Product:

Jboss_enterprise_application_platform

(Redhat)
Date ID Summary Products Score Patch
2020-01-08 CVE-2019-14820 It was found that keycloak before version 8.0.0 exposes internal adapter endpoints in org.keycloak.constants.AdapterConstants, which can be invoked via a specially-crafted URL. This vulnerability could allow an attacker to access unauthorized information. Jboss_enterprise_application_platform, Jboss_fuse, Keycloak, Single_sign\-On N/A
2020-01-07 CVE-2019-14843 A flaw was found in Wildfly Security Manager, running under JDK 11 or 8, that authorized requests for any requester. This flaw could be used by a malicious app deployed on the app server to access unauthorized information and possibly conduct further attacks. Versions shipped with Red Hat Jboss EAP 7 and Red Hat SSO 7 are vulnerable to this issue. Jboss_enterprise_application_platform, Single_sign\-On N/A
2020-01-02 CVE-2014-0169 In JBoss EAP 6 a security domain is configured to use a cache that is shared between all applications that are in the security domain. This could allow an authenticated user in one application to access protected resources in another application without proper authorization. Although this is an intended functionality, it was not clearly documented which can mislead users into thinking that a security domain cache is isolated to a single application. Jboss_enterprise_application_platform N/A
2019-11-08 CVE-2019-10219 A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack. Hibernate\-Validator, Jboss_data_grid, Jboss_enterprise_application_platform, Single_sign\-On N/A
2019-12-18 CVE-2012-2312 An Elevated Privileges issue exists in JBoss AS 7 Community Release due to the improper implementation in the security context propagation, A threat gets reused from the thread pool that still retains the security context from the process last used, which lets a local user obtain elevated privileges. Jboss_application_server, Jboss_enterprise_application_platform N/A
2019-12-11 CVE-2013-6495 JBossWeb Bayeux has reflected XSS Jboss_enterprise_application_platform, Jboss_portal N/A
2019-10-14 CVE-2019-14838 A flaw was found in wildfly-core before 7.2.5.GA. The Management users with Monitor, Auditor and Deployer Roles should not be allowed to modify the runtime state of the server Jboss_enterprise_application_platform, Wildfly_core N/A
2019-11-18 CVE-2019-10172 A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar CVE-2016-3720 also affects codehaus jackson-mapper-asl libraries but in different classes. Jackson\-Mapper\-Asl, Jboss_enterprise_application_platform, Jboss_fuse N/A
2016-09-01 CVE-2016-2183 The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack. Content_security_management_appliance, Openssl, Database, Python, Enterprise_linux, Jboss_enterprise_application_platform, Jboss_enterprise_web_server, Jboss_web_server 7.5
2018-05-21 CVE-2018-1067 In Undertow before versions 7.1.2.CR1, 7.1.2.GA it was found that the fix for CVE-2016-4993 was incomplete and Undertow web server is vulnerable to the injection of arbitrary HTTP headers, and also response splitting, due to insufficient sanitization and validation of user input before the input is used as part of an HTTP header value. Jboss_enterprise_application_platform, Undertow, Virtualization 6.1