In Keycloak versions prior to 26.0.8, a medium severity vulnerability, CVE-2024-11736, was detected. It allows admin users to access sensitive server environment variables and system properties through URLs: placeholders such as ${env.VARNAME} or ${PROPNAME} are replaced with their actual values during URL processing. To address this issue, upgrade Keycloak to version 26.0.8 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-11736.
In Keycloak version 21.0.2, a medium severity vulnerability, CVE-2024-11734, was detected. It allows attackers to disrupt the Keycloak service by modifying security headers, causing requests to fail and the service to become unavailable. To fix this issue, upgrade Keycloak to version 26.0.8. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-11734.
In Vaultwarden versions before 1.32.5, a critical severity vulnerability, CVE-2024-55225, was detected. It allows attackers to impersonate users, including administrators, through a crafted authorization request. To address this issue, upgrade Vaultwarden to version 1.32.5 or later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-55225.
In Vaultwarden version 1.32.5, a low severity vulnerability, CVE-2024-55226, was detected. It allows attackers to perform authenticated reflected Cross-Site Scripting (XSS) attacks via the `/api/core/mod.rs` component. To address this issue, upgrade Vaultwarden to version 1.32.5 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-55226.
In OpenVPN versions prior to 2.6.11, a critical severity vulnerability, CVE-2024-5594, was detected. It allows attackers to exploit improperly sanitized PUSH_REPLY messages, potentially injecting arbitrary data into third-party executables or plug-ins. To address this issue, upgrade to OpenVPN version 2.6.11 or later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-5594.
In Invoice Ninja versions before 5.10.43, a high severity vulnerability, CVE-2024-55555, was detected. It allows attackers with access to the APP_KEY to execute remote code without authentication. The issue arises from insecure handling of serialized objects in a pre-authenticated route. To address this issue, upgrade to Invoice Ninja version 5.10.43 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-55555.
In Vaultwarden versions 1.32.6 and prior, a high severity vulnerability, CVE-2024-56335, was detected. Under specific conditions it allows attackers to update or delete groups in an organization, potentially causing denial of service or privilege escalation. No patched version has been officially released at this time. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-56335.
In Keycloak versions before 25.0.0 and before 26.0.6, a medium severity vulnerability, CVE-2024-10973, was detected. It allows attackers on adjacent networks to access sensitive information because data is transmitted unencrypted. To fix this issue, upgrade Keycloak to version 26.0.6 or higher. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-10973.
In Keycloak OIDC-Client versions 34.0.1 and prior, a medium severity vulnerability, CVE-2024-12369, was detected. It allows attackers to inject a stolen authorization code into their own session and thereby impersonate the victim with the victim's identity. The attack can be carried out via a Man-in-the-Middle (MitM) or phishing attack. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-12369.