Remote Code Execution (RCE)
jboss-seam2 is vulnerable to remote code execution RCE attacks. The vulnerability exists as org.jboss.seam.web.AuthenticationFilter in Red Hat JBoss Web Framework Kit 2.5.0, JBoss Enterprise Application Platform JBEAP 5.2.0, and JBoss Enterprise Web Platform JBEWP 5.2.0 allows remote attackers to...
Input validation
PicketBox and JBossSX, as used in Red Hat JBoss Enterprise Application Platform JBEAP 6.2.2 and JBoss BRMS before 6.0.3 roll up patch 2, allows remote authenticated users to read and modify the application server configuration and state by deploying a crafted application...
CVE-2014-0005
PicketBox and JBossSX, as used in Red Hat JBoss Enterprise Application Platform JBEAP 6.2.2 and JBoss BRMS before 6.0.3 roll up patch 2, allows remote authenticated users to read and modify the application server configuration and state by deploying a crafted application...
CVE-2014-3530
The org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory method in PicketLink, as used in Red Hat JBoss Enterprise Application Platform JBEAP 5.2.0 and 6.2.4, expands entity references, which allows remote attackers to read arbitrary code and possibly have other unspecified impact vi...
CVE-2014-0093
Red Hat JBoss Enterprise Application Platform JBEAP 6.2.2, when using a Java Security Manager JSM, does not properly apply permissions defined by a policy file, which causes applications to be granted the java.security.AllPermission permission and allows remote attackers to bypass intended access...
CVE-2014-0093
CVE-2014-0093 affects Red Hat JBoss EAP 6.2.2 when running under a Java Security Manager, where permissions defined by a policy file are not properly applied, causing deployed applications to receive java.security.AllPermission and potentially bypass access restrictions. The issue is documented a...
CVE-2014-0018
Red Hat JBoss Enterprise Application Platform JBEAP 6.2.0 and JBoss WildFly Application Server, when run under a security manager, do not properly restrict access to the Modular Service Container MSC service registry, which allows local users to modify the server via a crafted deployment...
Design/Logic Flaw
Red Hat JBoss Enterprise Application Platform JBEAP 6.2.0 and JBoss WildFly Application Server, when run under a security manager, do not properly restrict access to the Modular Service Container MSC service registry, which allows local users to modify the server via a crafted deployment...
RHEL 4 : JBoss EAP (RHSA-2009:1146)
Updated JBoss Enterprise Application Platform JBEAP 4.3 packages that fix various issues are now available for Red Hat Enterprise Linux 4 as JBEAP 4.3.0.CP05. This update has been rated as having important security impact by the Red Hat Security Response Team. JBoss Enterprise Application Platfor...
RHEL 4 : JBoss EAP (RHSA-2010:0377)
Updated JBoss Enterprise Application Platform JBEAP 4.3 packages that fix three security issues and multiple bugs are now available for Red Hat Enterprise Linux 4 as JBEAP 4.3.0.CP08. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability...
RHEL 4 : JBoss EAP (RHSA-2008:0833)
Updated JBoss Enterprise Application Platform JBEAP 4.2 packages that fix various security issues are now available for Red Hat Enterprise Linux 4 as JBEAP 4.2.0.CP04. This update has been rated as having low security impact by the Red Hat Security Response Team. JBoss Enterprise Application...
RHEL 5 : JBoss EAP (RHSA-2008:0213)
New JBoss Enterprise Application Platform JBEAP packages, comprising the 4.2.0.CP02 release, are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. JBEAP is a middleware platform for Java 2 Platform,...
RHEL 4 : JBoss EAP (RHSA-2008:0831)
Updated JBoss Enterprise Application Platform JBEAP 4.3 packages that fix various security issues are now available for Red Hat Enterprise Linux 4 as JBEAP 4.3.0.CP02. This update has been rated as having low security impact by the Red Hat Security Response Team. JBoss Enterprise Application...
CVE-2012-4549
CVE-2012-4549 affects JBoss EAP/JBoss EAP Platform (JBoss EAP/JBEAP) prior to 6.0.1. The processInvocation() function in org.jboss.as.ejb3.security.AuthorizationInterceptor incorrectly authorizes all EJB method invocations when the allowed-roles list is empty, bypassing access controls. Red Hat/J...
CVE-2010-4265
CVE-2010-4265 affects JBoss Remoting BisocketServerInvoker in JBoss EAP/JBEAP 4.3.x (through 4.3.0.CP09) and 2.2.x (before 2.2.3.SP4) and 2.5.x (before 2.5.3.SP2). The vulnerability arises in BisocketServerInvoker$SecondaryServerSocketThread.run, enabling remote DoS by establishing a bisocket con...
CVE-2010-3708
CVE-2010-3708 affects Red Hat JBoss Enterprise Application Platform (JBEAP) 4.3.x (prior to 4.3.0.CP09) and JBoss SOA Platform 4.2/4.3, where the Drools serialization embeds class files, enabling remote code execution via a crafted static initializer. The vulnerability is rooted in the serializat...
CVE-2010-0738
CVE-2010-0738 affects JBoss AS/JBoss EAP 4.2.x before 4.2.0.CP09 and 4.3.x before 4.3.0.CP08. The JMX-Console performs access control only for GET/POST, allowing remote attackers to send requests via a different method to reach the GET handler. Impact described as an authentication/authorization ...
CVE-2009-1380
CVE-2009-1380 is an XSS in JBoss JMX-Console (JBoss EAP/JBEAP). Affected: JBoss EAP 4.2 before 4.2.0.CP08 and 4.3 before 4.3.0.CP07. Root cause: improper handling of the filter parameter (quotes/colon) in the JMX Console, enabling injection of arbitrary script/HTML. Impact: remote attacker could ...