Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Wildfly
(Redhat)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 16 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2018-05-09 | CVE-2018-10683 | An issue was discovered in WildFly 10.1.2.Final. In the case of a default installation without a security realm reference, an attacker can successfully access the server without authentication. NOTE: the Security Realms documentation in the product's Admin Guide indicates that "without a security realm reference" implies "effectively unsecured." The vendor explicitly supports these unsecured configurations because they have valid use cases during development | Wildfly | 9.8 | ||
| 2020-06-22 | CVE-2020-10740 | A vulnerability was found in Wildfly in versions before 20.0.0.Final, where a remote deserialization attack is possible in the Enterprise Application Beans(EJB) due to lack of validation/filtering capabilities in wildfly. | Wildfly | 7.5 | ||
| 2020-11-24 | CVE-2020-25640 | A flaw was discovered in WildFly before 21.0.0.Final where, Resource adapter logs plain text JMS password at warning level on connection error, inserting sensitive information in the log file. | Wildfly | 5.3 | ||
| 2022-09-13 | CVE-2022-1278 | A flaw was found in WildFly, where an attacker can see deployment names, endpoints, and any other data the trace payload may contain. | Amq, Amq_online, Integration_camel_k, Integration_service_registry, Jboss_a\-Mq, Jboss_enterprise_application_platform_expansion_pack, Single_sign\-On, Wildfly | 7.5 | ||
| 2020-11-02 | CVE-2020-25689 | A memory leak flaw was found in WildFly in all versions up to 21.0.0.Final, where host-controller tries to reconnect in a loop, generating new connections which are not properly closed while not able to connect to domain-controller. This flaw allows an attacker to cause an Out of memory (OOM) issue, leading to a denial of service. The highest threat from this vulnerability is to system availability. | Active_iq_unified_manager, Oncommand_insight, Service_level_manager, Fuse, Jboss_data_grid, Jboss_enterprise_application_platform, Jboss_fuse, Openshift_application_runtimes, Single_sign\-On, Wildfly | 6.5 | ||
| 2022-04-18 | CVE-2021-3503 | A flaw was found in Wildfly where insufficient RBAC restrictions may lead to expose metrics data. The highest threat from this vulnerability is to the confidentiality. | Wildfly | 4.3 | ||
| 2022-08-26 | CVE-2021-3644 | A flaw was found in wildfly-core in all versions. If a vault expression is in the form of a single attribute that contains multiple expressions, a user who was granted access to the management interface can potentially access a vault expression they should not be able to access and possibly retrieve the item which was stored in the vault. The highest threat from this vulnerability is data confidentiality and integrity. | Descision_manager, Wildfly | 3.3 | ||
| 2022-05-10 | CVE-2022-0866 | This is a concurrency issue that can result in the wrong caller principal being returned from the session context of an EJB that is configured with a RunAs principal. In particular, the org.jboss.as.ejb3.component.EJBComponent class has an incomingRunAsIdentity field. This field is used by the org.jboss.as.ejb3.security.RunAsPrincipalInterceptor to keep track of the current identity prior to switching to a new identity created using the RunAs principal. The exploit consist that the... | Jboss_enterprise_application_platform, Openstack_platform, Wildfly | 5.3 | ||
| 2020-03-16 | CVE-2019-14887 | A flaw was found when an OpenSSL security provider is used with Wildfly, the 'enabled-protocols' value in the Wildfly configuration isn't honored. An attacker could target the traffic sent from Wildfly and downgrade the connection to a weaker version of TLS, potentially breaking the encryption. This could lead to a leak of the data being passed over the network. Wildfly version 7.2.0.GA, 7.2.3.GA and 7.2.5.CR2 are believed to be vulnerable. | Jboss_data_grid, Jboss_enterprise_application_platform, Jboss_fuse, Openshift_application_runtimes, Single_sign\-On, Wildfly | 9.1 | ||
| 2021-06-07 | CVE-2020-1719 | A flaw was found in wildfly. The EJBContext principle is not popped back after invoking another EJB using a different Security Domain. The highest threat from this vulnerability is to data confidentiality and integrity. Versions before wildfly 20.0.0.Final are affected. | Wildfly | 5.4 |