18 matches found
CVE-2021-3536
CVE-2021-3536 concerns WildFly/JBoss EAP domain-mode admin console vulnerability allowing XSS via the name field when creating roles, affecting Confidentiality and Integrity. Affected software is WildFly (prior to 23.0.2.Final). The issue arises in the domain mode role-creation flow and can be tr...
CVE-2020-10740
CVE-2020-10740 affects WildFly (Enterprise Java Beans) with a remote deserialization vulnerability caused by insufficient validation/filtering in WildFly prior to 20.0.0.Final. The issue is referenced in Red Hat/JBoss advisories (e.g., RHSA-2025:9582) as a fixed item for WildFly/EAP 7.x deploymen...
CVE-2020-25689
CVE-2020-25689 : In WildFly, all versions up to 21.0.0.Final exhibit a memory-leak in the host-controller when reconnection attempts loop, causing new connections to be created but not properly closed. This can trigger an Out of Memory (OOM) condition and denial of service, primarily affecting av...
CVE-2022-0866
CVE-2022-0866 describes a concurrency issue in the EJB session context for RunAs-enabled components (EJBComponent) in JBoss/WildFly Elytron. The incomingRunAsIdentity field, currently a SecurityIdentity, can be concurrently accessed, causing getCallerPrincipal and isCallerInRole to return the wro...
CVE-2021-3644
CVE-2021-3644 affects WildFly Core: all versions contain a vault expression handling flaw where a single attribute with multiple expressions could allow a user with management-access to access vault items they should not access, impacting confidentiality and integrity. Root cause: Invalid Sensiti...
CVE-2022-1278
Summary: CVE-2022-1278 affects WildFly and relates to information disclosure via the trace payload, allowing an attacker to view deployment names, endpoints, and other data contained in traces. What is affected: WildFly stack (as referenced across CVE listings and Red Hat advisories) with exposur...
CVE-2020-10718
The CVE-2020-10718 entry concerns WildFly prior to wildfly-embedded-13.0.0.Final, where the embedded managed process API publicly exposes the Thread Context ClassLoader (TCCL) setting. This exposure can bypass the security manager, with confidentiality identified as the highest threat. Public ref...
CVE-2019-14887
CVE-2019-14887 affects WildFly when using the OpenSSL security provider: the configured enabled-protocols setting is not honored, allowing downgrading TLS for traffic and potentially leaking data. Affected WildFly releases include 7.2.0.GA, 7.2.3.GA, and 7.2.5.CR2. The issue is referenced in Red ...
CVE-2020-1719
CVE-2020-1719 affects WildFly where the EJBContext principle is not popped back after invoking another EJB with a different Security Domain. This can impact data confidentiality and integrity. The vulnerability is stated to affect versions before WildFly 20.0.0.Final. The provided connected docum...
CVE-2025-23367
The CVE-2025-23367 issue affects WildFly’s Server RBAC provider: Suspend and Resume handlers fail to perform authorization checks, allowing a user with Monitor/Auditor roles to suspend or resume the server. The vulnerability is tied to WildFly core/WildFly-server components and is acknowledged in...
CVE-2020-27822
CVE-2020-27822 affects WildFly versions 19.0.0.Final, 19.1.0.Final, 20.0.0.Final, 20.0.1.Final, and 21.0.0.Final. The underlying issue is a memory leak when applications use the OpenTracing API’s java-interceptors, with availability as the highest impact. NVD lists CVSSv3.1: 5.9 (Medium) and CVSS...
CVE-2019-3805
CVE-2019-3805 concerns a race-condition in WildFly/JBoss EAP related to the PID file in /var/run/jboss-eap/ that could let a local attacker terminate arbitrary processes as root via the init.d script. Affected product line includes WildFly and JBoss EAP CD/EA. The underlying issue allows local us...
CVE-2020-25640
CVE-2020-25640 affects WildFly prior to 21.0.0.Final. The issue is that the Resource Adapter logs the JMS password in plaintext at warning level on connection errors, potentially exposing credentials in log files. The provided connected documents confirm the vulnerable component and the leakage c...
CVE-2019-3894
Affected software: WildFly Elytron subsystem. Vulnerable component: ElytronManagedThread that stores a SecurityIdentity for the thread. Root cause: threads may not terminate after keep-alive time, enabling a shared thread to run with the wrong security identity. Impact: potential confidentiality,...
CVE-2021-3503
This CVE (CVE-2021-3503) concerns WildFly where insufficient RBAC restrictions may allow exposure of metrics data, affecting confidentiality. Affected software is WildFly; the root cause is RBAC misconfiguration that enables unauthorized access to metrics. Publicly documented impacts indicate pot...
CVE-2018-14627
The CVE-2018-14627 entry concerns WildFly’s IIOP OpenJDK Subsystem: earlier WildFly releases before 14.0.0 do not honor the SSL transport confidentiality configuration (confidentiality="required"), allowing clients to establish plaintext connections when SSL is required. Connected advisories (RHS...
CVE-2020-14317
CVE-2020-14317 relates to a regression of CVE-2019-3805 in Red Hat JBoss EAP Continuous Delivery (EAP-CD). The connected documents state that a race/logic flaw around the PID file (/var/run/jboss-eap/) can allow a local attacker to modify the PID file, enabling the init.d script to terminate any ...
CVE-2018-10683
WildFly 10.1.2.Final may allow unauthenticated access when installed with no security realm reference. The issue is described as a bypass of authentication on default setups, with vendor notes that such unsecured configurations can have valid development use cases. Red Hat entries mark this as di...