Executive Summary
| Summary | |
|---|---|
| Title | Red Hat Single Sign-On 7.3.2 security update |
| Informations | |||
|---|---|---|---|
| Name | RHSA-2019:1456 | First vendor Publication | 2019-06-11 |
| Vendor | RedHat | Last vendor Modification | 2019-06-11 |
| Severity (Vendor) | N/A | Revision | 01 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:M/Au:S/C:P/I:P/A:P) | |||
|---|---|---|---|
| Cvss Base Score | 6 | Attack Range | Network |
| Cvss Impact Score | 6.4 | Attack Complexity | Medium |
| Cvss Expoit Score | 6.8 | Authentication | Requires single instance |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| Problem Description: A security update is now available for Red Hat Single Sign-On 7.3 from the Customer Portal. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat Single Sign-On 7.3 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This release of Red Hat Single Sign-On 7.3.2 serves as a replacement for Red Hat Single Sign-On 7.3.1, and includes bug fixes and enhancements, which are documented in the Release Notes document. Security Fix(es): * bootstrap: XSS in the data-target attribute (CVE-2016-10735) * bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy (CVE-2018-14041) * bootstrap: XSS in the tooltip data-viewport attribute (CVE-2018-20676) * bootstrap: XSS in the affix configuration target property (CVE-2018-20677) * picketlink: reflected XSS in SAMLRequest via RelayState parameter (CVE-2019-3872) * picketlink: URL injection via xinclude parameter (CVE-2019-3873) * keycloak: X.509 authentication: CRL signatures are not verified (CVE-2019-3875) * undertow: leak credentials to log files UndertowLogger.REQUEST_LOGGER.undertowRequestFailed (CVE-2019-3888) * bootstrap: XSS in the tooltip or popover data-template attribute (CVE-2019-8331) * keycloak: Node.js adapter internal NBF can be manipulated (CVE-2019-10157) * js-jquery: prototype pollution in object's prototype leading to denial of service or remote code execution or property injection (CVE-2019-11358) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on. The References section of this erratum contains a download link (you must log in to download the update). 4. Bugs fixed (https://bugzilla.redhat.com/): 1601616 - CVE-2018-14041 bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy 1668082 - CVE-2018-20676 bootstrap: XSS in the tooltip data-viewport attribute 1668089 - CVE-2018-20677 bootstrap: XSS in the affix configuration target property 1668097 - CVE-2016-10735 bootstrap: XSS in the data-target attribute 1686454 - CVE-2019-8331 bootstrap: XSS in the tooltip or popover data-template attribute 1688966 - CVE-2019-3872 picketlink: reflected XSS in SAMLRequest via RelayState parameter 1689014 - CVE-2019-3873 picketlink: URL injection via xinclude parameter 1690628 - CVE-2019-3875 keycloak: missing signatures validation on CRL used to verify client certificates 1693777 - CVE-2019-3888 undertow: leak credentials to log files UndertowLogger.REQUEST_LOGGER.undertowRequestFailed 1701972 - CVE-2019-11358 js-jquery: prototype pollution in object's prototype leading to denial of service or remote code execution or property injection 1702953 - CVE-2019-10157 keycloak: Node.js adapter internal NBF can be manipulated leading to DoS. 5. References: https://access.redhat.com/security/cve/CVE-2016-10735 https://access.redhat.com/security/cve/CVE-2018-14041 https://access.redhat.com/security/cve/CVE-2018-20676 https://access.redhat.com/security/cve/CVE-2018-20677 https://access.redhat.com/security/cve/CVE-2019-3872 https://access.redhat.com/security/cve/CVE-2019-3873 https://access.redhat.com/security/cve/CVE-2019-3875 https://access.redhat.com/security/cve/CVE-2019-3888 https://access.redhat.com/security/cve/CVE-2019-8331 https://access.redhat.com/security/cve/CVE-2019-10157 https://access.redhat.com/security/cve/CVE-2019-11358 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.rhsso&downloadType=securityPatches&version=7.3 https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.3/ |
Original Source
| Url : https://rhn.redhat.com/errata/RHSA-2019-1456.html |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 70 % | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25) |
| 10 % | CWE-532 | Information Leak Through Log Files |
| 10 % | CWE-295 | Certificate Issues |
| 10 % | CWE-287 | Improper Authentication |
CPE : Common Platform Enumeration
Alert History
| Date | Informations |
|---|---|
| 2020-03-19 13:18:30 |
|
