21 matches found
CVE-2023-4586
CVE-2023-4586 (Hot Rod client) is described as a vulnerability where the Hot Rod client does not enable hostname validation when using TLS, which could enable a man-in-the-middle (MITM) attack and compromise the confidentiality of communications. The connected materials reaffirm the same issue an...
CVE-2024-7885
CVE-2024-7885 affects Undertow's ProxyProtocolReadListener, where parseProxyProtocolV1 reuses a single StringBuilder across multiple requests, potentially leaking data between requests on the same HTTP connection and, in multi-request environments, exposing previous values. The connected Red Hat ...
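The state-reuse pattern this entry describes, shown as an added Python example rather than Undertow's own code: a simplified PROXY protocol v1 parser keeps its token buffer per connection and reuses it across lines, so a later "PROXY UNKNOWN" line comes back carrying the addresses of the previous line, while the fixed variant uses a buffer local to each call. The PROXY lines are constructed, and the exact Undertow code path is not reproduced; only the bug class is.

```python
"""Models the state-reuse bug class behind CVE-2024-7885 with a simplified
PROXY protocol v1 parser: a token buffer kept per connection and reused
across lines. Added example; this is not Undertow's code and does not
reproduce the exact Undertow code path."""

from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines (RFC 5737 documentation addresses).
LINE_TCP4 = "PROXY TCP4 198.51.100.7 203.0.113.9 51234 443\r\n"
LINE_UNKNOWN = "PROXY UNKNOWN\r\n"  # the proxy does not know the client


@dataclass
class ProxyInfo:
    proto: str
    src: Optional[str] = None
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None


def _to_info(tokens: List[str]) -> ProxyInfo:
    """Map the token list of one PROXY line to a ProxyInfo."""
    if len(tokens) < 2 or tokens[0] != "PROXY":
        raise ValueError("missing PROXY signature")
    proto = tokens[1]
    if proto not in ("TCP4", "TCP6", "UNKNOWN"):
        raise ValueError("unknown protocol " + proto)
    if len(tokens) == 2:
        return ProxyInfo(proto)
    if len(tokens) != 6:
        raise ValueError("malformed PROXY line")
    return ProxyInfo(proto, tokens[2], tokens[3], int(tokens[4]), int(tokens[5]))


def _split(line: str) -> List[str]:
    if not line.endswith("\r\n"):
        raise ValueError("incomplete PROXY line")
    return line[:-2].split(" ")


class VulnerableParser:
    """One instance per connection. BUG: self.tokens (standing in for a
    reused StringBuilder) is never reset between lines, so a later, shorter
    line is completed with values left over from the earlier one."""

    def __init__(self) -> None:
        self.tokens: List[str] = []

    def parse(self, line: str) -> ProxyInfo:
        for i, tok in enumerate(_split(line)):
            if i < len(self.tokens):
                self.tokens[i] = tok      # overwrites only the positions supplied
            else:
                self.tokens.append(tok)
        return _to_info(self.tokens)


class FixedParser:
    """Per-call buffer: nothing survives from one line to the next."""

    def parse(self, line: str) -> ProxyInfo:
        return _to_info(_split(line))


def demo() -> tuple:
    """Parse a TCP4 line and then an UNKNOWN line on the same connection with
    each parser; returns (vulnerable_result, fixed_result) for the second line."""
    conn = VulnerableParser()
    conn.parse(LINE_TCP4)
    stale = conn.parse(LINE_UNKNOWN)      # still carries 198.51.100.7 and port 443
    fresh = FixedParser().parse(LINE_UNKNOWN)
    return stale, fresh


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The practitioner's check is the same in any language: parser scratch state that lives on the connection object, rather than on the stack of the call that parses one message, is state that can leak into the next message on that connection.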
CVE-2015-7501
CVE-2015-7501 involves a deserialization flaw in Apache Commons Collections that affects Red Hat JBoss Middleware stack (A-MQ 6.x; BPMS 6.x; BRMS 5.x/6.x; JDG 6.x/5.x; JDV 6.x/5.x; AEP 6.x; Fuse 6.x; FSW 6.x; JBoss ON 3.x; Portal 6.x; SOA-P 5.x; JWS 3.x; OpenShift/xPaaS 3.x; Subscription Asset Ma...
CVE-2021-3536
CVE-2021-3536 concerns a WildFly/JBoss EAP domain-mode admin console vulnerability allowing XSS via the name field when creating roles, affecting confidentiality and integrity. Affected software is WildFly (prior to 23.0.2.Final). The issue arises in the domain mode role-creation flow and can be tr...
CVE-2021-3642
CVE-2021-3642 describes a timing-attack vulnerability in Wildfly Elytron’s ScramServer, affecting versions prior to 1.10.14.Final, 1.15.5.Final, and 1.16.1.Final. The highest impact is confidentiality; no exploitation details are provided in the documents. Connected advisories (e.g., Red Hat RHSA...
CVE-2020-25644
CVE-2020-25644 is a memory‑leak vulnerability in WildFly OpenSSL (WildFly OpenSSL natives) prior to 1.1.3.Final. The flaw causes a memory leak per HTTP session creation, which can lead to Out-Of-Memory and a denial of service, predominantly affecting availability. Affected component/file: WildFly...
CVE-2019-14838
The CVE-2019-14838 entry concerns WildFly (wildfly-core) prior to 7.2.5.GA, where Management users bearing Monitor, Auditor, or Deployer roles could modify the server’s runtime state due to an authorization misconfiguration. The issue is tied to WildFly/JBoss components, with multiple advisories ...
CVE-2023-5236
CVE-2023-5236 affects Infinispan and is caused by failing to detect circular object references during unmarshalling, enabling a remote-authenticated attacker to insert a crafted object into the cache to trigger out-of-memory conditions and a denial of service....
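The unmarshalling defect this entry describes, as an added Python example (not Infinispan code): a naive unmarshaller expands a reference graph into nested objects and, given a crafted back-reference, never terminates and grows without bound (a node budget stands in for the OutOfMemoryError here), while the safe variant tracks the ids on the current path and rejects the cycle before allocating anything, yet still accepts a legitimate shared reference. The node-id encoding and the three payloads are constructed.

```python
"""Models the unmarshalling bug class of CVE-2023-5236: expanding an object
graph without detecting circular references. Added example, not Infinispan
code; the reference encoding below (node id -> child ids) is constructed."""

from typing import Any, Dict, List, Optional, Set

Graph = Dict[str, List[str]]

# Constructed payloads.
TREE: Graph = {"root": ["a", "b"], "a": [], "b": []}
DIAMOND: Graph = {"root": ["a", "b"], "a": ["c"], "b": ["c"], "c": []}  # shared c, no cycle
CYCLE: Graph = {"root": ["a"], "a": ["b"], "b": ["root"]}               # crafted back-reference


class BudgetExceeded(Exception):
    """Stands in for the OutOfMemoryError a real unmarshaller would hit."""


class Budget:
    def __init__(self, nodes: int) -> None:
        self.nodes = nodes

    def take(self) -> None:
        self.nodes -= 1
        if self.nodes < 0:
            raise BudgetExceeded("node budget exhausted")


def unmarshal_naive(graph: Graph, node: str, budget: Budget) -> Dict[str, Any]:
    """Expands every reference into a fresh nested dict. On CYCLE this would
    never terminate and would grow without bound; the budget makes it fail
    fast instead of exhausting memory."""
    budget.take()
    return {node: [unmarshal_naive(graph, child, budget) for child in graph[node]]}


def unmarshal_safe(graph: Graph, node: str,
                   in_progress: Optional[Set[str]] = None,
                   done: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
    """Tracks the ids on the current path (cycle detection) separately from
    ids already finished, so a legitimate shared reference is reused rather
    than re-expanded and is not mistaken for a cycle."""
    in_progress = set() if in_progress is None else in_progress
    done = {} if done is None else done
    if node in done:
        return done[node]
    if node in in_progress:
        raise ValueError("circular reference via %r" % node)
    in_progress.add(node)
    obj = {node: [unmarshal_safe(graph, child, in_progress, done) for child in graph[node]]}
    in_progress.remove(node)
    done[node] = obj
    return obj


def outcome(fn, graph: Graph) -> str:
    """'ok', 'circular' (rejected before any blow-up) or 'exhausted'."""
    try:
        fn(graph)
        return "ok"
    except ValueError:
        return "circular"
    except (BudgetExceeded, RecursionError):
        return "exhausted"


def naive(graph: Graph) -> Dict[str, Any]:
    return unmarshal_naive(graph, "root", Budget(200))


def safe(graph: Graph) -> Dict[str, Any]:
    return unmarshal_safe(graph, "root")


if __name__ == "__main__":
    for name, g in (("TREE", TREE), ("DIAMOND", DIAMOND), ("CYCLE", CYCLE)):
        print(name, "naive:", outcome(naive, g), "safe:", outcome(safe, g))
```

The distinction between the in-progress set and the done map matters: checking a single "seen" set would reject DIAMOND as circular and break every payload with shared sub-objects, which is why cycle detection in a real unmarshaller is a per-path check, not a global one.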
CVE-2025-23368
CVE-2025-23368 relates to the Wildfly Elytron integration exposing a brute-force risk for CLI authentication. Red Hat’s advisory RHSA-2026:18059 (and CVE-2025-23368‑specific RHSA-2026:18059-CVE-2025-23368) fixes this in Red Hat JBoss Enterprise Application Platform 8.1.6 and WildFly Core updates....
CVE-2025-12543
Undertow core in WildFly/JBoss EAP is affected by CVE-2025-12543 due to improper validation of the Host header in HTTP requests. This can allow cache poisoning, internal network discovery, or user session hijacking. The CVSSv3.1 base score is 9.6 (CRITICAL) with network access, low attack complex...
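A Host header check of the kind this entry concerns, as an added Python example (not Undertow code and not the upstream fix, whose exact input handling the entry does not describe): the value is validated as an RFC 3986 host with optional port, userinfo and path characters are refused, and the canonical name is matched against an allow-list before it is used for anything. The allow-list and port set are constructed for the example.

```python
"""Host header validation of the kind the CVE-2025-12543 entry concerns.
Added example, not Undertow code: an allow-list check a reverse proxy or
servlet filter can apply before the Host value feeds URL generation,
cache keys or redirects. The allow-list and ports are constructed."""

import ipaddress
import re

ALLOWED_HOSTS = {"app.example.com", "www.example.com"}   # constructed
ALLOWED_PORTS = {80, 443, 8443}                           # constructed

# RFC 1123 host name: dot-separated labels of letters, digits and hyphens,
# no leading or trailing hyphen, at most 63 characters per label.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_REG_NAME = re.compile(r"^" + _LABEL + r"(?:\." + _LABEL + r")*$")


def validate_host(value: str) -> str:
    """Return the canonical host name if `value` is a well-formed Host header
    naming a host this deployment serves; raise ValueError otherwise."""
    if not value or value != value.strip():
        raise ValueError("empty or padded Host")
    if any(c in value for c in "/?#@\\ \t"):
        raise ValueError("illegal character in Host")   # path, userinfo, whitespace
    if value.startswith("["):                           # IPv6 literal per RFC 3986
        end = value.find("]")
        if end < 0:
            raise ValueError("unterminated IPv6 literal")
        ipaddress.IPv6Address(value[1:end])             # raises ValueError if malformed
        host, rest = value[:end + 1], value[end + 1:]
        if rest and not rest.startswith(":"):
            raise ValueError("trailing bytes after IPv6 literal")
        port_str, has_port = rest[1:], bool(rest)
    else:
        host, sep, port_str = value.partition(":")
        has_port = bool(sep)
        if ":" in port_str:
            raise ValueError("more than one ':' in Host")
    if has_port:
        if not (port_str.isascii() and port_str.isdigit()):
            raise ValueError("malformed port")
        if int(port_str) not in ALLOWED_PORTS:
            raise ValueError("port %s not served here" % port_str)
    host = host.lower().rstrip(".")                     # canonical form for the allow-list
    if not host.startswith("[") and (len(host) > 253 or not _REG_NAME.match(host)):
        raise ValueError("malformed host name")
    if host not in ALLOWED_HOSTS:
        raise ValueError("host %r not served here" % host)
    return host


if __name__ == "__main__":
    for v in ("App.Example.com:443", "app.example.com@evil.test", "[::1]:8443"):
        try:
            print(v, "->", validate_host(v))
        except ValueError as exc:
            print(v, "-> rejected:", exc)
```

The allow-list is what closes the poisoning and discovery cases the entry lists: syntax checks alone still accept any well-formed name an attacker chooses, so generated absolute URLs should come from configuration or from this canonical value, never from the raw header.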
CVE-2023-3628
CVE-2023-3628 affects Infinispan REST: bulk read endpoints fail to properly enforce user permissions, potentially allowing an authenticated user to access data outside their intended scope. The condition is documented across multiple sources (GHSA-FHR7-8JX4-R9CP, NVD/NVD-linked CVE, and Red Hat a...
CVE-2023-3629
CVE-2023-3629 concerns Infinispan REST: cache retrieval endpoints fail to properly enforce admin permissions, potentially allowing an authenticated user to access data outside their intended permissions. The description in multiple sources confirms an information exposure risk without admin autho...
CVE-2023-5384
CVE-2023-5384 affects Infinispan: when serializing a cache configuration to XML/JSON/YAML that contains credentials (e.g., JDBC store with connection pooling, remote store), the credentials are returned in clear text as part of the configuration. This exposes sensitive data if the configuration i...
CVE-2020-25711
CVE-2020-25711 affects Infinispan 10 REST API where authorization checks are not performed for certain server-management operations. When authz is enabled, any authenticated user can perform actions such as shutting down the server without the ADMIN role, enabling an authorization-check bypass. T...
CVE-2020-10771
The CVE-2020-10771 entry describes a CSRF vulnerability in Infinispan 10: REST endpoints can be exploited via GET requests to perform actions with side effects. This is documented in the NVD entry and mirrored in Red Hat advisories (RHSA) tying the issue to Infinispan REST GET-action handling. Im...
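The two REST defects in the Infinispan 10 entries above (management actions without an ADMIN check, and side-effecting actions reachable by GET), modelled together in an added Python example that is not Infinispan code: a route table records the method, required role and side-effect flag for each action, and the dispatcher refuses a safe method for any side-effecting route before it checks the role, so a cross-site GET cannot stop the server even when the victim is an administrator. Routes, roles and the request shape are constructed.

```python
"""Models the two Infinispan 10 REST authorisation defects described above:
management actions reachable without an ADMIN check (CVE-2020-25711) and
side-effecting actions reachable by GET (CVE-2020-10771). Added example, not
Infinispan code; routes, roles and the request shape are constructed."""

from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    user: str               # "" means unauthenticated
    roles: FrozenSet[str]


@dataclass
class Route:
    method: str             # the only method that may invoke this action
    required_role: str      # "" means any authenticated user
    side_effect: bool
    handler: Callable[[Request], str]


class Server:
    def __init__(self) -> None:
        self.running = True
        self.routes: Dict[str, Route] = {}

    def route(self, method: str, path: str, role: str, side_effect: bool):
        def register(fn: Callable[[Request], str]) -> Callable[[Request], str]:
            self.routes[path] = Route(method, role, side_effect, fn)
            return fn
        return register

    def dispatch(self, req: Request) -> Tuple[int, str]:
        route = self.routes.get(req.path)
        if route is None:
            return 404, "not found"
        if not req.user:
            return 401, "authentication required"
        # CSRF control: an action with side effects is never reachable through a
        # safe method, which a browser issues cross-site without restriction.
        if route.side_effect and req.method in ("GET", "HEAD"):
            return 405, "side-effecting action not allowed via " + req.method
        if req.method != route.method:
            return 405, "method not allowed"
        # Authorisation runs for every route, management endpoints included.
        if route.required_role and route.required_role not in req.roles:
            return 403, "requires role " + route.required_role
        return 200, route.handler(req)


def build_server() -> Server:
    srv = Server()

    @srv.route("POST", "/server/stop", role="ADMIN", side_effect=True)
    def stop(req: Request) -> str:
        srv.running = False
        return "stopping"

    @srv.route("GET", "/caches", role="", side_effect=False)
    def list_caches(req: Request) -> str:
        return "cache-a,cache-b"

    return srv


if __name__ == "__main__":
    s = build_server()
    print(s.dispatch(Request("GET", "/server/stop", "alice", frozenset({"MONITOR"}))))
    print(s.dispatch(Request("POST", "/server/stop", "root", frozenset({"ADMIN"}))))
```

Requiring a non-safe method removes the GET vector the entry describes; a cross-site POST from an HTML form still needs an Origin check or a token, which this model leaves out.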
CVE-2026-28369
Undertow contains a vulnerability where the first HTTP header line with leading spaces is stripped, violating HTTP standards and enabling request smuggling. Affected component: Undertow HTTP header parsing. Root cause: improper handling that trims leading spaces on the initial header line. Impact...
CVE-2021-31917
CVE-2021-31917: Affects Red Hat Data Grid 8.x (8.0.0, 8.0.1, 8.1.0, 8.1.1) and Infinispan (10.0.0–12.0.0). Root cause is an authentication bypass on all REST endpoints when Digest authentication is used, exposing data confidentiality, integrity, and availability risks. Remediation in Red Hat advi...
CVE-2026-28367
Undertow contains a flaw that allows HTTP request smuggling by sending a header terminator of \r\r\r. A remote attacker could exploit this against certain proxies (e.g., older Apache Traffic Server, Google Cloud Classic Application Load Balancer) to cause unauthorized access or manipulation of we...
CVE-2025-5731
CVE-2025-5731 affects the Infinispan CLI, where a credential decoded from a Kubernetes secret is handled in plaintext and can appear in a command string, potentially leaking data in an error message when a command is not found. Root cause: insecure processing/embedding of the decoded sec...
CVE-2026-28368
A vulnerability (CVE-2026-28368) affects Undertow and involves a discrepancy in header parsing between Undertow and upstream proxies, enabling HTTP request smuggling. Reported across multiple sources (NVD, Debian/Ubuntu OSV, Circl, GitHub advisories, and Nessus plugin) with confirmed references t...
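The parser discrepancy behind this entry and the CVE-2026-28369 entry above (a header line with leading whitespace being stripped and honoured), as an added Python example that models the behaviour rather than reproducing Undertow's code: RFC 9112 section 2.2 lets a recipient either reject a message whose first header line starts with whitespace or consume that line without processing it, so a front end doing either disagrees with a back end that trims the whitespace and honours the line. With a whitespace-led Transfer-Encoding and a Content-Length covering a hidden second request, the front end sees one request and the back end sees two. The connection buffer is constructed; the CVE-2026-28367 terminator case is the same class but is not modelled, since the entry does not describe the proxies' exact behaviour.

```python
"""Models the header-parsing discrepancy behind the Undertow request
smuggling entries: RFC 9112 2.2 lets a recipient either reject a message
with whitespace before its first header field or consume such lines without
processing them; a parser that instead trims the whitespace and honours the
line disagrees with a front end on where the message ends. Added example;
these parsers are models of the described behaviour, not Undertow's code."""

from typing import Dict, List, Tuple

Message = Dict[str, object]


def _read_chunked(buf: bytes) -> Tuple[bytes, bytes]:
    """Decode a chunked body (no trailers in this model); return (body, rest)."""
    body = bytearray()
    while True:
        size_line, sep, buf = buf.partition(b"\r\n")
        if not sep:
            raise ValueError("incomplete chunk size")
        size = int(size_line.split(b";")[0], 16)
        if size == 0:
            trailer, sep, buf = buf.partition(b"\r\n")
            if not sep or trailer:
                raise ValueError("trailers not supported")
            return bytes(body), buf
        if buf[size:size + 2] != b"\r\n":
            raise ValueError("bad chunk terminator")
        body += buf[:size]
        buf = buf[size + 2:]


def parse_one(buf: bytes, mode: str) -> Tuple[Message, bytes]:
    """Parse one request from buf. mode is how a whitespace-preceded first
    header line is treated: 'reject' or 'ignore' (both RFC-permitted) or
    'trim' (the behaviour the entry describes)."""
    head, sep, rest = buf.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete head")
    lines = head.split(b"\r\n")
    headers: List[Tuple[str, str]] = []
    for i, line in enumerate(lines[1:]):
        if line[:1] in (b" ", b"\t"):
            if i != 0 or mode == "reject":
                raise ValueError("whitespace-led header line")
            if mode == "ignore":
                continue                       # consumed without processing
            line = line.lstrip(b" \t")         # 'trim': the discrepancy
        name, _, value = line.partition(b":")
        headers.append((name.decode("ascii").lower(), value.strip().decode("ascii")))
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]
    if te:                                     # RFC 9112 6.3: TE takes precedence over CL
        if te[-1].lower() != "chunked":
            raise ValueError("unsupported transfer coding")
        body, rest = _read_chunked(rest)
    elif cl:
        n = int(cl[0])
        body, rest = rest[:n], rest[n:]
        if len(body) < n:
            raise ValueError("incomplete body")
    else:
        body = b""
    return {"start": lines[0].decode("ascii"), "headers": headers, "body": body}, rest


def split_requests(raw: bytes, mode: str) -> List[Message]:
    """Parse every request in one connection buffer the way `mode` would."""
    msgs = []
    while raw:
        msg, raw = parse_one(raw, mode)
        msgs.append(msg)
    return msgs


# Constructed connection buffer: one POST whose Content-Length covers the
# zero chunk and a second, hidden request.
HIDDEN = b"GET /admin HTTP/1.1\r\nHost: app.example.com\r\n\r\n"
ZERO_CHUNK = b"0\r\n\r\n"
SMUGGLE = (
    b"POST /api HTTP/1.1\r\n"
    b" Transfer-Encoding: chunked\r\n"          # leading space: the disputed line
    b"Host: app.example.com\r\n"
    b"Content-Length: " + str(len(ZERO_CHUNK) + len(HIDDEN)).encode("ascii") + b"\r\n"
    b"\r\n" + ZERO_CHUNK + HIDDEN
)

if __name__ == "__main__":
    for mode in ("ignore", "trim"):
        print(mode, [m["start"] for m in split_requests(SMUGGLE, mode)])
```

The front end in "ignore" mode forwards the whole buffer as one request with a 51-byte body; the back end in "trim" mode ends that request at the zero chunk and serves the hidden GET /admin as a second request that the front end never evaluated. A check worth keeping in a test suite is the last assertion below: for any RFC-conformant request, all three modes must agree.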
CVE-2026-3260
CVE-2026-3260 affects Undertow and enables Denial of Service via premature multipart/form-data parsing when a GET request with multipart/form-data is processed (e.g., via getParameterMap). The issue is caused by content being parsed and stored to disk during parameter handling, leading to resourc...