Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Jboss_enterprise_application_platform
(Redhat)| Repositories |
• https://github.com/FasterXML/jackson-databind
• https://github.com/bcgit/bc-java • https://github.com/qos-ch/slf4j • https://github.com/apache/cxf • https://github.com/dom4j/dom4j |
| #Vulnerabilities | 228 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2019-10-01 | CVE-2019-10202 | A series of deserialization vulnerabilities have been discovered in Codehaus 1.9.x implemented in EAP 7. This CVE fixes CVE-2017-17485, CVE-2017-7525, CVE-2017-15095, CVE-2018-5968, CVE-2018-7489, CVE-2018-1000873, CVE-2019-12086 reported for FasterXML jackson-databind by implementing a whitelist approach that will mitigate these vulnerabilities and future ones alike. | Jboss_enterprise_application_platform | 9.8 | ||
| 2019-11-18 | CVE-2019-10172 | A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar CVE-2016-3720 also affects codehaus jackson-mapper-asl libraries but in different classes. | Spark, Debian_linux, Jackson\-Mapper\-Asl, Jboss_enterprise_application_platform, Jboss_fuse | 7.5 | ||
| 2020-03-11 | CVE-2011-2487 | The implementations of PKCS#1 v1.5 key transport mechanism for XMLEncryption in JBossWS and Apache WSS4J before 1.6.5 is susceptible to a Bleichenbacher attack. | Cxf, Wss4j, Jboss_business_rules_management_system, Jboss_enterprise_application_platform, Jboss_enterprise_application_platform_text\-Only_advisories, Jboss_enterprise_soa_platform, Jboss_enterprise_web_platform, Jboss_middleware_text\-Only_advisories, Jboss_portal, Jboss_web_services | 5.9 | ||
| 2018-01-24 | CVE-2018-1048 | It was found that the AJP connector in undertow, as shipped in Jboss EAP 7.1.0.GA, does not use the ALLOW_ENCODED_SLASH option and thus allow the the slash / anti-slash characters encoded in the url which may lead to path traversal and result in the information disclosure of arbitrary local files. | Jboss_enterprise_application_platform | 7.5 | ||
| 2020-01-23 | CVE-2019-14885 | A flaw was found in the JBoss EAP Vault system in all versions before 7.2.6.GA. Confidential information of the system property's security attribute value is revealed in the JBoss EAP log file when executing a JBoss CLI 'reload' command. This flaw can lead to the exposure of confidential information. | Jboss_enterprise_application_platform, Single_sign\-On | 4.3 | ||
| 2021-05-27 | CVE-2020-10688 | A cross-site scripting (XSS) flaw was found in RESTEasy in versions before 3.11.1.Final and before 4.5.3.Final, where it did not properly handle URL encoding when the RESTEASY003870 exception occurs. An attacker could use this flaw to launch a reflected XSS attack. | Fuse, Jboss_enterprise_application_platform, Openshift_application_runtimes, Resteasy | 6.1 | ||
| 2021-03-23 | CVE-2019-19343 | A flaw was found in Undertow when using Remoting as shipped in Red Hat Jboss EAP before version 7.2.4. A memory leak in HttpOpenListener due to holding remote connections indefinitely may lead to denial of service. Versions before undertow 2.0.25.SP1 and jboss-remoting 5.0.14.SP1 are believed to be vulnerable. | Active_iq_unified_manager, Jboss\-Remoting, Jboss_enterprise_application_platform, Undertow | 7.5 | ||
| 2020-01-23 | CVE-2019-14888 | A vulnerability was found in the Undertow HTTP server in versions before 2.0.28.SP1 when listening on HTTPS. An attacker can target the HTTPS port to carry out a Denial Of Service (DOS) to make the service unavailable on SSL. | Active_iq_unified_manager, Jboss_data_grid, Jboss_enterprise_application_platform, Jboss_fuse, Single_sign\-On, Undertow | 7.5 | ||
| 2020-06-10 | CVE-2020-10705 | A flaw was discovered in Undertow in versions before Undertow 2.1.1.Final where certain requests to the "Expect: 100-continue" header may cause an out of memory error. This flaw may potentially lead to a denial of service. | Oncommand_insight, Jboss_enterprise_application_platform, Openshift_application_runtimes, Undertow | 7.5 | ||
| 2019-07-25 | CVE-2019-10184 | undertow before version 2.0.23.Final is vulnerable to an information leak issue. Web apps may have their directory structures predicted through requests without trailing slashes via the api. | Active_iq_unified_manager, Jboss_data_grid, Jboss_enterprise_application_platform, Openshift_application_runtimes, Single_sign\-On, Undertow | 7.5 |