Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Jboss_enterprise_application_platform
(Redhat)| Repositories |
• https://github.com/FasterXML/jackson-databind
• https://github.com/qos-ch/slf4j • https://github.com/bcgit/bc-java • https://github.com/apache/cxf • https://github.com/dom4j/dom4j |
| #Vulnerabilities | 223 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2020-03-11 | CVE-2011-2487 | The implementations of PKCS#1 v1.5 key transport mechanism for XMLEncryption in JBossWS and Apache WSS4J before 1.6.5 is susceptible to a Bleichenbacher attack. | Cxf, Wss4j, Jboss_business_rules_management_system, Jboss_enterprise_application_platform, Jboss_enterprise_application_platform_text\-Only_advisories, Jboss_enterprise_soa_platform, Jboss_enterprise_web_platform, Jboss_middleware_text\-Only_advisories, Jboss_portal, Jboss_web_services | 5.9 | ||
| 2020-11-02 | CVE-2020-25689 | A memory leak flaw was found in WildFly in all versions up to 21.0.0.Final, where host-controller tries to reconnect in a loop, generating new connections which are not properly closed while not able to connect to domain-controller. This flaw allows an attacker to cause an Out of memory (OOM) issue, leading to a denial of service. The highest threat from this vulnerability is to system availability. | Active_iq_unified_manager, Oncommand_insight, Service_level_manager, Fuse, Jboss_data_grid, Jboss_enterprise_application_platform, Jboss_fuse, Openshift_application_runtimes, Single_sign\-On, Wildfly | 6.5 | ||
| 2022-05-24 | CVE-2021-3629 | A flaw was found in Undertow. A potential security issue in flow control handling by the browser over http/2 may potentially cause overhead or a denial of service in the server. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.40.Final and prior to 2.2.11.Final. | Active_iq_unified_manager, Oncommand_insight, Oncommand_workflow_automation, Integration, Jboss_enterprise_application_platform, Single_sign\-On, Undertow, Wildfly_core | 5.9 | ||
| 2018-01-24 | CVE-2018-1048 | It was found that the AJP connector in undertow, as shipped in Jboss EAP 7.1.0.GA, does not use the ALLOW_ENCODED_SLASH option and thus allow the the slash / anti-slash characters encoded in the url which may lead to path traversal and result in the information disclosure of arbitrary local files. | Jboss_enterprise_application_platform | 7.5 | ||
| 2023-01-13 | CVE-2022-3143 | wildfly-elytron: possible timing attacks via use of unsafe comparator. A flaw was found in Wildfly-elytron. Wildfly-elytron uses java.util.Arrays.equals in several places, which is unsafe and vulnerable to timing attacks. To compare values securely, use java.security.MessageDigest.isEqual instead. This flaw allows an attacker to access secure information or impersonate an authed user. | Jboss_enterprise_application_platform, Wildfly_elytron | 7.4 | ||
| 2022-08-26 | CVE-2021-3859 | A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks. | Cloud_secure_agent, Oncommand_insight, Oncommand_workflow_automation, Jboss_enterprise_application_platform, Single_sign\-On, Undertow | 7.5 | ||
| 2022-05-24 | CVE-2021-3597 | A flaw was found in undertow. The HTTP2SourceChannel fails to write the final frame under some circumstances, resulting in a denial of service. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.35.SP1, prior to 2.2.6.SP1, prior to 2.2.7.SP1, prior to 2.0.36.SP1, prior to 2.2.9.Final and prior to 2.0.39.Final. | Active_iq_unified_manager, Oncommand_insight, Oncommand_workflow_automation, Fuse, Jboss_enterprise_application_platform, Openshift_application_runtimes, Single_sign\-On, Undertow | 5.9 | ||
| 2022-05-24 | CVE-2021-3717 | A flaw was found in Wildfly. An incorrect JBOSS_LOCAL_USER challenge location when using the elytron configuration may lead to JBOSS_LOCAL_USER access to all users on the machine. The highest threat from this vulnerability is to confidentiality, integrity, and availability. This flaw affects wildfly-core versions prior to 17.0. | Jboss_enterprise_application_platform, Single_sign\-On, Wildfly_core | 7.8 | ||
| 2020-01-23 | CVE-2019-14885 | A flaw was found in the JBoss EAP Vault system in all versions before 7.2.6.GA. Confidential information of the system property's security attribute value is revealed in the JBoss EAP log file when executing a JBoss CLI 'reload' command. This flaw can lead to the exposure of confidential information. | Jboss_enterprise_application_platform, Single_sign\-On | 4.3 | ||
| 2022-08-31 | CVE-2022-1259 | A flaw was found in Undertow. A potential security issue in flow control handling by the browser over HTTP/2 may cause overhead or a denial of service in the server. This flaw exists because of an incomplete fix for CVE-2021-3629. | Active_iq_unified_manager, Cloud_secure_agent, Oncommand_insight, Oncommand_workflow_automation, Build_of_quarkus, Integration_camel_k, Jboss_enterprise_application_platform, Openshift_application_runtimes, Single_sign\-On, Undertow | 7.5 |