Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Jboss_enterprise_application_platform
(Redhat)| Repositories |
• https://github.com/FasterXML/jackson-databind
• https://github.com/qos-ch/slf4j • https://github.com/bcgit/bc-java • https://github.com/apache/cxf • https://github.com/dom4j/dom4j |
| #Vulnerabilities | 223 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2022-03-11 | CVE-2022-0853 | A flaw was found in JBoss-client. The vulnerability occurs due to a memory leak on the JBoss client-side, when using UserTransaction repeatedly and leads to information leakage vulnerability. | Descision_manager, Jboss_enterprise_application_platform, Jboss_enterprise_application_platform_expansion_pack, Process_automation, Single_sign\-On | 7.5 | ||
| 2020-06-10 | CVE-2020-10705 | A flaw was discovered in Undertow in versions before Undertow 2.1.1.Final where certain requests to the "Expect: 100-continue" header may cause an out of memory error. This flaw may potentially lead to a denial of service. | Oncommand_insight, Jboss_enterprise_application_platform, Openshift_application_runtimes, Undertow | 7.5 | ||
| 2019-07-25 | CVE-2019-10184 | undertow before version 2.0.23.Final is vulnerable to an information leak issue. Web apps may have their directory structures predicted through requests without trailing slashes via the api. | Active_iq_unified_manager, Jboss_data_grid, Jboss_enterprise_application_platform, Openshift_application_runtimes, Single_sign\-On, Undertow | 7.5 | ||
| 2019-10-02 | CVE-2019-10212 | A flaw was found in, all under 2.0.20, in the Undertow DEBUG log for io.undertow.request.security. If enabled, an attacker could abuse this flaw to obtain the user's credentials from the log files. | Active_iq_unified_manager, Jboss_data_grid, Jboss_enterprise_application_platform, Jboss_fuse, Openshift_application_runtimes, Single_sign\-On, Undertow | 9.8 | ||
| 2019-11-25 | CVE-2019-10174 | A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious behavior into the application. | Infinispan, Active_iq_unified_manager, Fuse, Jboss_data_grid, Jboss_enterprise_application_platform, Openshift_application_runtimes, Single_sign\-On | 8.8 | ||
| 2021-12-23 | CVE-2021-20318 | The HornetQ component of Artemis in EAP 7 was not updated with the fix for CVE-2016-4978. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using a JMS ObjectMessage. | Jboss_enterprise_application_platform | 7.2 | ||
| 2020-09-09 | CVE-2020-14384 | A flaw was found in JBossWeb in versions before 7.5.31.Final-redhat-3. The fix for CVE-2020-13935 was incomplete in JBossWeb, leaving it vulnerable to a denial of service attack when sending multiple requests with invalid payload length in a WebSocket frame. The highest threat from this vulnerability is to system availability. | Jboss_enterprise_application_platform, Jbossweb | 7.5 | ||
| 2020-03-16 | CVE-2019-14887 | A flaw was found when an OpenSSL security provider is used with Wildfly, the 'enabled-protocols' value in the Wildfly configuration isn't honored. An attacker could target the traffic sent from Wildfly and downgrade the connection to a weaker version of TLS, potentially breaking the encryption. This could lead to a leak of the data being passed over the network. Wildfly version 7.2.0.GA, 7.2.3.GA and 7.2.5.CR2 are believed to be vulnerable. | Jboss_data_grid, Jboss_enterprise_application_platform, Jboss_fuse, Openshift_application_runtimes, Single_sign\-On, Wildfly | 9.1 | ||
| 2020-01-08 | CVE-2019-14820 | It was found that keycloak before version 8.0.0 exposes internal adapter endpoints in org.keycloak.constants.AdapterConstants, which can be invoked via a specially-crafted URL. This vulnerability could allow an attacker to access unauthorized information. | Jboss_enterprise_application_platform, Jboss_fuse, Keycloak, Single_sign\-On | 4.3 | ||
| 2021-08-05 | CVE-2021-3642 | A flaw was found in Wildfly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final where ScramServer may be susceptible to Timing Attack if enabled. The highest threat of this vulnerability is confidentiality. | Quarkus, Build_of_quarkus, Codeready_studio, Data_grid, Descision_manager, Integration_camel_k, Integration_camel_quarkus, Jboss_enterprise_application_platform, Jboss_enterprise_application_platform_expansion_pack, Jboss_fuse, Openshift_application_runtimes, Process_automation, Wildfly_elytron | 5.3 |