Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Jboss_enterprise_application_platform
(Redhat)| Repositories |
• https://github.com/FasterXML/jackson-databind
• https://github.com/qos-ch/slf4j • https://github.com/bcgit/bc-java • https://github.com/apache/cxf • https://github.com/dom4j/dom4j |
| #Vulnerabilities | 223 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2017-05-18 | CVE-2017-7503 | It was found that the Red Hat JBoss EAP 7.0.5 implementation of javax.xml.transform.TransformerFactory is vulnerable to XXE. An attacker could use this flaw to launch DoS or SSRF attacks, or read files from the server where EAP is deployed. | Jboss_enterprise_application_platform | 9.8 | ||
| 2018-07-26 | CVE-2017-2582 | It was found that while parsing the SAML messages the StaxParserUtil class of keycloak before 2.5.1 replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the "InResponseTo" field in the response. | Jboss_enterprise_application_platform, Keycloak | 6.5 | ||
| 2017-10-04 | CVE-2017-12149 | In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization and thus allowing an attacker to execute arbitrary code via crafted serialized data. | Jboss_enterprise_application_platform | 9.8 | ||
| 2016-10-13 | CVE-2016-7065 | The JMX servlet in Red Hat JBoss Enterprise Application Platform (EAP) 4 and 5 allows remote authenticated users to cause a denial of service and possibly execute arbitrary code via a crafted serialized Java object. | Jboss_enterprise_application_platform | 8.8 | ||
| 2016-10-03 | CVE-2016-7046 | Red Hat JBoss Enterprise Application Platform (EAP) 7, when operating as a reverse-proxy with default buffer sizes, allows remote attackers to cause a denial of service (CPU and disk consumption) via a long URL. | Jboss_enterprise_application_platform | 5.9 | ||
| 2017-08-22 | CVE-2016-6311 | Get requests in JBoss Enterprise Application Platform (EAP) 7 disclose internal IP addresses to remote attackers. | Jboss_enterprise_application_platform | 5.3 | ||
| 2016-09-26 | CVE-2016-5406 | The domain controller in Red Hat JBoss Enterprise Application Platform (EAP) 7.x before 7.0.2 allows remote authenticated users to gain privileges by leveraging failure to propagate administrative RBAC configuration to all slaves. | Jboss_enterprise_application_platform | 8.8 | ||
| 2016-09-26 | CVE-2016-4993 | CRLF injection vulnerability in the Undertow web server in WildFly 10.0.0, as used in Red Hat JBoss Enterprise Application Platform (EAP) 7.x before 7.0.2, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors. | Jboss_enterprise_application_platform, Jboss_wildfly_application_server | 6.1 | ||
| 2017-06-08 | CVE-2016-3690 | The PooledInvokerServlet in JBoss EAP 4.x and 5.x allows remote attackers to execute arbitrary code via a crafted serialized payload. | Jboss_enterprise_application_platform | 9.8 | ||
| 2015-12-16 | CVE-2015-5304 | Red Hat JBoss Enterprise Application Platform (EAP) before 6.4.5 does not properly authorize access to shut down the server, which allows remote authenticated users with the Monitor, Deployer, or Auditor role to cause a denial of service via unspecified vectors. | Jboss_enterprise_application_platform | N/A |