Lucene search
+L
RedhatWildfly

18 matches found

CVE
CVE
added 2021/05/20 12:15 p.m.281 views

CVE-2021-3536

CVE-2021-3536 concerns WildFly/JBoss EAP domain-mode admin console vulnerability allowing XSS via the name field when creating roles, affecting Confidentiality and Integrity. Affected software is WildFly (prior to 23.0.2.Final). The issue arises in the domain mode role-creation flow and can be tr...

4.8CVSS5AI score0.00528EPSS
CVE
CVE
added 2020/06/22 5:39 p.m.274 views

CVE-2020-10740

CVE-2020-10740 affects WildFly (Enterprise Java Beans) with a remote deserialization vulnerability caused by insufficient validation/filtering in WildFly prior to 20.0.0.Final. The issue is referenced in Red Hat/JBoss advisories (e.g., RHSA-2025:9582) as a fixed item for WildFly/EAP 7.x deploymen...

7.5CVSS7.2AI score0.0172EPSS
CVE
CVE
added 2020/10/30 12:0 a.m.176 views

CVE-2020-25689

CVE-2020-25689 : In WildFly, all versions up to 21.0.0.Final exhibit a memory-leak in the host-controller when reconnection attempts loop, causing new connections to be created but not properly closed. This can trigger an Out of Memory (OOM) condition and denial of service, primarily affecting av...

6.8CVSS6.1AI score0.01481EPSS
CVE
CVE
added 2022/05/10 8:20 p.m.166 views

CVE-2022-0866

CVE-2022-0866 describes a concurrency issue in the EJB session context for RunAs-enabled components (EJBComponent) in JBoss/WildFly Elytron. The incomingRunAsIdentity field, currently a SecurityIdentity, can be concurrently accessed, causing getCallerPrincipal and isCallerInRole to return the wro...

5.3CVSS5.3AI score0.00842EPSS
CVE
CVE
added 2022/08/26 3:25 p.m.165 views

CVE-2021-3644

CVE-2021-3644 affects WildFly Core: all versions contain a vault expression handling flaw where a single attribute with multiple expressions could allow a user with management-access to access vault items they should not access, impacting confidentiality and integrity. Root cause: Invalid Sensiti...

3.3CVSS3.7AI score0.00761EPSS
CVE
CVE
added 2022/09/13 1:38 p.m.158 views

CVE-2022-1278

Summary: CVE-2022-1278 affects WildFly and relates to information disclosure via the trace payload, allowing an attacker to view deployment names, endpoints, and other data contained in traces. What is affected: WildFly stack (as referenced across CVE listings and Red Hat advisories) with exposur...

7.5CVSS7.3AI score0.00749EPSS
CVE
CVE
added 2020/09/16 6:6 p.m.151 views

CVE-2020-10718

The CVE-2020-10718 entry concerns WildFly prior to wildfly-embedded-13.0.0.Final, where the embedded managed process API publicly exposes the Thread Context ClassLoader (TCCL) setting. This exposure can bypass the security manager, with confidentiality identified as the highest threat. Public ref...

7.5CVSS7.2AI score0.01435EPSS
CVE
CVE
added 2020/03/16 2:48 p.m.148 views

CVE-2019-14887

CVE-2019-14887 affects WildFly when using the OpenSSL security provider: the configured enabled-protocols setting is not honored, allowing downgrading TLS for traffic and potentially leaking data. Affected WildFly releases include 7.2.0.GA, 7.2.3.GA, and 7.2.5.CR2. The issue is referenced in Red ...

9.1CVSS8.7AI score0.01068EPSS
CVE
CVE
added 2021/06/07 4:23 p.m.143 views

CVE-2020-1719

CVE-2020-1719 affects WildFly where the EJBContext principle is not popped back after invoking another EJB with a different Security Domain. This can impact data confidentiality and integrity. The vulnerability is stated to affect versions before WildFly 20.0.0.Final. The provided connected docum...

5.5CVSS5.4AI score0.00575EPSS
CVE
CVE
added 2025/01/30 2:30 p.m.140 views

CVE-2025-23367

The CVE-2025-23367 issue affects WildFly’s Server RBAC provider: Suspend and Resume handlers fail to perform authorization checks, allowing a user with Monitor/Auditor roles to suspend or resume the server. The vulnerability is tied to WildFly core/WildFly-server components and is acknowledged in...

6.5CVSS6.2AI score0.00648EPSS
CVE
CVE
added 2020/12/08 12:7 a.m.132 views

CVE-2020-27822

CVE-2020-27822 affects WildFly versions 19.0.0.Final, 19.1.0.Final, 20.0.0.Final, 20.0.1.Final, and 21.0.0.Final. The underlying issue is a memory leak when applications use the OpenTracing API’s java-interceptors, with availability as the highest impact. NVD lists CVSSv3.1: 5.9 (Medium) and CVSS...

7.1CVSS5.5AI score0.01109EPSS
CVE
CVE
added 2019/05/03 7:25 p.m.130 views

CVE-2019-3805

CVE-2019-3805 concerns a race-condition in WildFly/JBoss EAP related to the PID file in /var/run/jboss-eap/ that could let a local attacker terminate arbitrary processes as root via the init.d script. Affected product line includes WildFly and JBoss EAP CD/EA. The underlying issue allows local us...

5.5CVSS4.7AI score0.0019EPSS
CVE
CVE
added 2020/11/24 7:0 p.m.124 views

CVE-2020-25640

CVE-2020-25640 affects WildFly prior to 21.0.0.Final. The issue is that the Resource Adapter logs the JMS password in plaintext at warning level on connection errors, potentially exposing credentials in log files. The provided connected documents confirm the vulnerable component and the leakage c...

5.3CVSS5.2AI score0.01331EPSS
CVE
CVE
added 2019/05/03 7:25 p.m.107 views

CVE-2019-3894

Affected software: WildFly Elytron subsystem. Vulnerable component: ElytronManagedThread that stores a SecurityIdentity for the thread. Root cause: threads may not terminate after keep-alive time, enabling a shared thread to run with the wrong security identity. Impact: potential confidentiality,...

8.8CVSS8.4AI score0.01509EPSS
CVE
CVE
added 2022/04/18 4:20 p.m.103 views

CVE-2021-3503

This CVE (CVE-2021-3503) concerns WildFly where insufficient RBAC restrictions may allow exposure of metrics data, affecting confidentiality. Affected software is WildFly; the root cause is RBAC misconfiguration that enables unauthorized access to metrics. Publicly documented impacts indicate pot...

4.3CVSS4.3AI score0.01046EPSS
CVE
CVE
added 2018/09/04 12:0 p.m.93 views

CVE-2018-14627

The CVE-2018-14627 entry concerns WildFly’s IIOP OpenJDK Subsystem: earlier WildFly releases before 14.0.0 do not honor the SSL transport confidentiality configuration (confidentiality="required"), allowing clients to establish plaintext connections when SSL is required. Connected advisories (RHS...

5.9CVSS5.3AI score0.01112EPSS
CVE
CVE
added 2021/06/02 11:27 a.m.67 views

CVE-2020-14317

CVE-2020-14317 relates to a regression of CVE-2019-3805 in Red Hat JBoss EAP Continuous Delivery (EAP-CD). The connected documents state that a race/logic flaw around the PID file (/var/run/jboss-eap/) can allow a local attacker to modify the PID file, enabling the init.d script to terminate any ...

5.5CVSS4.5AI score0.00192EPSS
Web
CVE
CVE
added 2018/05/09 8:0 a.m.62 views

CVE-2018-10683

WildFly 10.1.2.Final may allow unauthenticated access when installed with no security realm reference. The issue is described as a bypass of authentication on default setups, with vendor notes that such unsecured configurations can have valid development use cases. Red Hat entries mark this as di...

9.8CVSS9.4AI score0.01783EPSS