Jboss Enterprise Application Platform

jboss_enterprise_application_platform

Vendor: Redhat • 243 CVEs

CVEs (243)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2019-0205 3Apache OracleRedhat 3Communications Cloud Native Core Network Slice Selection Function Jboss Enterprise Application PlatformThrift Nov 21, 2024 Oct 29, 2019 N/A· v4 7.5 HIGH· v3 7.8 HIGH· v2 In Apache Thrift all versions up to and including 0.12.0, a server or client may run into an endless loop when feed with specific input data. Because the issue had already been partially fixed in version 0.11.0, dependin...Show more In Apache Thrift all versions up to and including 0.12.0, a server or client may run into an endless loop when feed with specific input data. Because the issue had already been partially fixed in version 0.11.0, depending on the installed version it affects only certain language bindings.Show less
CVE-2019-14838 1Redhat 4Data Grid Jboss Enterprise Application PlatformSingle Sign On+1 more Nov 21, 2024 Oct 14, 2019 N/A· v4 4.9 MEDIUM· v3 4.0 MEDIUM· v2 A flaw was found in wildfly-core before 7.2.5.GA. The Management users with Monitor, Auditor and Deployer Roles should not be allowed to modify the runtime state of the server
CVE-2019-17531 5Debian FasterxmlNetapp+2 more 22Banking Platform Communications Billing And Revenue ManagementCommunications Calendar Server+19 more Nov 21, 2024 Oct 12, 2019 N/A· v4 9.8 CRITICAL· v3 6.8 MEDIUM· v2 A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the se...Show more A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.Show less
CVE-2019-17267 5Debian FasterxmlNetapp+2 more 12Active Iq Unified Manager Customer Management And Segmentation FoundationDebian Linux+9 more Nov 21, 2024 Oct 7, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.
CVE-2019-10212 2Netapp Redhat 7Active Iq Unified Manager Jboss Data GridJboss Enterprise Application Platform+4 more Nov 21, 2024 Oct 2, 2019 N/A· v4 9.8 CRITICAL· v3 4.3 MEDIUM· v2 A flaw was found in, all under 2.0.20, in the Undertow DEBUG log for io.undertow.request.security. If enabled, an attacker could abuse this flaw to obtain the user's credentials from the log files.
CVE-2019-16943 6Debian FasterxmlFedoraproject+3 more 26Active Iq Unified Manager Banking PlatformCommunications Billing And Revenue Management+23 more Nov 21, 2024 Oct 1, 2019 N/A· v4 9.8 CRITICAL· v3 6.8 MEDIUM· v2 A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the se...Show more A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.Show less
CVE-2019-16942 6Debian FasterxmlFedoraproject+3 more 28Active Iq Unified Manager Banking PlatformCommunications Billing And Revenue Management+25 more Nov 21, 2024 Oct 1, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the se...Show more A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.Show less
CVE-2019-10202 1Redhat 1Jboss Enterprise Application Platform Nov 21, 2024 Oct 1, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A series of deserialization vulnerabilities have been discovered in Codehaus 1.9.x implemented in EAP 7. This CVE fixes CVE-2017-17485, CVE-2017-7525, CVE-2017-15095, CVE-2018-5968, CVE-2018-7489, CVE-2018-1000873, CVE-2...Show more A series of deserialization vulnerabilities have been discovered in Codehaus 1.9.x implemented in EAP 7. This CVE fixes CVE-2017-17485, CVE-2017-7525, CVE-2017-15095, CVE-2018-5968, CVE-2018-7489, CVE-2018-1000873, CVE-2019-12086 reported for FasterXML jackson-databind by implementing a whitelist approach that will mitigate these vulnerabilities and future ones alike.Show less
CVE-2019-16869 4Canonical DebianNetty+1 more 4Debian Linux Jboss Enterprise Application PlatformNetty+1 more Jul 7, 2025 Sep 26, 2019 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.
CVE-2019-16335 6Debian FasterxmlFedoraproject+3 more 17Banking Platform Customer Management And Segmentation FoundationDebian Linux+14 more Nov 21, 2024 Sep 15, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.
CVE-2019-14540 6Debian FasterxmlFedoraproject+3 more 19Banking Platform Customer Management And Segmentation FoundationDebian Linux+16 more Nov 21, 2024 Sep 15, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.
CVE-2019-12400 3Apache OracleRedhat 3Jboss Enterprise Application Platform Santuario Xml Security For JavaWeblogic Server Nov 21, 2024 Aug 23, 2019 N/A· v4 5.5 MEDIUM· v3 1.9 LOW· v2 In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a m...Show more In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this implementation might be cached and re-used by Apache Santuario - XML Security for Java, leading to potential security flaws when validating signed documents, etc. The vulnerability affects Apache Santuario - XML Security for Java 2.0.x releases from 2.0.3 and all 2.1.x releases before 2.1.4.Show less
CVE-2019-10086 6Apache DebianFedoraproject+3 more 60Agile Plm Agile Product Lifecycle Management Integration PackApplication Testing Suite+57 more Nov 21, 2024 Aug 20, 2019 N/A· v4 7.3 HIGH· v3 7.5 HIGH· v2 In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, howev...Show more In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.Show less
CVE-2019-9518 11Apache AppleCanonical+8 more 18Debian Linux Diskstation ManagerEnterprise Linux+15 more Jan 14, 2025 Aug 13, 2019 N/A· v4 7.5 HIGH· v3 7.8 HIGH· v2 Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These fra...Show more Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU.Show less
CVE-2019-9517 12Apache AppleCanonical+9 more 23Clustered Data Ontap Communications Element ManagerDebian Linux+20 more Jan 14, 2025 Aug 13, 2019 N/A· v4 7.5 HIGH· v3 7.8 HIGH· v2 Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they...Show more Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both.Show less
CVE-2019-9516 12Apache AppleCanonical+9 more 19Debian Linux Diskstation ManagerEnterprise Linux+16 more Jan 14, 2025 Aug 13, 2019 N/A· v4 6.5 MEDIUM· v3 6.8 MEDIUM· v2 Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman en...Show more Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory.Show less
CVE-2019-9515 12Apache AppleCanonical+9 more 22Big Ip Local Traffic Manager Debian LinuxDiskstation Manager+19 more Jan 14, 2025 Aug 13, 2019 N/A· v4 7.5 HIGH· v3 7.8 HIGH· v2 Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one...Show more Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.Show less
CVE-2019-9514 13Apache AppleCanonical+10 more 28Big Ip Local Traffic Manager Cloud InsightsDebian Linux+25 more Jan 14, 2025 Aug 13, 2019 N/A· v4 7.5 HIGH· v3 7.8 HIGH· v2 Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream o...Show more Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.Show less
CVE-2019-9513 12Apache AppleCanonical+9 more 20Debian Linux Diskstation ManagerEnterprise Communications Broker+17 more Jan 14, 2025 Aug 13, 2019 N/A· v4 7.5 HIGH· v3 7.8 HIGH· v2 Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that c...Show more Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU.Show less
CVE-2019-9511 12Apache AppleCanonical+9 more 20Debian Linux Diskstation ManagerEnterprise Communications Broker+17 more Jan 14, 2025 Aug 13, 2019 N/A· v4 7.5 HIGH· v3 7.8 HIGH· v2 Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified res...Show more Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.Show less

Previous 1...456...13 Next