Product:

Jboss_enterprise_application_platform

(Redhat)
Date Id Summary Products Score Patch Annotated
2020-01-08 CVE-2019-14820 It was found that keycloak before version 8.0.0 exposes internal adapter endpoints in org.keycloak.constants.AdapterConstants, which can be invoked via a specially-crafted URL. This vulnerability could allow an attacker to access unauthorized information. Jboss_enterprise_application_platform, Jboss_fuse, Keycloak, Single_sign\-On 4.3
2021-08-05 CVE-2021-3642 A flaw was found in Wildfly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final where ScramServer may be susceptible to Timing Attack if enabled. The highest threat of this vulnerability is confidentiality. Quarkus, Build_of_quarkus, Codeready_studio, Data_grid, Descision_manager, Integration_camel_k, Integration_camel_quarkus, Jboss_enterprise_application_platform, Jboss_enterprise_application_platform_expansion_pack, Jboss_fuse, Openshift_application_runtimes, Process_automation, Wildfly_elytron 5.3
2021-06-02 CVE-2020-14317 It was found that the issue for security flaw CVE-2019-3805 appeared again in a further version of JBoss Enterprise Application Platform - Continuous Delivery (EAP-CD) introducing regression. An attacker could exploit this by modifying the PID file in /var/run/jboss-eap/ allowing the init.d script to terminate any process as root. Jboss_enterprise_application_platform, Wildfly 5.5
2021-05-20 CVE-2021-3536 A flaw was found in Wildfly in versions before 23.0.2.Final while creating a new role in domain mode via the admin console, it is possible to add a payload in the name field, leading to XSS. This affects Confidentiality and Integrity. Build_of_quarkus, Data_grid, Descision_manager, Integration_camel_k, Integration_camel_quarkus, Integration_service_registry, Jboss_a\-Mq, Jboss_enterprise_application_platform, Wildfly 4.8
2018-09-18 CVE-2018-14642 An information leak vulnerability was found in Undertow. If all headers are not written out in the first write() call then the code that handles flushing the buffer will always write out the full contents of the writevBuffer buffer, which may contain data from previous requests. Jboss_enterprise_application_platform, Undertow 5.3
2020-10-16 CVE-2020-14299 A flaw was found in JBoss EAP, where the authentication configuration is set-up using a legacy SecurityRealm, to delegate to a legacy PicketBox SecurityDomain, and then reloaded to admin-only mode. This flaw allows an attacker to perform a complete authentication bypass by using an arbitrary user and password. The highest threat to vulnerability is to system availability. Jboss_enterprise_application_platform, Openshift_application_runtimes, Single_sign\-On 6.5
2019-05-03 CVE-2019-3894 It was discovered that the ElytronManagedThread in Wildfly's Elytron subsystem in versions from 11 to 16 stores a SecurityIdentity to run the thread as. These threads do not necessarily terminate if the keep alive time has not expired. This could allow a shared thread to use the wrong security identity when executing. Jboss_enterprise_application_platform, Wildfly 8.8
2019-05-03 CVE-2019-3805 A flaw was discovered in wildfly versions up to 16.0.0.Final that would allow local users who are able to execute init.d script to terminate arbitrary processes on the system. An attacker could exploit this by modifying the PID file in /var/run/jboss-eap/ allowing the init.d script to terminate any process as root. Jboss_enterprise_application_platform, Wildfly 4.7
2019-10-14 CVE-2019-14838 A flaw was found in wildfly-core before 7.2.5.GA. The Management users with Monitor, Auditor and Deployer Roles should not be allowed to modify the runtime state of the server Data_grid, Jboss_enterprise_application_platform, Single_sign\-On, Wildfly_core 4.9
2020-04-21 CVE-2020-1757 A flaw was found in all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1, all undertow-1.x.x and undertow-2.x.x versions prior to undertow-2.1.0.Final, where the Servlet container causes servletPath to normalize incorrectly by truncating the path after semicolon which may lead to an application mapping resulting in the security bypass. Jboss_data_grid, Jboss_enterprise_application_platform, Jboss_fuse, Openshift_application_runtimes, Single_sign\-On, Undertow N/A