Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Openshift_application_runtimes
(Redhat)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 33 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2020-05-13 | CVE-2020-1714 | A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized in a privileged context and potentially lead to remote code execution. | Quarkus, Decision_manager, Jboss_fuse, Keycloak, Openshift_application_runtimes, Process_automation, Single_sign\-On | 8.8 | ||
| 2020-07-24 | CVE-2020-14297 | A flaw was discovered in Wildfly's EJB Client as shipped with Red Hat JBoss EAP 7, where some specific EJB transaction objects may get accumulated over the time and can cause services to slow down and eventaully unavailable. An attacker can take advantage and cause denial of service attack and make services unavailable. | Amq, Jboss\-Ejb\-Client, Jboss_enterprise_application_platform_continuous_delivery, Jboss_fuse, Openshift_application_runtimes, Single_sign\-On | 6.5 | ||
| 2020-07-24 | CVE-2020-14307 | A vulnerability was found in Wildfly's Enterprise Java Beans (EJB) versions shipped with Red Hat JBoss EAP 7, where SessionOpenInvocations are never removed from the remote InvocationTracker after a response is received in the EJB Client, as well as the server. This flaw allows an attacker to craft a denial of service attack to make the service unavailable. | Amq, Jboss_enterprise_application_platform_continuous_delivery, Jboss_fuse, Openshift_application_runtimes, Single_sign\-On | 6.5 | ||
| 2020-09-16 | CVE-2020-1710 | The issue appears to be that JBoss EAP 6.4.21 does not parse the field-name in accordance to RFC7230[1] as it returns a 200 instead of a 400. | Jboss_data_grid, Jboss_enterprise_application_platform, Openshift_application_runtimes, Single_sign\-On | 5.3 | ||
| 2020-10-06 | CVE-2020-25644 | A memory leak flaw was found in WildFly OpenSSL in versions prior to 1.1.3.Final, where it removes an HTTP session. It may allow the attacker to cause OOM leading to a denial of service. The highest threat from this vulnerability is to system availability. | Oncommand_insight, Oncommand_workflow_automation, Service_level_manager, Data_grid, Jboss_data_grid, Jboss_enterprise_application_platform, Jboss_fuse, Openshift_application_runtimes, Single_sign\-On, Wildfly_openssl | 7.5 | ||
| 2020-10-16 | CVE-2020-14299 | A flaw was found in JBoss EAP, where the authentication configuration is set-up using a legacy SecurityRealm, to delegate to a legacy PicketBox SecurityDomain, and then reloaded to admin-only mode. This flaw allows an attacker to perform a complete authentication bypass by using an arbitrary user and password. The highest threat to vulnerability is to system availability. | Jboss_enterprise_application_platform, Openshift_application_runtimes, Single_sign\-On | 6.5 | ||
| 2020-11-02 | CVE-2020-25689 | A memory leak flaw was found in WildFly in all versions up to 21.0.0.Final, where host-controller tries to reconnect in a loop, generating new connections which are not properly closed while not able to connect to domain-controller. This flaw allows an attacker to cause an Out of memory (OOM) issue, leading to a denial of service. The highest threat from this vulnerability is to system availability. | Active_iq_unified_manager, Oncommand_insight, Service_level_manager, Fuse, Jboss_data_grid, Jboss_enterprise_application_platform, Jboss_fuse, Openshift_application_runtimes, Single_sign\-On, Wildfly | 6.5 | ||
| 2021-02-11 | CVE-2020-1717 | A flaw was found in Keycloak 7.0.1. A logged in user can do an account email enumeration attack. | Jboss_fuse, Keycloak, Openshift_application_runtimes, Single_sign\-On | 2.7 | ||
| 2021-02-23 | CVE-2020-27782 | A flaw was found in the Undertow AJP connector. Malicious requests and abrupt connection closes could be triggered by an attacker using query strings with non-RFC compliant characters resulting in a denial of service. The highest threat from this vulnerability is to system availability. This affects Undertow 2.1.5.SP1, 2.0.33.SP2, and 2.2.3.SP1. | Jboss_fuse, Openshift_application_runtimes, Undertow | 7.5 | ||
| 2021-08-05 | CVE-2021-3642 | A flaw was found in Wildfly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final where ScramServer may be susceptible to Timing Attack if enabled. The highest threat of this vulnerability is confidentiality. | Quarkus, Build_of_quarkus, Codeready_studio, Data_grid, Descision_manager, Integration_camel_k, Integration_camel_quarkus, Jboss_enterprise_application_platform, Jboss_enterprise_application_platform_expansion_pack, Jboss_fuse, Openshift_application_runtimes, Process_automation, Wildfly_elytron | 5.3 |