{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/red-hat/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8,"id":"CVE-2026-14476"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["SSSD AD GPO provider","Red Hat Enterprise Linux 10","Red Hat Enterprise Linux 7","Red Hat Enterprise Linux 8","Red Hat Enterprise Linux 9","Red Hat OpenShift Container Platform 4"],"_cs_severities":["high"],"_cs_tags":["path-traversal","privilege-escalation","authentication-bypass","kerberos","linux","red-hat","sssd","cve"],"_cs_type":"advisory","_cs_vendors":["Red Hat"],"content_html":"\u003cp\u003eA critical path traversal vulnerability, tracked as CVE-2026-14476, has been identified in the System Security Services Daemon (SSSD) AD GPO provider. This flaw resides within the \u003ccode\u003ead_gpo_extract_smb_components()\u003c/code\u003e function, which fails to properly sanitize \u003ccode\u003e..\u003c/code\u003e sequences embedded within the \u003ccode\u003egPCFileSysPath\u003c/code\u003e LDAP attribute. This oversight enables an attacker, who has already secured Active Directory GPO management privileges, to craft a malicious attribute that directs file writes outside the intended GPO cache directory. Exploitation results in the ability to write arbitrary files as the \u003ccode\u003eroot\u003c/code\u003e user on affected systems. Specifically, on default Red Hat Enterprise Linux (RHEL) configurations with SELinux in enforcing mode, this vulnerability can be leveraged to inject malicious Kerberos configuration, ultimately leading to an authentication bypass, compromising system integrity and access controls.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains or already possesses valid Active Directory GPO management credentials and access.\u003c/li\u003e\n\u003cli\u003eUsing their GPO management privileges, the attacker modifies the \u003ccode\u003egPCFileSysPath\u003c/code\u003e LDAP attribute to include \u003ccode\u003e..\u003c/code\u003e path traversal sequences.\u003c/li\u003e\n\u003cli\u003eThe crafted \u003ccode\u003egPCFileSysPath\u003c/code\u003e attribute is designed to point to a sensitive system directory outside the normal GPO cache on the target SSSD-managed RHEL system.\u003c/li\u003e\n\u003cli\u003eWhen SSSD's \u003ccode\u003ead_gpo_extract_smb_components()\u003c/code\u003e function processes this attribute, it inadequately sanitizes the \u003ccode\u003e..\u003c/code\u003e sequences, misinterpreting the attacker's intended path.\u003c/li\u003e\n\u003cli\u003eThis allows the attacker to write arbitrary files with \u003ccode\u003eroot\u003c/code\u003e privileges to a chosen location on the affected RHEL system, bypassing normal file system permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker injects a malicious Kerberos configuration file (e.g., within \u003ccode\u003e/etc/krb5.conf.d/\u003c/code\u003e or \u003ccode\u003e/etc/krb5.conf\u003c/code\u003e) into a directory that is processed by the system's Kerberos client.\u003c/li\u003e\n\u003cli\u003eThe injected configuration manipulates Kerberos authentication parameters, potentially redirecting authentication requests or enabling compromise of Kerberos tickets.\u003c/li\u003e\n\u003cli\u003eThis manipulation leads to an authentication bypass, granting the attacker unauthorized access or elevated privileges on the SSSD-managed RHEL system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-14476 grants an authenticated attacker (with AD GPO management access) the ability to achieve arbitrary file write as root on targeted Red Hat Enterprise Linux systems. This level of access allows for critical system compromise, including the injection of malicious Kerberos configurations that can lead to a full authentication bypass. The consequence is a complete compromise of system integrity, confidentiality, and availability, enabling unauthorized access to sensitive data and critical system functions. Organizations relying on SSSD for Active Directory integration on RHEL are at risk, with potential for widespread compromise if AD GPO management systems are breached.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-14476 by applying the latest security updates provided by Red Hat for SSSD to all affected Red Hat Enterprise Linux and OpenShift Container Platform installations.\u003c/li\u003e\n\u003cli\u003eReview and restrict Active Directory GPO management access to only necessary administrative accounts, following the principle of least privilege.\u003c/li\u003e\n\u003cli\u003eMonitor for unusual file creation or modification events in sensitive system directories (e.g., \u003ccode\u003e/etc/krb5.conf\u003c/code\u003e, \u003ccode\u003e/etc/krb5.conf.d/\u003c/code\u003e) on SSSD-managed RHEL systems.\u003c/li\u003e\n\u003cli\u003eImplement host-based intrusion detection systems to alert on unexpected changes to Kerberos configuration files or attempts to write files outside standard GPO cache locations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-07T10:19:46Z","date_published":"2026-07-07T10:19:46Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14476-sssd-path-traversal/","summary":"A path traversal vulnerability (CVE-2026-14476) in SSSD's Active Directory Group Policy Object (AD GPO) provider allows an authenticated attacker with AD GPO management access to write arbitrary files outside the GPO cache directory with root privileges, leading to Kerberos configuration injection and potential authentication bypass on Red Hat Enterprise Linux systems.","title":"CVE-2026-14476: SSSD AD GPO Provider Path Traversal to Root File Write and Authentication Bypass","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14476-sssd-path-traversal/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.7,"id":"CVE-2026-9165"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Red Hat Advanced Cluster Security for Kubernetes","Red Hat Advanced Cluster Security 4"],"_cs_severities":["medium"],"_cs_tags":["kubernetes","red-hat","dos","vulnerability","graphql"],"_cs_type":"advisory","_cs_vendors":["Red Hat"],"content_html":"\u003cp\u003eA high-severity flaw, identified as CVE-2026-9165, has been discovered in Red Hat Advanced Cluster Security for Kubernetes (RHACS). Specifically, the vulnerability affects the Central component of RHACS, which serves as the management plane for cluster security. The issue stems from the authenticated GraphQL API's failure to limit the depth of incoming GraphQL queries. An attacker who has already obtained a valid API token for RHACS Central can exploit this by submitting excessively complex and deeply nested GraphQL queries. This malicious activity leads to uncontrolled resource consumption within the Central component, including CPU and memory. The consequence is a denial of service (DoS) for the entire RHACS management plane, preventing legitimate administrators from monitoring, configuring, or enforcing security policies across their Kubernetes clusters. This vulnerability highlights the importance of input validation and resource governance in API design, even for authenticated endpoints.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access (Prerequisite):\u003c/strong\u003e An attacker gains unauthorized access to a valid API token for the Red Hat Advanced Cluster Security for Kubernetes (RHACS) Central component, potentially through credential compromise or misconfiguration.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAPI Identification:\u003c/strong\u003e The attacker identifies the authenticated GraphQL API endpoint exposed by the RHACS Central component.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eQuery Crafting:\u003c/strong\u003e The attacker constructs a GraphQL query with an intentionally deep and complex nesting structure, designed to demand significant computational resources from the server.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuthenticated Request:\u003c/strong\u003e The crafted, deeply nested GraphQL query is sent by the attacker to the RHACS Central authenticated GraphQL API, using the previously obtained valid API token.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUncontrolled Resource Consumption:\u003c/strong\u003e RHACS Central's GraphQL API processes the received query without enforcing limits on query depth or complexity, causing an exponential increase in its resource utilization (CPU, memory, network).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSystem Degradation:\u003c/strong\u003e The Central component's performance rapidly deteriorates as it struggles to manage the overwhelming resource demands imposed by the malicious query.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDenial of Service:\u003c/strong\u003e The RHACS Central management plane becomes unresponsive or crashes due to resource exhaustion, effectively preventing legitimate administrative access and rendering the security platform inoperable.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eOperational Impact:\u003c/strong\u003e Security operations are disrupted, leading to a loss of visibility, control, and enforcement capabilities for the targeted Kubernetes clusters, potentially creating a window for further attacks or compliance breaches.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe primary impact of CVE-2026-9165 is a denial of service (DoS) for the management plane of Red Hat Advanced Cluster Security for Kubernetes. This means that administrators would be unable to access, configure, or monitor their cluster security posture through the RHACS Central interface. Such an outage could lead to significant operational disruptions, potentially hindering the ability to respond to ongoing security incidents, apply necessary policy updates, or maintain compliance. While no specific victim counts or targeted sectors are provided, any organization utilizing vulnerable versions of RHACS could be affected, facing a critical loss of their security control plane.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-9165:\u003c/strong\u003e Immediately apply the security updates provided by Red Hat to remediate CVE-2026-9165 on all affected Red Hat Advanced Cluster Security for Kubernetes Central components.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMonitor RHACS Central Resources:\u003c/strong\u003e Monitor the CPU, memory, and network utilization of your RHACS Central components for unusual spikes or sustained high usage, which could indicate attempted exploitation of the vulnerability.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReview API Access:\u003c/strong\u003e Regularly audit and rotate API tokens used for RHACS Central to minimize the window of opportunity for an attacker using a compromised token.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-06T09:27:36Z","date_published":"2026-07-06T09:27:36Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-9165-rhacs-dos/","summary":"An authenticated denial of service vulnerability (CVE-2026-9165) exists in the Red Hat Advanced Cluster Security for Kubernetes (RHACS) Central component, allowing attackers with a valid API token to send deeply nested GraphQL queries that cause excessive resource consumption and render the management plane unavailable.","title":"CVE-2026-9165 - Red Hat Advanced Cluster Security for Kubernetes Central Component Denial of Service","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-9165-rhacs-dos/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["JBoss Enterprise Application Platform"],"_cs_severities":["high"],"_cs_tags":["vulnerability","rce","xss","dos","information-disclosure","red-hat","jboss","enterprise-application-platform","server-side"],"_cs_type":"advisory","_cs_vendors":["Red Hat"],"content_html":"\u003cp\u003eA remote, unauthenticated attacker can exploit multiple vulnerabilities in Red Hat JBoss Enterprise Application Platform (EAP) to achieve various malicious outcomes. These vulnerabilities, detailed in a BSI (Cert-Bund) advisory (WID-SEC-2023-0239) published on 2026-07-06, could lead to arbitrary code execution, cross-site scripting (XSS) attacks, sensitive information disclosure, denial of service (DoS) conditions, or the bypass of existing security mechanisms. The unauthenticated and remote nature of these vulnerabilities means they are accessible to a broad range of attackers, increasing the urgency of patching and highlighting the critical need for organizations utilizing JBoss EAP to apply security updates immediately to mitigate significant risks. These flaws affect various components within the JBoss EAP, potentially allowing for full system compromise, unauthorized data access, and disruption of critical business services.\u003c/p\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of these vulnerabilities could lead to severe consequences for affected organizations. Arbitrary code execution might result in complete control over the compromised JBoss EAP server, allowing attackers to deploy malware, exfiltrate sensitive data, or establish persistence within the network. Cross-site scripting vulnerabilities could enable session hijacking or credential theft from legitimate users, impacting user data integrity and confidentiality. Information disclosure could expose proprietary business data, customer details, or internal system configurations, leading to compliance violations and reputational damage. Denial of service attacks can disrupt critical applications and services, leading to significant operational downtime and financial losses. The ability to bypass security mechanisms further exacerbates these risks, making the platform vulnerable to subsequent attacks. Given the broad range of potential impacts, organizations must prioritize remediation to prevent significant operational and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply all available security updates and patches for Red Hat JBoss Enterprise Application Platform immediately, as advised by Red Hat and BSI (WID-SEC-2023-0239).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-06T08:21:07Z","date_published":"2026-07-06T08:21:07Z","id":"https://feed.craftedsignal.io/briefs/2026-07-red-hat-jboss-vulnerabilities/","summary":"Multiple vulnerabilities in Red Hat JBoss Enterprise Application Platform allow a remote, unauthenticated attacker to execute arbitrary code, perform cross-site scripting (XSS) attacks, disclose sensitive information, cause a denial of service, or bypass security mechanisms, posing a significant risk of system compromise and data exposure.","title":"Red Hat JBoss Enterprise Application Platform: Multiple Vulnerabilities","url":"https://feed.craftedsignal.io/briefs/2026-07-red-hat-jboss-vulnerabilities/"}],"language":"en","title":"CraftedSignal Threat Feed - Red-Hat","version":"https://jsonfeed.org/version/1.1"}