Jboss Enterprise Application Platform@- Security Vulnerabilities and Issues — Jboss Enterprise Application Platform@- CVE List

Lucene search

RedhatJboss Enterprise Application Platform-

23 matches found

CVE•added 2023/09/14 3:15 p.m.•2602 views

CVE-2023-1108

A flaw was found in undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status updated in SslConduit, where the loop never terminates.

7.5CVSS7.3AI score0.0481EPSS

CVE•added 2017/10/04 9:1 p.m.•1259 views

CVE-2017-12149

In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization and thus allowing an attacker to execute arbitrary code via ...

9.8CVSS9.7AI score0.94313EPSS

CVE•added 2019/07/25 9:15 p.m.•306 views

CVE-2019-10184

undertow before version 2.0.23.Final is vulnerable to an information leak issue. Web apps may have their directory structures predicted through requests without trailing slashes via the api.

7.5CVSS7.2AI score0.01089EPSS

CVE•added 2022/05/24 7:15 p.m.•257 views

CVE-2021-3629

A flaw was found in Undertow. A potential security issue in flow control handling by the browser over http/2 may potentially cause overhead or a denial of service in the server. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.40.Final and...

5.9CVSS6AI score0.00093EPSS

CVE•added 2022/08/23 4:15 p.m.•255 views

CVE-2021-3690

A flaw was found in Undertow. A buffer leak on the incoming WebSocket PONG message may lead to memory exhaustion. This flaw allows an attacker to cause a denial of service. The highest threat from this vulnerability is availability.

7.5CVSS7.1AI score0.00557EPSS

CVE•added 2019/11/08 3:15 p.m.•230 views

CVE-2019-10219

A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack.

6.5CVSS6AI score0.01915EPSS

CVE•added 2020/07/06 7:15 p.m.•211 views

CVE-2019-14900

A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unautho...

6.5CVSS6.7AI score0.01446EPSS

CVE•added 2020/05/26 4:15 p.m.•207 views

CVE-2020-10719

A flaw was found in Undertow in versions before 2.1.1.Final, regarding the processing of invalid HTTP requests with large chunk sizes. This flaw allows an attacker to take advantage of HTTP request smuggling.

6.5CVSS6AI score0.00167EPSS

CVE•added 2020/09/23 1:15 p.m.•193 views

CVE-2020-10687

A flaw was discovered in all versions of Undertow before Undertow 2.2.0.Final, where HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an attacker to poison a web-cache, perform an XSS at...

5.8CVSS5.4AI score0.02955EPSS

CVE•added 2022/05/24 7:15 p.m.•193 views

CVE-2021-3597

A flaw was found in undertow. The HTTP2SourceChannel fails to write the final frame under some circumstances, resulting in a denial of service. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.35.SP1, prior to 2.2.6.SP1, prior to 2.2.7.SP1...

5.9CVSS5.5AI score0.0017EPSS

CVE•added 2022/05/24 7:15 p.m.•193 views

CVE-2021-3717

A flaw was found in Wildfly. An incorrect JBOSS_LOCAL_USER challenge location when using the elytron configuration may lead to JBOSS_LOCAL_USER access to all users on the machine. The highest threat from this vulnerability is to confidentiality, integrity, and availability. This flaw affects wildfl...

7.8CVSS7.2AI score0.00029EPSS

CVE•added 2019/10/02 7:15 p.m.•188 views

CVE-2019-10212

A flaw was found in, all under 2.0.20, in the Undertow DEBUG log for io.undertow.request.security. If enabled, an attacker could abuse this flaw to obtain the user's credentials from the log files.

9.8CVSS9AI score0.00466EPSS

CVE•added 2023/12/12 10:15 p.m.•188 views

CVE-2023-5379

A flaw was found in Undertow. When an AJP request is sent that exceeds the max-header-size attribute in ajp-listener, JBoss EAP is marked in an error state by mod_cluster in httpd, causing JBoss EAP to close the TCP connection without returning an AJP response. This happens because mod_proxy_cluste...

7.5CVSS7.3AI score0.00128EPSS

CVE•added 2023/11/08 1:15 a.m.•177 views

CVE-2023-4061

A flaw was found in wildfly-core. A management user could use the resolve-expression in the HAL Interface to read possible sensitive information from the Wildfly system. This issue could allow a malicious user to access the system and obtain possible sensitive information from the system.

6.5CVSS6.5AI score0.00197EPSS

CVE•added 2020/09/16 3:15 p.m.•153 views

CVE-2020-1710

The issue appears to be that JBoss EAP 6.4.21 does not parse the field-name in accordance to RFC7230[1] as it returns a 200 instead of a 400.

5.3CVSS4.9AI score0.00157EPSS

CVE•added 2023/12/27 4:15 p.m.•150 views

CVE-2023-3171

A flaw was found in EAP-7 during deserialization of certain classes, which permits instantiation of HashMap and HashTable with no checks on resources consumed. This issue could allow an attacker to submit malicious requests using these classes, which could eventually exhaust the heap and result in ...

7.5CVSS7.4AI score0.00171EPSS

CVE•added 2021/05/27 7:15 p.m.•137 views

CVE-2020-10688

A cross-site scripting (XSS) flaw was found in RESTEasy in versions before 3.11.1.Final and before 4.5.3.Final, where it did not properly handle URL encoding when the RESTEASY003870 exception occurs. An attacker could use this flaw to launch a reflected XSS attack.

6.1CVSS5.7AI score0.00432EPSS

CVE•added 2020/06/10 8:15 p.m.•129 views

CVE-2020-10705

A flaw was discovered in Undertow in versions before Undertow 2.1.1.Final where certain requests to the "Expect: 100-continue" header may cause an out of memory error. This flaw may potentially lead to a denial of service.

7.5CVSS7.1AI score0.00384EPSS

CVE•added 2019/11/25 11:15 a.m.•120 views

CVE-2019-10174

A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious behavior into the applicat...

8.8CVSS8.3AI score0.01073EPSS

CVE•added 2024/02/06 9:15 a.m.•115 views

CVE-2023-4503

An improper initialization vulnerability was found in Galleon. When using Galleon to provision custom EAP or EAP-XP servers, the servers are created unsecured. This issue could allow an attacker to access remote HTTP services available from the server.

7.5CVSS7.2AI score0.00249EPSS

CVE•added 2024/04/25 5:15 p.m.•109 views

CVE-2024-1102

A vulnerability was found in jberet-core logging. An exception in 'dbProperties' might display user credentials such as the username and password for the database-connection.

6.5CVSS6.7AI score0.0011EPSS

CVE•added 2024/11/07 10:15 a.m.•66 views

CVE-2023-1932

A flaw was found in hibernate-validator's 'isValid' method in the org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator class, which can be bypassed by omitting the tag ending in a less-than character. Browsers may render an invalid html, allowing HTML injection or Cross-Site-S...

6.1CVSS6.1AI score0.00144EPSS

CVE•added 2021/06/02 12:15 p.m.•51 views

CVE-2020-14317

It was found that the issue for security flaw CVE-2019-3805 appeared again in a further version of JBoss Enterprise Application Platform - Continuous Delivery (EAP-CD) introducing regression. An attacker could exploit this by modifying the PID file in /var/run/jboss-eap/ allowing the init.d script ...

5.5CVSS4.5AI score0.00042EPSS