Jboss Enterprise Application Platform Security Vulnerabilities and Issues — Jboss Enterprise Application Platform CVE List

Lucene search

RedhatJboss Enterprise Application Platform

11 matches found

CVE•added 2023/10/10 2:15 p.m.•4420 views

CVE-2023-44487

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

7.5CVSS8AI score0.94434EPSS

CVE•added 2023/12/18 4:15 p.m.•3815 views

CVE-2023-48795

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connecti...

5.9CVSS6.7AI score0.70714EPSS

CVE•added 2023/09/14 3:15 p.m.•2602 views

CVE-2023-1108

A flaw was found in undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status updated in SslConduit, where the loop never terminates.

7.5CVSS7.3AI score0.0481EPSS

CVE•added 2023/09/27 3:18 p.m.•559 views

CVE-2023-3223

A flaw was found in undertow. Servlets annotated with @MultipartConfig may cause an OutOfMemoryError due to large multipart content. This may allow unauthorized users to cause remote Denial of Service (DoS) attack. If the server uses fileSizeThreshold to limit the file size, it's possible to bypass...

7.5CVSS7.3AI score0.00767EPSS

CVE•added 2023/12/12 10:15 p.m.•188 views

CVE-2023-5379

A flaw was found in Undertow. When an AJP request is sent that exceeds the max-header-size attribute in ajp-listener, JBoss EAP is marked in an error state by mod_cluster in httpd, causing JBoss EAP to close the TCP connection without returning an AJP response. This happens because mod_proxy_cluste...

7.5CVSS7.3AI score0.00128EPSS

CVE•added 2023/11/08 1:15 a.m.•177 views

CVE-2023-4061

A flaw was found in wildfly-core. A management user could use the resolve-expression in the HAL Interface to read possible sensitive information from the Wildfly system. This issue could allow a malicious user to access the system and obtain possible sensitive information from the system.

6.5CVSS6.5AI score0.00197EPSS

CVE•added 2023/12/27 4:15 p.m.•150 views

CVE-2023-3171

A flaw was found in EAP-7 during deserialization of certain classes, which permits instantiation of HashMap and HashTable with no checks on resources consumed. This issue could allow an attacker to submit malicious requests using these classes, which could eventually exhaust the heap and result in ...

7.5CVSS7.4AI score0.00171EPSS

CVE•added 2023/02/23 8:15 p.m.•138 views

CVE-2022-4492

The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS client protocol.

7.5CVSS7.3AI score0.00121EPSS

CVE•added 2023/01/13 6:15 a.m.•125 views

CVE-2022-3143

wildfly-elytron: possible timing attacks via use of unsafe comparator. A flaw was found in Wildfly-elytron. Wildfly-elytron uses java.util.Arrays.equals in several places, which is unsafe and vulnerable to timing attacks. To compare values securely, use java.security.MessageDigest.isEqual instead. ...

7.4CVSS7AI score0.00229EPSS

CVE•added 2023/12/18 2:15 p.m.•106 views

CVE-2023-3629

A flaw was found in Infinispan's REST, Cache retrieval endpoints do not properly evaluate the necessary admin permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions.

6.5CVSS5.3AI score0.00102EPSS

CVE•added 2023/12/18 2:15 p.m.•105 views

CVE-2023-3628

A flaw was found in Infinispan's REST. Bulk read endpoints do not properly evaluate user permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions.

6.5CVSS6.4AI score0.00089EPSS