Threats Tagged 'csaf'

View all threats tagged with 'csaf'. Filter and sort to focus on specific types of threats.

Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update (CVE-2025-15367)

Red Hat has issued a security advisory (RHSA-2026:5994) addressing a medium severity vulnerability identified as CVE-2025-15367 affecting Red Hat Hardened Images RPMs, specifically python3.14 packages. The update includes bug fixes and enhancements across multiple python3.14-related RPMs for aarch64 and x86_64 architectures. No known exploits are reported in the wild. The advisory does not specify affected product versions or detailed vulnerability impact beyond the CWE-77 classification.

Red Hat Security Advisory: multicluster engine for Kubernetes v2.11.0 General Availability (CVE-2026-6322)

The multicluster engine for Kubernetes v2.11.0 by Red Hat provides foundational components for centralized management of multiple Kubernetes clusters across various environments. This release includes new features, enhancements, and bug fixes. The advisory references multiple CVEs affecting the engine but does not specify affected versions or provide patch details. No known exploits are reported in the wild.

Red Hat Security Advisory: poppler security update (CVE-2026-10118)

Poppler is a Portable Document Format (PDF) rendering library, used by applications such as Evince.

Security Fix(es):

* poppler: Integer overflow in Poppler SplashOutputDev::tilingPatternFill leads to heap buffer overflow via unchecked dimension multiplication (CVE-2026-10118)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat Security Advisory: mod_http2 security update (CVE-2026-49975)

The mod_h2 Apache httpd module implements the HTTP2 protocol (h2+h2c) on top of libnghttp2 for httpd 2.4 servers.

Security Fix(es):

* httpd: HTTP/2: Remote Denial of Service via compression bomb and Slowloris-style attack (CVE-2026-49975)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat Security Advisory: OpenShift Container Platform 4.21.19 bug fix and security update (CVE-2026-1784)

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.21.19. See the following advisory for the RPM packages for this release:
https://access.redhat.com/errata/RHBA-2026:23239

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:
https://docs.redhat.com/en/documentation/openshift_container_platform/4.21/html/release_notes/

Red Hat Security Advisory: OpenShift Container Platform 4.19.33 bug fix and security update (CVE-2026-1784)

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.19.33. See the following advisory for the RPM packages for this release:
https://access.redhat.com/errata/RHSA-2026:23244

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:
https://docs.redhat.com/en/documentation/openshift_container_platform/4.19/html/release_notes/

CVE-2026-5201: Heap-based Buffer Overflow in Red Hat Red Hat Enterprise Linux 10 (CVE-2026-5201)

The gdk-pixbuf2 packages provide an image loading library that can be extended by loadable modules for new image formats. It is used by toolkits such as GTK+ or clutter.

Security Fix(es):

* gdk-pixbuf: gdk-pixbuf: Denial of Service via heap-based buffer overflow when processing a specially crafted JPEG image (CVE-2026-5201)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat Security Advisory: Red Hat build of Keycloak 26.6.3 Images Update (CVE-2026-4874)

Red Hat build of Keycloak is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat build of Keycloak for OpenShift image provides an authentication server that you can use to log in centrally, log out, and register. You can also manage user accounts for web applications, mobile applications, and RESTful web services. Red Hat build of Keycloak Operator for OpenShift simplifies deployment and management of Keycloak 26.6.3 clusters.

This erratum releases new images for Red Hat build of Keycloak 26.6.3 for use within the OpenShift Container Platform cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments, aligning with the standalone product release.

Security fixes:

* Security restriction bypass allows unauthorized ROPC token acquisition (CVE-2026-9792)
* Privilege escalation due to oversized subject_token JWT (CVE-2026-9704)
* Denial of Service via malformed LDAP password policy response (CVE-2026-9801)
* Denial of Service via malformed Authorization header (CVE-2026-9803)
* Organization Data Leak After Feature Disabled in Keycloak (CVE-2026-9791)
* Information disclosure via SAML ECP endpoint (CVE-2026-9794)
* Unauthorized account access via replayed refresh tokens after cluster restart (CVE-2026-9802)
* Cross-Session Email Verification Proof Not Bound to Upstream Identity in First-Broker-Login (CVE-2026-9087)
* Information disclosure due to user profile permission bypass (CVE-2026-9088)
* Policy bypass during WebAuthn credential registration via client-side JavaScript manipulation (CVE-2026-8830)
* Improper Access Control on Keycloak Server when the account Account API feature is disabled (CVE-2026-7500)
* Security flaw in org.keycloak/keycloak-services (CVE-2026-8922)
* Information disclosure via CORS header injection due to unvalidated JWT azp claim (CVE-2026-37977)
* Server-Side Request Forgery via OIDC token endpoint manipulation (CVE-2026-4874)

CVE-2026-4874: Server-Side Request Forgery (SSRF) in Red Hat Red Hat build of Keycloak 26.6 (CVE-2026-4874)

A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating the `client_session_host` parameter during refresh token requests. This occurs when a Keycloak client is configured to use the `backchannel.logout.url` with the `application.session.host` placeholder. Successful exploitation allows the attacker to make HTTP requests from the Keycloak server’s network context, potentially probing internal networks or internal APIs, leading to information disclosure.

Ubiquiti UniFi OS: Multiple vulnerabilities (CVE-2026-47367)

UniFi is Ubiquiti's end-to-end network ecosystem for businesses and smart homes.

Showing 1 to 10 of 1947 results
