Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Decision_manager
(Redhat)| Repositories |
• https://github.com/FasterXML/jackson-databind
• https://github.com/kiegroup/jbpm-designer |
| #Vulnerabilities | 20 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2020-07-06 | CVE-2019-14900 | A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. | Hibernate_orm, Quarkus, Build_of_quarkus, Decision_manager, Fuse, Jboss_data_grid, Jboss_enterprise_application_platform, Jboss_middleware_text\-Only_advisories, Openstack, Single_sign\-On | 6.5 | ||
| 2020-03-05 | CVE-2019-14886 | A vulnerability was found in business-central, as shipped in rhdm-7.5.1 and rhpam-7.5.1, where encoded passwords are stored in errai_security_context. The encoding used for storing the passwords is Base64, not an encryption algorithm, and any recovery of these passwords could lead to user passwords being exposed. | Decision_manager, Process_automation_manager | 6.5 | ||
| 2022-10-17 | CVE-2019-14840 | A flaw was found in the RHDM, where sensitive HTML form fields like Password has auto-complete enabled which may lead to leak of credentials. | Decision_manager | 7.5 | ||
| 2022-10-17 | CVE-2019-14841 | A flaw was found in the RHDM, where an authenticated attacker can change their assigned role in the response header. This flaw allows an attacker to gain admin privileges in the Business Central Console. | Decision_manager, Process_automation | 8.8 | ||
| 2020-01-02 | CVE-2019-14862 | There is a vulnerability in knockout before version 3.5.0-beta, where after escaping the context of the web application, the web application delivers data to its users along with other trusted dynamic content, without validating it. | Knockout, Business_intelligence, Goldengate, Decision_manager, Process_automation | 6.1 | ||
| 2020-09-16 | CVE-2020-1748 | A flaw was found in all supported versions before wildfly-elytron-1.6.8.Final-redhat-00001, where the WildFlySecurityManager checks were bypassed when using custom security managers, resulting in an improper authorization. This flaw leads to information exposure by unauthenticated access to secure resources. | Decision_manager, Process_automation, Wildfly_elytron | 7.5 | ||
| 2020-05-13 | CVE-2020-1714 | A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized in a privileged context and potentially lead to remote code execution. | Quarkus, Decision_manager, Jboss_fuse, Keycloak, Openshift_application_runtimes, Process_automation, Single_sign\-On | 8.8 | ||
| 2020-01-02 | CVE-2019-14863 | There is a vulnerability in all angular versions before 1.5.0-beta.0, where after escaping the context of the web application, the web application delivers data to its users along with other trusted dynamic content, without validating it. | Angular\.js, Decision_manager, Process_automation | N/A | ||
| 2018-07-26 | CVE-2017-7545 | It was discovered that the XmlUtils class in jbpmmigration 6.5 performed expansion of external parameter entities while parsing XML files. A remote attacker could use this flaw to read files accessible to the user running the application server and, potentially, perform other more advanced XML eXternal Entity (XXE) attacks. | Decision_manager, Jboss_bpm_suite, Jbpm | 6.5 |