Jboss Data Grid@- Security Vulnerabilities and Issues — Jboss Data Grid@- CVE List

Lucene search

RedhatJboss Data Grid-

12 matches found

CVE•added 2019/06/12 2:29 p.m.•315 views

CVE-2019-3888

A vulnerability was found in Undertow web server before 2.0.21. An information exposure of plain text credentials through log files because Connectors.executeRootHandler:402 logs the HttpServerExchange object at ERROR level using UndertowLogger.REQUEST_LOGGER.undertowRequestFailed(t, exchange)

9.8CVSS9.1AI score0.00569EPSS

CVE•added 2019/07/25 9:15 p.m.•306 views

CVE-2019-10184

undertow before version 2.0.23.Final is vulnerable to an information leak issue. Web apps may have their directory structures predicted through requests without trailing slashes via the api.

7.5CVSS7.2AI score0.01089EPSS

CVE•added 2019/11/08 3:15 p.m.•230 views

CVE-2019-10219

A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack.

6.5CVSS6AI score0.01915EPSS

CVE•added 2020/03/02 5:15 p.m.•205 views

CVE-2019-14892

A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.

9.8CVSS9.4AI score0.00873EPSS

CVE•added 2019/10/02 7:15 p.m.•188 views

CVE-2019-10212

A flaw was found in, all under 2.0.20, in the Undertow DEBUG log for io.undertow.request.security. If enabled, an attacker could abuse this flaw to obtain the user's credentials from the log files.

9.8CVSS9AI score0.00466EPSS

CVE•added 2020/01/23 5:15 p.m.•157 views

CVE-2019-14888

A vulnerability was found in the Undertow HTTP server in versions before 2.0.28.SP1 when listening on HTTPS. An attacker can target the HTTPS port to carry out a Denial Of Service (DOS) to make the service unavailable on SSL.

7.5CVSS7.2AI score0.00342EPSS

CVE•added 2020/09/16 3:15 p.m.•153 views

CVE-2020-1710

The issue appears to be that JBoss EAP 6.4.21 does not parse the field-name in accordance to RFC7230[1] as it returns a 200 instead of a 400.

5.3CVSS4.9AI score0.00157EPSS

CVE•added 2019/11/25 11:15 a.m.•120 views

CVE-2019-10174

A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious behavior into the applicat...

8.8CVSS8.3AI score0.01073EPSS

CVE•added 2023/12/18 2:15 p.m.•119 views

CVE-2023-5236

A flaw was found in Infinispan, which does not detect circular object references when unmarshalling. An authenticated attacker with sufficient permissions could insert a maliciously constructed object into the cache and use it to cause out of memory errors and achieve a denial of service.

6.5CVSS5.3AI score0.00122EPSS

CVE•added 2023/12/18 2:15 p.m.•106 views

CVE-2023-3629

A flaw was found in Infinispan's REST, Cache retrieval endpoints do not properly evaluate the necessary admin permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions.

6.5CVSS5.3AI score0.00102EPSS

CVE•added 2023/12/18 2:15 p.m.•105 views

CVE-2023-3628

A flaw was found in Infinispan's REST. Bulk read endpoints do not properly evaluate user permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions.

6.5CVSS6.4AI score0.00089EPSS

CVE•added 2023/12/18 2:15 p.m.•90 views

CVE-2023-5384

A flaw was found in Infinispan. When serializing the configuration for a cache to XML/JSON/YAML, which contains credentials (JDBC store with connection pooling, remote store), the credentials are returned in clear text as part of the configuration.

7.2CVSS5.2AI score0.00165EPSS