.10 a medium severity vulnerability CVE-2024-2660 was detected. The TLS certificate authentication method failed to verify Online Certificate Status Protocol (OCSP) responses from multiple sources, potentially allowing unauthorized access. This issue is resolved in Vault version 1.16.0 and Vault Enterprise versions 1.16.1, 1.15.7, and 1.14.11. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-2660/.
Read more Security
In FreeIPA a medium severity vulnerability CVE-2024-1481 was detected. This issue may cause some failures in authentication processes, but it does not allow anyone to access sensitive data or damage the integrity of the system. For more information, visit https://avd.aquasec.com/nvd/2024/cve-2024-1481.
Read more Security