Search: Redhat Process Automation

24 matches found

CVE | added 2023/10/10 12:00 a.m. | 5292 views

CVE-2023-44487

CVE-2023-44487 – HTTP/2 Rapid Reset DoS Root cause: HTTP/2 stream resets can cause servers to continue processing, leading to unbounded resource consumption and potential DoS when clients rapidly cancel streams. What’s affected: Various HTTP/2 implementations and deployments, including servers, p...

CVSS 7.5 | AI score 8 | EPSS 0.99999
Tags: In wild, Web
CVE | added 2023/09/14 2:48 p.m. | 2734 views

CVE-2023-1108

CVE-2023-1108 affects Undertow within Red Hat JBoss EAP 7.3.x (SSLConduit) where an infinite loop on close can cause DoS. Connected RHSA-2025-9583 confirms the issue and indicates a fix in the eap-7.3.z line (Patched Undertow). Remediation is to upgrade to the patched EAP 7.3.x release (eap-7.3.z...

CVSS 7.5 | AI score 7.3 | EPSS 0.01771
CVE | added 2021/12/14 12:00 a.m. | 1430 views

CVE-2021-4104

CVE-2021-4104 affects JMSAppender in Log4j 1.2 when it is explicitly configured to use JMSAppender. A deserialization of untrusted data can occur if an attacker can write Log4j configuration and supply TopicBindingName and TopicConnectionFactoryBindingName, causing JMSAppender to perform JNDI req...

CVSS 7.5 | AI score 9.4 | EPSS 0.81147
Tags: In wild, Web
CVE | added 2024/08/21 2:13 p.m. | 368 views

CVE-2024-7885

CVE-2024-7885 affects Undertow's ProxyProtocolReadListener, where parseProxyProtocolV1 reuses a single StringBuilder across multiple requests, potentially leaking data between requests on the same HTTP connection and, in multi-request environments, exposing previous values. The connected Red Hat ...

CVSS 7.5 | AI score 7.4 | EPSS 0.02644
CVE | added 2020/03/02 4:28 p.m. | 242 views

CVE-2019-14892

CVE-2019-14892 — In jackson-databind, polymorphic deserialization can be exploited via JNDI gadgets (commons-configuration 1/2) to achieve remote code execution. Affected: jackson-databind versions before 2.9.10, 2.8.11.5, and 2.6.7.3. Remediation: upgrade to a fixed jackson-databind release (e.g...

CVSS 9.8 | AI score 9.4 | EPSS 0.0544
CVE | added 2021/03/16 9:00 p.m. | 239 views

CVE-2021-20218

The CVE refers to a fabric8 kubernetes-client vulnerability affecting version 4.2.0 and later, where a malicious pod/container can abuse the client’s copy command to extract files outside the working path, impacting integrity and availability. Fixed in kubernetes-client releases 4.13.2, 5.0.2, 4.11...

CVSS 7.4 | AI score 7.2 | EPSS 0.01312
CVE | added 2023/09/11 8:20 p.m. | 229 views

CVE-2022-1415

CVE-2022-1415 corresponds to Drools core deserialization vulnerability. Affected component: KIE Drools (Drools core) where improper safeguards during data deserialization allow an authenticated attacker to craft serialized objects (gadgets) and execute arbitrary code on the server. Documented imp...

CVSS 8.8 | AI score 8.3 | EPSS 0.01044
CVE | added 2021/08/05 8:48 p.m. | 216 views

CVE-2021-3642

CVE-2021-3642 describes a timing-attack vulnerability in Wildfly Elytron’s ScramServer, affecting versions prior to 1.10.14.Final, 1.15.5.Final, and 1.16.1.Final. The highest impact is confidentiality; no exploitation details are provided in the documents. Connected advisories (e.g., Red Hat RHSA...

CVSS 5.3 | AI score 5.3 | EPSS 0.00846
CVE | added 2020/05/13 6:25 p.m. | 192 views

CVE-2020-1714

Keycloak before 11.0.0 contains usages of ObjectInputStream without type checks, allowing deserialization of arbitrary Java objects in a privileged context and potentially enabling remote code execution (CVE-2020-1714). References associate this CVE with Red Hat advisories noting Keycloak as the ...

CVSS 8.8 | AI score 8.5 | EPSS 0.02604
CVE | added 2022/08/24 3:02 p.m. | 191 views

CVE-2021-4178

CVE-2021-4178 affects the Fabric8 Kubernetes client (versions 5.0.0-beta-1 and newer) due to unsafe YAML parsing in unmarshalYaml, enabling local, privileged code execution via a crafted YAML payload. The issue is confirmed across multiple sources (NVD/NVD-derived entry and Red Hat/Jenkins adviso...

CVSS 6.7 | AI score 6.7 | EPSS 0.00309
CVE | added 2020/01/02 2:18 p.m. | 186 views

CVE-2019-14862

Knockout.js vulnerability (CVE-2019-14862). Affected: Knockout.js

CVSS 6.1 | AI score 6.2 | EPSS 0.01988
CVE | added 2020/09/23 12:28 p.m. | 179 views

CVE-2020-10714

CVE-2020-10714 concerns WildFly Elytron prior to 1.11.3.Final. A flaw in FORM authentication with a session ID in the URL enables a session fixation attack, affecting confidentiality, integrity, and availability. The impact is stated in the sources as high (CVSS 3.1) with network access and user ...

CVSS 7.5 | AI score 7.3 | EPSS 0.01454
CVE | added 2020/01/02 2:20 p.m. | 175 views

CVE-2019-14863

CVE-2019-14863 affects AngularJS: all versions before 1.5.0-beta.0 are vulnerable to cross-site scripting due to unvalidated data delivered with trusted dynamic content after escaping context. The CVE is referenced in multiple sources (e.g., Ubuntu USN-7958-1, IBM Security Bulletins). Impact is c...

CVSS 7.1 | AI score 6.1 | EPSS 0.01382
CVE | added 2020/09/16 3:27 p.m. | 166 views

CVE-2020-1748

CVE-2020-1748 affects WildFly Elytron before 1.6.8.Final-redhat-00001. A flaw in the WildFlySecurityManager allows bypassing checks when using custom security managers, causing improper authorization and information exposure via unauthenticated access to secure resources. Connected advisories (GH...

CVSS 7.5 | AI score 7.2 | EPSS 0.01438
CVE | added 2022/03/11 5:54 p.m. | 163 views

CVE-2022-0853

CVE-2022-0853 describes a memory leak in the JBoss client when UserTransaction is used repeatedly, leading to information leakage. The CVE is referenced in Red Hat advisories for Red Hat JBoss Enterprise Application Platform / Red Hat Single Sign-On 7.6.1 across RHEL7/8/9 contexts, with CVSS data...

CVSS 7.5 | AI score 7.1 | EPSS 0.01429
CVE | added 2026/01/07 4:04 p.m. | 150 views

CVE-2025-12543

Undertow core in WildFly/JBoss EAP is affected by CVE-2025-12543 due to improper validation of the Host header in HTTP requests. This can allow cache poisoning, internal network discovery, or user session hijacking. The CVSSv3.1 base score is 9.6 (CRITICAL) with network access, low attack complex...

CVSS 9.6 | AI score 6.2 | EPSS 0.01179
CVE | added 2026/03/27 4:13 p.m. | 88 views

CVE-2026-28369

Undertow contains a vulnerability where the first HTTP header line with leading spaces is stripped, violating HTTP standards and enabling request smuggling. Affected component: Undertow HTTP header parsing. Root cause: improper handling that trims leading spaces on the initial header line. Impact...

CVSS 9.1 | AI score 5.9 | EPSS 0.00677
CVE | added 2021/06/01 1:38 p.m. | 79 views

CVE-2021-20306

CVE-2021-20306 affects the jBPM BPMN editor (version 7.51.0.Final). The vulnerability allows any authenticated user from any project to see the names of Ruleflow Groups in other projects, exposing project confidentiality. The issue is rooted in cross-project visibility within the BPMN editor; no ...

CVSS 4.3 | AI score 4.3 | EPSS 0.00655
CVE | added 2025/09/02 1:37 p.m. | 74 views

CVE-2025-9784

CVE-2025-9784 (MadeYouReset) is a Denial of Service flaw in Undertow where malformed client requests trigger server-side stream resets, allowing high resource load via HTTP/2. The Red Hat/IBM advisory ties the affected product to IBM InfoSphere Information Server (11.7.x) using Undertow; affected...

CVSS 7.5 | AI score 5.9 | EPSS 0.0217
CVE | added 2022/04/01 10:17 p.m. | 71 views

CVE-2019-14839

CVE-2019-14839 affects the Business-central login flow. Multiple connected sources describe that during login to the Business-central console, an HTTP request can disclose sensitive information such as usernames and passwords if intercepted with tools like Burp Suite. NVD data assigns CVSS-3.1 wi...

CVSS 7.5 | AI score 7.5 | EPSS 0.0098
CVE | added 2022/10/17 12:00 a.m. | 71 views

CVE-2019-14841

CVE-2019-14841 affects Red Hat Decision Manager (RHDM). An authenticated attacker can mutate their role in the HTTP response header, enabling escalation to admin privileges in the Business Central Console. Root cause: improper handling of role assignment in header processing within RHDM. Impact...

CVSS 8.8 | AI score 8.6 | EPSS 0.00617
CVE | added 2026/03/27 4:13 p.m. | 65 views

CVE-2026-28367

Undertow contains a flaw that allows HTTP request smuggling by sending a header terminator of \r\r\r. A remote attacker could exploit this against certain proxies (e.g., older Apache Traffic Server, Google Cloud Classic Application Load Balancer) to cause unauthorized access or manipulation of we...

CVSS 9.1 | AI score 5.8 | EPSS 0.00706
CVE | added 2026/03/27 4:13 p.m. | 39 views

CVE-2026-28368

A vulnerability (CVE-2026-28368) affects Undertow and involves a discrepancy in header parsing between Undertow and upstream proxies, enabling HTTP request smuggling. Reported across multiple sources (NVD, Debian/Ubuntu OSV, Circl, GitHub advisories, and Nessus plugin) with confirmed references t...

CVSS 9.1 | AI score 5.9 | EPSS 0.00704
CVE | added 2026/03/24 4:11 a.m. | 28 views

CVE-2026-3260

CVE-2026-3260 affects Undertow and enables Denial of Service via premature multipart/form-data parsing when a GET request with multipart/form-data is processed (e.g., via getParameterMap). The issue is caused by content being parsed and stored to disk during parameter handling, leading to resourc...

CVSS 7.5 | AI score 5.8 | EPSS 0.00441