RSS   Vulnerabilities for
'Jboss enterprise application platform'
   RSS

2018-05-22
 
CVE-2016-8656

CWE-264
 

 
Jboss jbossas before versions 5.2.0-23, 6.4.13, 7.0.5 is vulnerable to an unsafe file handling in the jboss init script which could result in local privilege escalation.

 
2018-05-21
 
CVE-2018-1067

CWE-113
 

 
In Undertow before versions 7.1.2.CR1, 7.1.2.GA it was found that the fix for CVE-2016-4993 was incomplete and Undertow web server is vulnerable to the injection of arbitrary HTTP headers, and also response splitting, due to insufficient sanitization and validation of user input before the input is used as part of an HTTP header value.

 
2018-05-11
 
CVE-2016-8627

CWE-400
 

 
admin-cli before versions 3.0.0.alpha25, 2.2.1.cr2 is vulnerable to an EAP feature to download server log files that allows logs to be available via GET requests making them vulnerable to cross-origin attacks. An attacker could trigger the user's browser to request the log files consuming enough resources that normal server functioning could be impaired.

 
2018-04-17
 
CVE-2017-12196

CWE-285
 

 
undertow before versions 1.4.18.SP1, 2.0.2.Final, 1.4.24.Final was found vulnerable when using Digest authentication, the server does not ensure that the value of URI in the Authorization header matches the URI in HTTP request line. This allows the attacker to cause a MITM attack and access the desired content on the server.

 
2018-03-20
 
CVE-2018-8088

CWE-502
 

 
org.slf4j.ext.EventData in the slf4j-ext module in QOS.CH SLF4J before 1.8.0-beta2 allows remote attackers to bypass intended access restrictions via crafted data.

 
2018-03-09
 
CVE-2016-9585

CWE-502
 

 
Red Hat JBoss EAP version 5 is vulnerable to a deserialization of untrusted data in the JMX endpoint when deserializes the credentials passed to it. An attacker could exploit this vulnerability resulting in a denial of service attack.

 
2018-03-07
 
CVE-2017-12174

CWE-400
 

 
It was found that when Artemis and HornetQ before 2.4.0 are configured with UDP discovery and JGroups discovery a huge byte array is created when receiving an unexpected multicast message. This may result in a heap memory exhaustion, full GC, or OutOfMemoryError.

 
2018-02-15
 
CVE-2018-1041

CWE-399
 

 
A vulnerability was found in the way RemoteMessageChannel, introduced in jboss-remoting versions 3.3.10, reads from an empty buffer. An attacker could use this flaw to cause denial of service via high CPU caused by an infinite loop.

 
2018-01-24
 
CVE-2018-1048

CWE-22
 

 
It was found that the AJP connector in undertow, as shipped in Jboss EAP 7.1.0.GA, does not use the ALLOW_ENCODED_SLASH option and thus allow the the slash / anti-slash characters encoded in the url which may lead to path traversal and result in the information disclosure of arbitrary local files.

 
2018-01-10
 
CVE-2017-12189

CWE-264
 

 
It was discovered that the jboss init script as used in Red Hat JBoss Enterprise Application Platform 7.0.7.GA performed unsafe file handling which could result in local privilege escalation. This issue is a result of an incomplete fix for CVE-2016-8656.

 


Copyright 2018, cxsecurity.com

 

Back to Top