Product: Jboss_enterprise_application_platform (Redhat)
Columns: Date, Id, Summary, Products, Score, Patch, Annotated (the Patch and Annotated columns are empty for every entry below).

2020-01-23  CVE-2012-5626
  Summary:  EJB method invocation in Red Hat JBoss BRMS 5; Red Hat JBoss Enterprise Application Platform 5; Red Hat JBoss Operations Network 3.1; Red Hat JBoss Portal 4 and 5; Red Hat JBoss SOA Platform 4.2, 4.3, and 5; and Red Hat JBoss Enterprise Web Server 1 ignores roles specified using the @RunAs annotation.
  Products: Jboss_brms, Jboss_enterprise_application_platform, Jboss_enterprise_web_server, Jboss_operations_network, Jboss_portal, Jboss_soa_platform
  Score:    N/A

2020-01-07  CVE-2019-14843
  Summary:  A flaw was found in the WildFly Security Manager, running under JDK 11 or 8, that authorized requests for any requester. This flaw could be used by a malicious application deployed on the application server to access unauthorized information and possibly conduct further attacks. The versions shipped with Red Hat JBoss EAP 7 and Red Hat SSO 7 are vulnerable to this issue.
  Products: Jboss_enterprise_application_platform, Single_sign-On
  Score:    N/A

2020-01-02  CVE-2014-0169
  Summary:  In JBoss EAP 6 a security domain is configured to use a cache that is shared between all applications in that security domain. This could allow an authenticated user in one application to access protected resources in another application without proper authorization. Although this is intended functionality, it was not clearly documented, which can mislead users into thinking that a security domain cache is isolated to a single application.
  Products: Jboss_enterprise_application_platform
  Score:    N/A

2019-12-18  CVE-2012-2312
  Summary:  An elevated-privileges issue exists in JBoss AS 7 Community Release due to an improper implementation of security context propagation: a thread reused from the thread pool still retains the security context of the last process that used it, which lets a local user obtain elevated privileges.
  Products: Jboss_application_server, Jboss_enterprise_application_platform
  Score:    N/A

2019-12-11  CVE-2013-6495
  Summary:  The Bayeux (Comet) support in JBoss Web has a reflected cross-site scripting (XSS) vulnerability.
  Products: Jboss_enterprise_application_platform, Jboss_portal
  Score:    N/A

2018-02-15  CVE-2018-1041
  Summary:  A vulnerability was found in the way RemoteMessageChannel, introduced in jboss-remoting version 3.3.10, reads from an empty buffer. An attacker could use this flaw to cause a denial of service via high CPU usage caused by an infinite loop.
  Products: Jboss-Remoting, Jboss_enterprise_application_platform
  Score:    7.5

2017-05-19  CVE-2017-7504
  Summary:  HTTPServerILServlet.java in the JMS over HTTP Invocation Layer of the JBossMQ implementation, which is enabled by default in Red Hat JBoss Application Server 4.x and earlier, does not restrict the classes for which it performs deserialization, which allows remote attackers to execute arbitrary code via crafted serialized data.
  Products: Jboss_enterprise_application_platform
  Score:    9.8

2018-07-27  CVE-2017-2670
  Summary:  It was found that in Undertow before 1.3.28, on a non-clean TCP close, the WebSocket server enters an infinite loop on every IO thread, effectively causing a denial of service.
  Products: Debian_linux, Jboss_enterprise_application_platform, Undertow
  Score:    7.5

2018-07-27  CVE-2017-2666
  Summary:  It was discovered that the Undertow code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web cache, perform an XSS attack, or obtain sensitive information from requests other than their own.
  Products: Debian_linux, Jboss_enterprise_application_platform, Undertow
  Score:    6.5

2018-07-27  CVE-2017-2595
  Summary:  It was found that the log file viewer in Red Hat JBoss Enterprise Application Platform 6 and 7 allows an authenticated user to read arbitrary files via path traversal.
  Products: Jboss_enterprise_application_platform
  Score:    6.5
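The CVE-2014-0169 entry above describes a documented behaviour rather than a bug: an EAP 6 security domain's authentication cache is shared by every deployment bound to that domain. The following audit script is an added example written for this page, not Red Hat tooling. It parses a constructed extract of standalone.xml and constructed WEB-INF/jboss-web.xml files and reports cached domains that two or more deployments share. The element and attribute names (cache-type on <security-domain>, the <security-domain> element of jboss-web.xml, the "java:/jaas/" prefix, and "other" as the default domain for deployments that name none) are assumptions drawn from the EAP 6 configuration format.

```python
"""Audit for the CVE-2014-0169 condition: an EAP 6 security domain whose
authentication cache is shared by more than one deployment.
Added example; the XML below is constructed, not taken from a real server."""
import xml.etree.ElementTree as ET

# Constructed extract of standalone.xml (security subsystem only).
STANDALONE_XML = """<subsystem xmlns="urn:jboss:domain:security:1.2">
  <security-domains>
    <security-domain name="other" cache-type="default">
      <authentication><login-module code="Remoting" flag="optional"/></authentication>
    </security-domain>
    <security-domain name="app-db" cache-type="default">
      <authentication><login-module code="Database" flag="required"/></authentication>
    </security-domain>
    <security-domain name="uncached">
      <authentication><login-module code="UsersRoles" flag="required"/></authentication>
    </security-domain>
  </security-domains>
</subsystem>"""

# Constructed WEB-INF/jboss-web.xml contents for three deployments.
DEPLOYMENTS = {
    "billing.war": "<jboss-web><security-domain>java:/jaas/app-db</security-domain></jboss-web>",
    "reports.war": "<jboss-web><security-domain>app-db</security-domain></jboss-web>",
    "intranet.war": "<jboss-web><security-domain>uncached</security-domain></jboss-web>",
}

# Assumption: a deployment that names no domain falls back to "other".
DEFAULT_DOMAIN = "other"
JAAS_PREFIX = "java:/jaas/"


def _local(tag: str) -> str:
    """Strip the XML namespace so the same code handles any subsystem version."""
    return tag.rsplit("}", 1)[-1]


def cached_domains(standalone_xml: str) -> dict:
    """Map security-domain name -> cache-type for domains that declare a cache."""
    root = ET.fromstring(standalone_xml)
    return {e.get("name"): e.get("cache-type")
            for e in root.iter()
            if _local(e.tag) == "security-domain" and e.get("cache-type")}


def deployment_domain(jboss_web_xml: str) -> str:
    """Security domain a deployment binds to, with the JNDI prefix removed."""
    root = ET.fromstring(jboss_web_xml)
    for e in root.iter():
        if _local(e.tag) == "security-domain" and e.text and e.text.strip():
            name = e.text.strip()
            return name[len(JAAS_PREFIX):] if name.startswith(JAAS_PREFIX) else name
    return DEFAULT_DOMAIN


def shared_cache_report(standalone_xml: str, deployments: dict) -> dict:
    """Cached domains used by two or more deployments -> sorted deployment names.
    Each listed domain is one where a principal authenticated in any of the
    deployments is served from the same cache in all of them."""
    cached = cached_domains(standalone_xml)
    users = {}
    for app, jboss_web in deployments.items():
        users.setdefault(deployment_domain(jboss_web), []).append(app)
    return {d: sorted(apps) for d, apps in users.items()
            if d in cached and len(apps) > 1}


if __name__ == "__main__":
    for domain, apps in shared_cache_report(STANDALONE_XML, DEPLOYMENTS).items():
        print(f"domain {domain!r} (cached) is shared by: {', '.join(apps)}")
```

The remediation the entry implies is to give each application that must be isolated its own security domain, or to drop cache-type from a domain that several applications share; rerunning the report after the change should return an empty result.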
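The CVE-2012-2312 entry turns on one mechanism: a pooled worker thread keeps whatever security context the last task associated with it unless the container explicitly disassociates it. The model below is an added example in plain Python, not JBoss AS code; the thread-local "principal", the leaky and scoped invoke wrappers and the one-thread pool are all constructed to reproduce the pattern deterministically.

```python
"""Model of the CVE-2012-2312 failure mode: a pooled thread retains the
security context of its previous caller. Added example, not JBoss code."""
import threading
from concurrent.futures import ThreadPoolExecutor

# Stand-in for a per-thread SecurityContext association (assumed model).
_context = threading.local()


def current_principal():
    """Principal currently associated with the calling thread, or None."""
    return getattr(_context, "principal", None)


def leaky_invoke(principal, action):
    """Buggy pattern: associate the caller's principal for the call but never
    disassociate it afterwards. An unauthenticated caller (principal=None)
    sets nothing and so inherits whatever the previous task left on the thread."""
    if principal is not None:
        _context.principal = principal
    return action()


def scoped_invoke(principal, action):
    """Fixed pattern: always set the association for this call, including the
    unauthenticated case, and restore the previous value on every exit path."""
    previous = current_principal()
    _context.principal = principal
    try:
        return action()
    finally:
        _context.principal = previous


def protected_operation():
    """Returns the principal the 'container' believes is calling."""
    return current_principal()


def run_scenario(invoke):
    """Run an admin call and then an unauthenticated call on a one-thread pool,
    so both tasks are guaranteed to reuse the same worker thread. Returns the
    principal the unauthenticated call executed as."""
    with ThreadPoolExecutor(max_workers=1) as pool:
        pool.submit(invoke, "admin", protected_operation).result()
        return pool.submit(invoke, None, protected_operation).result()


if __name__ == "__main__":
    print("leaky  :", run_scenario(leaky_invoke))    # admin  (privilege leak)
    print("scoped :", run_scenario(scoped_invoke))   # None
```

With a larger pool the leak becomes intermittent, which is exactly what makes this class of bug hard to reproduce in testing: the unauthenticated task only inherits a context when it happens to land on a thread that previously ran a privileged one.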
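For CVE-2017-7504 the practical question for an operator or responder is whether anything is posting Java serialized objects at the JBossMQ HTTP invocation layer. The triage code below is an added example, not JBoss or Red Hat code. The stream magic and TC_CLASSDESC tag come from the Java serialization format; the servlet path, the constructed sample stream and the class-name heuristic are assumptions made for this illustration (the sample is a bare class descriptor, not a gadget chain).

```python
"""Triage for the CVE-2017-7504 attack surface: flag requests whose body is a
Java serialized object stream and list the class names it declares.
Added example, not JBoss code."""
import re
import struct

STREAM_MAGIC = b"\xac\xed"       # java.io.ObjectStreamConstants.STREAM_MAGIC
STREAM_VERSION = b"\x00\x05"     # STREAM_VERSION
TC_OBJECT = 0x73
TC_CLASSDESC = 0x72
# Assumed path of the vulnerable servlet shipped in jbossmq-httpil.sar.
HTTPIL_PATH = "/jbossmq-httpil/HTTPServerILServlet"
_CLASS_NAME = re.compile(rb"^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)+$")


def is_java_serialized(body: bytes) -> bool:
    """True when the body starts with the serialization stream header."""
    return body[:4] == STREAM_MAGIC + STREAM_VERSION


def declared_classes(body: bytes) -> list:
    """Heuristic scan for TC_CLASSDESC entries: 0x72, a 2-byte big-endian
    length, then the class name. Enough to see what a payload tries to
    instantiate; it is not a full ObjectInputStream grammar parser."""
    names = []
    i = 4
    while i < len(body) - 3:
        if body[i] == TC_CLASSDESC:
            (n,) = struct.unpack(">H", body[i + 1:i + 3])
            name = body[i + 3:i + 3 + n]
            if n and len(name) == n and _CLASS_NAME.match(name):
                names.append(name.decode("ascii"))
                i += 3 + n
                continue
        i += 1
    return names


def triage(method: str, path: str, body: bytes) -> dict:
    """Verdict for one request. Affected versions deserialize without any
    class restriction, so a serialized POST to the servlet is treated as hostile."""
    serialized = is_java_serialized(body)
    return {
        "endpoint_hit": path == HTTPIL_PATH,
        "serialized": serialized,
        "classes": declared_classes(body) if serialized else [],
        "block": path == HTTPIL_PATH and method == "POST" and serialized,
    }


def build_sample_stream(class_name: str) -> bytes:
    """Constructed minimal stream: one TC_OBJECT whose class descriptor names
    class_name and declares no fields. Illustrative only."""
    n = class_name.encode("ascii")
    return (STREAM_MAGIC + STREAM_VERSION
            + bytes([TC_OBJECT])
            + bytes([TC_CLASSDESC]) + struct.pack(">H", len(n)) + n
            + b"\x00" * 8          # serialVersionUID
            + b"\x02"              # SC_SERIALIZABLE
            + b"\x00\x00"          # field count
            + b"\x78"              # TC_ENDBLOCKDATA
            + b"\x70")             # TC_NULL: no superclass descriptor


if __name__ == "__main__":
    sample = build_sample_stream("org.example.Payload")   # constructed
    print(triage("POST", HTTPIL_PATH, sample))
```

Blocking at a proxy is a stop-gap; the entry says the layer is enabled by default on affected releases, so the durable fix is to remove or disable the JMS-over-HTTP invocation layer rather than to filter traffic to it.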
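The CVE-2017-2666 entry is a parser-differential bug: Undertow accepted request-line characters that a front-end proxy interpreted differently. The strict request-line parser below is an added example, not Undertow's code. It follows RFC 7230 section 3.1.1 (token characters for the method, the pchar set plus "/" and "?" for the target, CRLF termination, exactly two single spaces) and the sample lines it checks are constructed, not captured traffic.

```python
"""Strict HTTP/1.1 request-line parser that rejects the character classes a
lenient parser might pass through. Added example, not Undertow code."""
import re
import string

# RFC 7230 'tchar': characters allowed in the method token.
TCHAR = frozenset(string.ascii_letters + string.digits + "!#$%&'*+-.^_`|~")
# Characters allowed in an origin-form request-target: pchar, '/', '?', '%'.
TARGET_CHARS = frozenset(string.ascii_letters + string.digits
                         + "-._~" + "!$&'()*+,;=" + ":@/?%")
_VERSION = re.compile(r"HTTP/[0-9]\.[0-9]")
_PCT = re.compile(r"%[0-9A-Fa-f]{2}")
_SCHEME = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*://")


def parse_request_line(line: bytes):
    """Return (method, target, version); raise ValueError on anything that is
    not a well-formed request line."""
    if not line.endswith(b"\r\n"):
        raise ValueError("request line must be terminated by CRLF")
    body = line[:-2]
    if not body.isascii():
        raise ValueError("non-ASCII byte in request line")
    parts = body.split(b" ")
    if len(parts) != 3:
        raise ValueError("expected exactly two single SP separators")
    method, target, version = (p.decode("ascii") for p in parts)
    if not method or not set(method) <= TCHAR:
        raise ValueError("invalid method token")
    if not target or not set(target) <= TARGET_CHARS:
        raise ValueError("invalid character in request-target")
    # Accept origin-form, absolute-form and asterisk-form targets only.
    if not (target.startswith("/") or target == "*" or _SCHEME.match(target)):
        raise ValueError("unsupported request-target form")
    # Every '%' must begin a complete two-hex-digit escape.
    if target.count("%") != len(_PCT.findall(target)):
        raise ValueError("malformed percent-encoding")
    if not _VERSION.fullmatch(version):
        raise ValueError("invalid HTTP-version")
    return method, target, version


def is_valid_request_line(line: bytes) -> bool:
    try:
        parse_request_line(line)
        return True
    except ValueError:
        return False


# Constructed samples mapped to the verdict a strict parser must give.
SAMPLES = {
    b"GET /index.html HTTP/1.1\r\n": True,
    b"GET /a/b?x=1&y=%20 HTTP/1.1\r\n": True,
    b"GET http://example.test/a HTTP/1.1\r\n": True,
    b"GET /index.html HTTP/1.1\n": False,       # bare LF terminator
    b"GET  /index.html HTTP/1.1\r\n": False,    # double SP: empty target
    b"GET\t/index.html HTTP/1.1\r\n": False,    # tab instead of SP
    b"GET /a\x01b HTTP/1.1\r\n": False,         # control character
    b"GET /a<script> HTTP/1.1\r\n": False,      # '<' and '>' are not pchar
    b"GET /a HTTP/1.1 extra\r\n": False,        # trailing data
    b"GET /%zz HTTP/1.1\r\n": False,            # bad percent escape
    b"GET /caf\xc3\xa9 HTTP/1.1\r\n": False,    # raw UTF-8
}


def check_samples() -> dict:
    """Sample line -> True when the parser's verdict matches the expectation."""
    return {s: is_valid_request_line(s) == expected for s, expected in SAMPLES.items()}


if __name__ == "__main__":
    for sample, agrees in check_samples().items():
        print("ok " if agrees else "BAD", sample)
```

The point is not that one particular character is dangerous but that the origin server and every intermediary must reject the same set; a request line that one hop accepts and another reinterprets is what the entry's cache-poisoning and response-injection outcomes depend on.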
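The CVE-2017-2595 entry is the classic log-viewer traversal: a user-controlled file name is joined onto the log directory without confining the result. The example below is added for this page and is not EAP code; it shows the vulnerable join beside a hardened resolver, and the directory and file names in the demo are constructed (the demo uses a fresh temporary directory so it runs anywhere).

```python
"""Vulnerable vs. hardened file-name resolution for a log file viewer
(the CVE-2017-2595 pattern). Added example, not JBoss EAP code."""
import os
import tempfile
from pathlib import Path


def vulnerable_resolve(log_dir: str, name: str) -> str:
    """Vulnerable: os.path.join trusts the caller's name. A name with '..'
    components walks out of log_dir, and an absolute name discards it."""
    return os.path.join(log_dir, name)


def safe_resolve(log_dir: str, name: str) -> Path:
    """Hardened: canonicalise both sides (symlinks and '..'), then require the
    result to be strictly inside the canonical log directory."""
    if "\x00" in name:
        raise PermissionError(f"rejected {name!r}: embedded NUL")
    base = Path(log_dir).resolve()
    try:
        candidate = (base / name).resolve()
    except (ValueError, OSError) as exc:
        raise PermissionError(f"rejected {name!r}: {exc}") from None
    if candidate == base or base not in candidate.parents:
        raise PermissionError(f"rejected {name!r}: outside {base}")
    return candidate


def is_inside(log_dir: str, name: str) -> bool:
    """True when safe_resolve accepts the name."""
    try:
        safe_resolve(log_dir, name)
        return True
    except PermissionError:
        return False


# Constructed probe names a viewer might receive.
PROBES = [
    "server.log",                       # ordinary log file
    "sub/../server.log",                # '..' that stays inside
    "../../../../../../etc/passwd",     # traversal out of the directory
    "/etc/passwd",                      # absolute path replaces the base
    "",                                 # resolves to the directory itself
    "server.log\x00.txt",               # NUL truncation attempt
]


def demo_results() -> dict:
    """Run the probes against a fresh temporary directory."""
    log_dir = tempfile.mkdtemp()
    return {p: is_inside(log_dir, p) for p in PROBES}


if __name__ == "__main__":
    for probe, accepted in demo_results().items():
        print("allow" if accepted else "deny ", repr(probe))
```

Decoding matters as much as the check: if the servlet layer URL-decodes once and the viewer decodes again, "%252e%252e" becomes ".." after the check has run, so the confinement test has to be applied to the final, fully decoded name that will actually be opened.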