Jboss Enterprise Application Platform

jboss_enterprise_application_platform

Vendor: Redhat • 243 CVEs

CVEs (243)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2019-14379 7Apple DebianFasterxml+4 more 24Active Iq Unified Manager Banking PlatformCommunications Diameter Signaling Router+21 more Nov 21, 2024 Jul 29, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code ex...Show more SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.Show less
CVE-2019-10184 2Netapp Redhat 6Active Iq Unified Manager Jboss Data GridJboss Enterprise Application Platform+3 more Nov 21, 2024 Jul 25, 2019 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 undertow before version 2.0.23.Final is vulnerable to an information leak issue. Web apps may have their directory structures predicted through requests without trailing slashes via the api.
CVE-2019-3873 1Redhat 2Jboss Enterprise Application Platform Single Sign On Nov 21, 2024 Jun 12, 2019 N/A· v4 9.0 CRITICAL· v3 6.0 MEDIUM· v2 It was found that Picketlink as shipped with Jboss Enterprise Application Platform 7.2 would accept an xinclude parameter in SAMLresponse XML. An attacker could use this flaw to send a URL to achieve cross-site scripting...Show more It was found that Picketlink as shipped with Jboss Enterprise Application Platform 7.2 would accept an xinclude parameter in SAMLresponse XML. An attacker could use this flaw to send a URL to achieve cross-site scripting or possibly conduct further attacks.Show less
CVE-2019-3872 1Redhat 2Jboss Enterprise Application Platform Single Sign On Nov 21, 2024 Jun 12, 2019 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 It was found that a SAMLRequest containing a script could be processed by Picketlink versions shipped in Jboss Application Platform 7.2.x and 7.1.x. An attacker could use this to send a malicious script to achieve cross-...Show more It was found that a SAMLRequest containing a script could be processed by Picketlink versions shipped in Jboss Application Platform 7.2.x and 7.1.x. An attacker could use this to send a malicious script to achieve cross-site scripting and obtain unauthorized information or conduct further attacks.Show less
CVE-2019-3894 1Redhat 2Jboss Enterprise Application Platform Wildfly Nov 21, 2024 May 3, 2019 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 It was discovered that the ElytronManagedThread in Wildfly's Elytron subsystem in versions from 11 to 16 stores a SecurityIdentity to run the thread as. These threads do not necessarily terminate if the keep alive time h...Show more It was discovered that the ElytronManagedThread in Wildfly's Elytron subsystem in versions from 11 to 16 stores a SecurityIdentity to run the thread as. These threads do not necessarily terminate if the keep alive time has not expired. This could allow a shared thread to use the wrong security identity when executing.Show less
CVE-2019-3805 1Redhat 2Jboss Enterprise Application Platform Wildfly Nov 21, 2024 May 3, 2019 N/A· v4 4.7 MEDIUM· v3 4.7 MEDIUM· v2 A flaw was discovered in wildfly versions up to 16.0.0.Final that would allow local users who are able to execute init.d script to terminate arbitrary processes on the system. An attacker could exploit this by modifying...Show more A flaw was discovered in wildfly versions up to 16.0.0.Final that would allow local users who are able to execute init.d script to terminate arbitrary processes on the system. An attacker could exploit this by modifying the PID file in /var/run/jboss-eap/ allowing the init.d script to terminate any process as root.Show less
CVE-2018-10934 1Redhat 2Jboss Enterprise Application Platform Single Sign On Nov 21, 2024 Mar 27, 2019 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 A cross-site scripting (XSS) vulnerability was found in the JBoss Management Console versions before 7.1.6.CR1, 7.1.6.GA. Users with roles that can create objects in the application can exploit this to attack other privi...Show more A cross-site scripting (XSS) vulnerability was found in the JBoss Management Console versions before 7.1.6.CR1, 7.1.6.GA. Users with roles that can create objects in the application can exploit this to attack other privileged users.Show less
CVE-2018-12023 5Debian FasterxmlFedoraproject+2 more 11Automation Manager Debian LinuxDecision Manager+8 more Nov 21, 2024 Mar 21, 2019 N/A· v4 7.5 HIGH· v3 5.1 MEDIUM· v2 An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpa...Show more An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.Show less
CVE-2018-12022 5Debian FasterxmlFedoraproject+2 more 11Automation Manager Debian LinuxDecision Manager+8 more Nov 21, 2024 Mar 21, 2019 N/A· v4 7.5 HIGH· v3 5.1 MEDIUM· v2 An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database acce...Show more An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.Show less
CVE-2018-14721 4Debian FasterxmlOracle+1 more 12Banking Platform Communications Billing And Revenue ManagementDebian Linux+9 more Nov 21, 2024 Jan 2, 2019 N/A· v4 10.0 CRITICAL· v3 7.5 HIGH· v2 FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.
CVE-2018-14720 4Debian FasterxmlOracle+1 more 12Banking Platform Communications Billing And Revenue ManagementDebian Linux+9 more Nov 21, 2024 Jan 2, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.
CVE-2018-14642 1Redhat 2Jboss Enterprise Application Platform Undertow Nov 21, 2024 Sep 18, 2018 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 An information leak vulnerability was found in Undertow. If all headers are not written out in the first write() call then the code that handles flushing the buffer will always write out the full contents of the writevBu...Show more An information leak vulnerability was found in Undertow. If all headers are not written out in the first write() call then the code that handles flushing the buffer will always write out the full contents of the writevBuffer buffer, which may contain data from previous requests.Show less
CVE-2016-7066 1Redhat 1Jboss Enterprise Application Platform Nov 21, 2024 Sep 11, 2018 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 It was found that the improper default permissions on /tmp/auth directory in JBoss Enterprise Application Platform before 7.1.0 can allow any local user to connect to CLI and allow the user to execute any arbitrary opera...Show more It was found that the improper default permissions on /tmp/auth directory in JBoss Enterprise Application Platform before 7.1.0 can allow any local user to connect to CLI and allow the user to execute any arbitrary operations.Show less
CVE-2016-7061 1Redhat 1Jboss Enterprise Application Platform Nov 21, 2024 Sep 10, 2018 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 An information disclosure vulnerability was found in JBoss Enterprise Application Platform before 7.0.4. It was discovered that when configuring RBAC and marking information as sensitive, users with a Monitor role are ab...Show more An information disclosure vulnerability was found in JBoss Enterprise Application Platform before 7.0.4. It was discovered that when configuring RBAC and marking information as sensitive, users with a Monitor role are able to view the sensitive information.Show less
CVE-2018-1000632 5Debian Dom4j ProjectNetapp+2 more 14Debian Linux Dom4jFlexcube Investor Servicing+11 more Nov 21, 2024 Aug 20, 2018 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection....Show more dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.Show less
CVE-2018-1336 4Apache CanonicalDebian+1 more 8Debian Linux Enterprise Linux DesktopEnterprise Linux Server+5 more Nov 21, 2024 Aug 2, 2018 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5...Show more An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86.Show less
CVE-2016-8657 1Redhat 1Jboss Enterprise Application Platform Nov 21, 2024 Jul 31, 2018 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 It was discovered that EAP packages in certain versions of Red Hat Enterprise Linux use incorrect permissions for /etc/sysconfig/jbossas configuration files. The file is writable to jboss group (root:jboss, 664). On syst...Show more It was discovered that EAP packages in certain versions of Red Hat Enterprise Linux use incorrect permissions for /etc/sysconfig/jbossas configuration files. The file is writable to jboss group (root:jboss, 664). On systems using classic /etc/init.d init scripts (i.e. on Red Hat Enterprise Linux 6 and earlier), the file is sourced by the jboss init script and its content executed with root privileges when jboss service is started, stopped, or restarted.Show less
CVE-2017-2670 2Debian Redhat 3Debian Linux Jboss Enterprise Application PlatformUndertow Nov 21, 2024 Jul 27, 2018 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 It was found in Undertow before 1.3.28 that with non-clean TCP close, the Websocket server gets into infinite loop on every IO thread, effectively causing DoS.
CVE-2017-2595 1Redhat 1Jboss Enterprise Application Platform Nov 21, 2024 Jul 27, 2018 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 It was found that the log file viewer in Red Hat JBoss Enterprise Application 6 and 7 allows arbitrary file read to authenticated user via path traversal.
CVE-2017-12165 1Redhat 2Jboss Enterprise Application Platform Undertow Nov 21, 2024 Jul 27, 2018 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 It was discovered that Undertow before 1.4.17, 1.3.31 and 2.0.0 processes http request headers with unusual whitespaces which can cause possible http request smuggling.

Previous 1...567...13 Next