Security

In Keycloak in OAuth 2.0 Pushed Authorization Requests (PAR) a high severity vulnerability CVE-2024-4540 was detected. Client-provided parameters in plain text were found in the KC_RESTART cookie, potentially leading to an information disclosure vulnerability. There’s no fix available for this issue at the moment. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-4540.

In Keycloak versions <= 24.0.3 a medium severity vulnerability CVE-2024-4629 was detected. This vulnerability allows attackers to guess passwords more quickly than intended by exploiting delays in the system’s login attempts. To fix this problem, users should upgrade Keycloak to version 24.0.4. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-4629.

In Vault versions 1.16.7 and 1.17.3 a medium severity vulnerability CVE-2024-8365 was detected. This vulnerability allows plaintext client tokens and token accessors, which should have been securely hashed, to be stored directly in the audit logs, exposing sensitive information and potentially compromising security. To fix this issue, users should update Vault to versions 1.16.9 or 1.17.5. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-8365.

In Authentik versions >= 2024.6.0-rc1, < 2024.6.4 < 2024.4.4 a high severity vulnerability CVE-2024-42490 was detected. The vulnerability allows attackers to potentially access sensitive information, like certificates and private keys, by exploiting endpoints without proper authentication or authorization checks. To fix this issue, users should update Authentik to versions 2024.6.4 or 2024.4.4. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-42490.

In Vault and Vault Enterprise versions prior to 1.17.1 and 1.16.5 a medium severity vulnerability CVE-2024-6468 was detected. This vulnerability allows attackers to avoid security barriers and gain access to protected user information. To fix this problem, users should upgrade Vault and Vault Enterprise to versions 1.17.2, 1.16.6, and 1.15.12. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-6468.

In OpenVPN versions 2.6.10 a high severity vulnerability CVE-2024-28882 was detected. This vulnerability allows attackers, who already have access, to mess up the server’s ability to close connections. To fix this problem, users should upgrade OpenVPN to version 2.6.11. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-28882.

In OpenVPN version 2.6.9 a high severity vulnerability CVE-2024-27459 was detected. This vulnerability allows attackers to gain higher system privileges by sending oversized messages, which can cause the service to malfunction and grant unauthorized access. To fix this problem, users should upgrade OpenVPN to version 2.6.10. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-27459.

In OpenVPN version 2.6.9 a high severity vulnerability CVE-2024-24974 was detected. This vulnerability allows attackers to connect to and interact with this service, potentially gaining unauthorized access to the OpenVPN service. To fix this problem, users should upgrade OpenVPN to version 2.6.10. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-24974.

In OpenVPN versions 2.6.9 and earlier a high severity vulnerability CVE-2024-27903 was detected. The plug-ins on Windows can be loaded from any directory, which allows an attacker to load an arbitrary plug-in, enabling interaction with the privileged OpenVPN interactive service. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-27903.