SB2026031945 - RSA Authentication Manager update for third-party components
Published: March 19, 2026
Description
This security bulletin contains information about 18 security vulnerabilities.
1) Deserialization of Untrusted Data (CVE-ID: CVE-2021-21351)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
2) Improper input validation (CVE-ID: CVE-2026-21925)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The vulnerability exists due to improper input validation within the RMI component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.
3) Improper input validation (CVE-ID: CVE-2026-21933)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The vulnerability exists due to improper input validation within the Networking component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.
4) Uncontrolled Recursion (CVE-ID: CVE-2025-53864)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack via a deeply nested JSON object supplied in a JWT claim set.
5) Race condition (CVE-ID: CVE-2025-12383)
The vulnerability allows a remote attacker to bypass trust restrictions.
The vulnerability exists due to a race condition in the SSL/TLS configuration handling. A remote attacker can bypass trust restrictions and gain unauthorized access to the application.
6) Protection Mechanism Failure (CVE-ID: CVE-2025-41249)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists because the annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. A remote attacker can gain access to sensitive information.
7) Resource exhaustion (CVE-ID: CVE-2025-48976)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because Apache Commons FileUpload provided a hard-coded limit of 10kB for the size of the headers associated with a multipart request. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
8) Deserialization of Untrusted Data (CVE-ID: CVE-2021-21350)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
9) Integer overflow (CVE-ID: CVE-2025-14512)
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to an integer overflow within GLib's GIO escape_byte_string() function when processing a malicious file or remote filesystem attribute values. A remote attacker can trick the victim into opening a specially crafted file, trigger an integer overflow and perform a denial of service attack.
10) Deserialization of Untrusted Data (CVE-ID: CVE-2021-21347)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
11) Deserialization of Untrusted Data (CVE-ID: CVE-2021-21346)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
12) Deserialization of Untrusted Data (CVE-ID: CVE-2021-21345)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
13) Deserialization of Untrusted Data (CVE-ID: CVE-2021-21342)
The vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists due to insecure input validation when processing serialized data. A remote attacker can pass specially crafted data to the application and perform an SSRF attack.
14) Input validation error (CVE-ID: CVE-2013-7285)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insufficient validation of user-supplied input passed in XML and JSON formats to the XStream API. A remote attacker can send a specially crafted request to the affected application and execute arbitrary code on the target system.
15) Out-of-bounds read (CVE-ID: CVE-2023-53705)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to an out-of-bounds read error within the ipv6_find_tlv() function in net/ipv6/exthdrs_core.c. A local user can perform a denial of service (DoS) attack.
16) Use-after-free (CVE-ID: CVE-2022-50542)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the si470x_usb_driver_probe() function in drivers/media/radio/si470x/radio-si470x-usb.c. A local user can escalate privileges on the system.
17) Missing authorization (CVE-ID: CVE-2025-12817)
The vulnerability allows a remote user to perform a denial of service attack.
The vulnerability exists due to missing authorization in the CREATE STATISTICS command. A remote user can perform denial of service against other CREATE STATISTICS users by creating in any schema.
18) Buffer overflow (CVE-ID: CVE-2025-14087)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the bytestring_parse() and string_parse() functions of the GVariant parser when processing maliciously crafted input strings. A remote attacker can pass specially crafted input to the application, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Remediation
Install the update from the vendor's website.