Jboss A Mq
Monthly
A flaw was found in Red Hat's AMQ Broker, which stores certain passwords in a secret security-properties-prop-module, defined in ActivemqArtemisSecurity CR; however, they are shown in plaintext in. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.
A flaw was found in Red Hat AMQ Broker Operator, where it displayed a password defined in ActiveMQArtemisAddress CR, shown in plain text in the Operator Log. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.
A flaw was found in Keycloak. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A flaw was found in WildFly, where an attacker can see deployment names, endpoints, and any other data the trace payload may contain. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. Epss exploitation probability 72.2% and no vendor patch available.
A flaw was found in the AMQ Broker that discloses JDBC encrypted usernames and passwords when provided in the AMQ Broker application logfile when using the jdbc persistence functionality. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity. No vendor patch available.
A flaw was found in Wildfly in versions before 23.0.2.Final while creating a new role in domain mode via the admin console, it is possible to add a payload in the name field, leading to XSS. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 71.5%.
Console: HTTPOnly and Secure attributes not set on cookies in Red Hat AMQ. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The JBoss console in A-MQ allows remote attackers to execute arbitrary JavaScript. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
JBoss Fuse did not enable encrypted passwords by default in its usage of Apache Zookeeper. Rated low severity (CVSS 2.1), this vulnerability is low attack complexity.
Multiple cross-site scripting (XSS) vulnerabilities in Fuse Management Console in Red Hat JBoss Fuse 6.0.0 before patch 3 and JBoss A-MQ 6.0.0 before patch 3 allow remote attackers to inject. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available.
A flaw was found in Red Hat's AMQ Broker, which stores certain passwords in a secret security-properties-prop-module, defined in ActivemqArtemisSecurity CR; however, they are shown in plaintext in. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.
A flaw was found in Red Hat AMQ Broker Operator, where it displayed a password defined in ActiveMQArtemisAddress CR, shown in plain text in the Operator Log. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.
A flaw was found in Keycloak. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A flaw was found in WildFly, where an attacker can see deployment names, endpoints, and any other data the trace payload may contain. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. Epss exploitation probability 72.2% and no vendor patch available.
A flaw was found in the AMQ Broker that discloses JDBC encrypted usernames and passwords when provided in the AMQ Broker application logfile when using the jdbc persistence functionality. Rated medium severity (CVSS 4.4), this vulnerability is low attack complexity. No vendor patch available.
A flaw was found in Wildfly in versions before 23.0.2.Final while creating a new role in domain mode via the admin console, it is possible to add a payload in the name field, leading to XSS. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 71.5%.
Console: HTTPOnly and Secure attributes not set on cookies in Red Hat AMQ. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The JBoss console in A-MQ allows remote attackers to execute arbitrary JavaScript. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
JBoss Fuse did not enable encrypted passwords by default in its usage of Apache Zookeeper. Rated low severity (CVSS 2.1), this vulnerability is low attack complexity.
Multiple cross-site scripting (XSS) vulnerabilities in Fuse Management Console in Red Hat JBoss Fuse 6.0.0 before patch 3 and JBoss A-MQ 6.0.0 before patch 3 allow remote attackers to inject. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available.