Skip to main content

Jboss Enterprise Application Platform

152 CVEs product

Monthly

CVE-2026-3009 Maven HIGH PATCH This Week

Keycloak's IdentityBrokerService.performLogin endpoint fails to enforce disabled Identity Provider restrictions, allowing attackers with knowledge of an IdP alias to reuse previous login requests and authenticate through administratively disabled external providers. This authentication bypass affects any Keycloak deployment relying on IdP disablement as an access control mechanism. An attacker can exploit this to gain unauthorized access by circumventing intended administrative restrictions on external authentication sources.

Authentication Bypass Build Of Keycloak Jboss Enterprise Application Platform Jboss Enterprise Application Platform Expansion Pack Single Sign On
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-12543 Maven CRITICAL PATCH Act Now

Undertow HTTP server (used in WildFly, JBoss EAP) fails to validate Host headers, enabling cache poisoning, internal network scanning, and session hijacking. Affects a widely-used Java application server component.

Java Information Disclosure Process Automation Jboss Enterprise Application Platform Expansion Pack Jboss Enterprise Application Platform +5
NVD VulDB
CVSS 3.1
9.6
EPSS
0.1%
CVE-2025-9784 Maven HIGH PATCH GHSA This Week

Undertow, a Java web server used across Red Hat's JBoss Enterprise Application Platform, Fuse, and other middleware products, contains a vulnerability that allows attackers to trigger server-side HTTP/2 stream resets without incrementing abuse counters. This 'MadeYouReset' attack enables remote unauthenticated attackers to cause denial of service by repeatedly forcing the server to abort streams and perform unnecessary cleanup work. With an EPSS score of 1.17% (78th percentile), exploitation probability is moderate but rising, and patches have been released across multiple Red Hat product lines as of early 2025.

Denial Of Service Jboss Enterprise Application Platform Expansion Pack Jboss Enterprise Application Platform Fuse Single Sign On +4
NVD GitHub
CVSS 3.1
7.5
EPSS
1.2%
CVE-2025-5731 Maven MEDIUM PATCH This Month

A flaw was found in Infinispan CLI. A sensitive password, decoded from a Base64-encoded Kubernetes secret, is processed in plaintext and included in a command string that may expose the data in an error message when a command is not found.

Information Disclosure Kubernetes Data Grid Infinispan Jboss Enterprise Application Platform +2
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-23368 Maven HIGH POC PATCH This Week

A flaw was found in Wildfly Elytron integration. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Information Disclosure Wildfly Core Data Grid Jboss Enterprise Application Platform
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-23367 Maven MEDIUM PATCH This Month

A flaw was found in the Wildfly Server Role Based Access Control (RBAC) provider. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jboss Enterprise Application Platform Wildfly Red Hat
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2024-10234 HIGH This Week

A vulnerability was found in Wildfly, where a user may perform Cross-site scripting in the Wildfly deployment system. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Build Of Keycloak Jboss Enterprise Application Platform
NVD
CVSS 3.1
7.3
EPSS
0.7%
CVE-2024-7885 Maven HIGH PATCH This Week

A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Race Condition Information Disclosure Build Of Apache Camel Hawtio Build Of Apache Camel For Spring Boot Build Of Keycloak +6
NVD
CVSS 3.1
7.5
EPSS
2.6%
CVE-2024-1102 Maven MEDIUM POC PATCH This Month

A vulnerability was found in jberet-core logging. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Jberet Jboss Enterprise Application Platform
NVD GitHub
CVSS 3.1
6.5
EPSS
0.8%
CVE-2024-1635 Maven HIGH PATCH This Week

A vulnerability was found in Undertow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Active Iq Unified Manager Oncommand Workflow Automation Fuse Integration Camel For Spring Boot +5
NVD
CVSS 3.1
7.5
EPSS
4.6%
CVE-2023-3171 HIGH This Week

A flaw was found in EAP-7 during deserialization of certain classes, which permits instantiation of HashMap and HashTable with no checks on resources consumed. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Deserialization Jboss Enterprise Application Platform
NVD
CVSS 3.1
7.5
EPSS
0.9%
CVE-2023-48795 LIB MEDIUM POC PATCH THREAT This Month

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and EPSS exploitation probability 53.6%.

Authentication Bypass Apache Node.js SSH Java +66
NVD GitHub
CVSS 3.1
5.9
EPSS
53.6%
Threat
4.3
CVE-2023-3629 Maven MEDIUM PATCH This Month

A flaw was found in Infinispan's REST, Cache retrieval endpoints do not properly evaluate the necessary admin permissions for the operation. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Data Grid Jboss Data Grid Jboss Enterprise Application Platform Infinispan
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2023-3628 Maven MEDIUM PATCH This Month

A flaw was found in Infinispan's REST. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Jboss Data Grid Jboss Enterprise Application Platform Data Grid Infinispan
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2023-5379 HIGH This Week

A flaw was found in Undertow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Jboss Enterprise Application Platform Single Sign On Undertow
NVD
CVSS 3.1
7.5
EPSS
1.0%
CVE-2023-4061 Maven MEDIUM PATCH This Month

A flaw was found in wildfly-core. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Jboss Enterprise Application Platform Wildfly Core
NVD
CVSS 3.1
6.5
EPSS
0.8%
CVE-2023-3223 Maven HIGH PATCH This Week

A flaw was found in undertow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Undertow Openshift Container Platform Openshift Container Platform For Ibm Linuxone Openshift Container Platform For Power +3
NVD
CVSS 3.1
7.5
EPSS
2.0%
CVE-2023-1108 Maven HIGH PATCH This Week

A flaw was found in undertow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Build Of Quarkus Decision Manager Fuse Integration Camel K +12
NVD GitHub
CVSS 3.1
7.5
EPSS
1.8%
CVE-2022-2764 MEDIUM This Month

A flaw was found in Undertow. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Integration Camel K Jboss Enterprise Application Platform Jboss Fuse Single Sign On +5
NVD
CVSS 3.1
4.9
EPSS
0.8%
CVE-2022-1259 HIGH This Week

A flaw was found in Undertow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Build Of Quarkus Integration Camel K Jboss Enterprise Application Platform Openshift Application Runtimes +6
NVD
CVSS 3.1
7.5
EPSS
1.1%
CVE-2022-0866 MEDIUM This Month

This is a concurrency issue that can result in the wrong caller principal being returned from the session context of an EJB that is configured with a RunAs principal. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Jboss Enterprise Application Platform Openstack Platform Wildfly
NVD
CVSS 3.1
5.3
EPSS
0.8%
CVE-2022-0853 HIGH POC This Week

A flaw was found in JBoss-client. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Descision Manager Jboss Enterprise Application Platform Jboss Enterprise Application Platform Expansion Pack Process Automation +1
NVD GitHub
CVSS 3.1
7.5
EPSS
1.4%
CVE-2021-20318 HIGH This Week

The HornetQ component of Artemis in EAP 7 was not updated with the fix for CVE-2016-4978. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE Jboss Enterprise Application Platform
NVD
CVSS 3.1
7.2
EPSS
1.7%
CVE-2021-4104 Maven HIGH Act Now

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. Epss exploitation probability 72.2% and no vendor patch available.

RCE Deserialization Apache Log4J Fedora +44
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
72.2%
CVE-2021-32029 MEDIUM PATCH This Month

A flaw was found in postgresql. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

PostgreSQL Information Disclosure Jboss Enterprise Application Platform
NVD
CVSS 3.1
6.5
EPSS
1.4%
CVE-2021-3642 Maven MEDIUM PATCH This Month

A flaw was found in Wildfly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final where ScramServer may be susceptible to Timing Attack if enabled. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Wildfly Elytron Build Of Quarkus Codeready Studio Data Grid +9
NVD
CVSS 3.1
5.3
EPSS
0.8%
CVE-2021-32027 HIGH PATCH This Week

A flaw was found in postgresql in versions before 13.3, before 12.7, before 11.12, before 10.17 and before 9.6.22. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Integer Overflow vulnerability could allow attackers to cause unexpected behavior through arithmetic overflow.

Integer Overflow PostgreSQL Information Disclosure Jboss Enterprise Application Platform Software Collections +1
NVD
CVSS 3.1
8.8
EPSS
2.0%
CVE-2021-3536 Maven MEDIUM PATCH This Month

A flaw was found in Wildfly in versions before 23.0.2.Final while creating a new role in domain mode via the admin console, it is possible to add a payload in the name field, leading to XSS. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Build Of Quarkus Data Grid Descision Manager Integration Camel K +5
NVD
CVSS 3.1
4.8
EPSS
0.5%
CVE-2020-25689 Maven MEDIUM POC PATCH This Month

A memory leak flaw was found in WildFly in all versions up to 21.0.0.Final, where host-controller tries to reconnect in a loop, generating new connections which are not properly closed while not able. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Wildfly Fuse Jboss Data Grid Jboss Enterprise Application Platform +6
NVD
CVSS 3.1
6.5
EPSS
1.5%
CVE-2020-14299 MEDIUM This Month

A flaw was found in JBoss EAP, where the authentication configuration is set-up using a legacy SecurityRealm, to delegate to a legacy PicketBox SecurityDomain, and then reloaded to admin-only mode. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jboss Enterprise Application Platform Openshift Application Runtimes Single Sign On
NVD
CVSS 3.1
6.5
EPSS
1.4%
CVE-2020-25644 Maven HIGH PATCH This Week

A memory leak flaw was found in WildFly OpenSSL in versions prior to 1.1.3.Final, where it removes an HTTP session. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

OpenSSL Denial Of Service Wildfly Openssl Data Grid Jboss Data Grid +7
NVD GitHub
CVSS 3.1
7.5
EPSS
2.2%
CVE-2020-10687 Maven MEDIUM PATCH This Month

A flaw was discovered in all versions of Undertow before Undertow 2.2.0.Final, where HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

XSS Request Smuggling Undertow Jboss Enterprise Application Platform Single Sign On
NVD
CVSS 3.1
4.8
EPSS
1.1%
CVE-2020-1710 MEDIUM This Month

The issue appears to be that JBoss EAP 6.4.21 does not parse the field-name in accordance to RFC7230[1] as it returns a 200 instead of a 400. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Jboss Data Grid Jboss Enterprise Application Platform Openshift Application Runtimes Single Sign On
NVD
CVSS 3.1
5.3
EPSS
1.2%
CVE-2020-14384 HIGH This Week

A flaw was found in JBossWeb in versions before 7.5.31.Final-redhat-3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Red Hat Jboss Enterprise Application Platform Jbossweb
NVD
CVSS 3.1
7.5
EPSS
1.4%
CVE-2020-10705 Maven HIGH PATCH This Week

A flaw was discovered in Undertow in versions before Undertow 2.1.1.Final where certain requests to the "Expect: 100-continue" header may cause an out of memory error. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Undertow Oncommand Insight Jboss Enterprise Application Platform Openshift Application Runtimes
NVD
CVSS 3.1
7.5
EPSS
1.2%
CVE-2020-10719 Maven MEDIUM PATCH This Month

A flaw was found in Undertow in versions before 2.1.1.Final, regarding the processing of invalid HTTP requests with large chunk sizes. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Request Smuggling Information Disclosure Undertow Oncommand Insight Fuse +5
NVD
CVSS 3.1
6.5
EPSS
1.0%
CVE-2020-10693 Maven MEDIUM PATCH This Month

A flaw was found in Hibernate Validator version 6.1.2.Final. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Hibernate Validator Websphere Application Server Jboss Enterprise Application Platform Satellite +3
NVD
CVSS 3.1
5.3
EPSS
2.3%
CVE-2020-1732 MEDIUM PATCH This Month

A flaw was found in Soteria before 1.0.1, in a way that multiple requests occurring concurrently causing security identity corruption across concurrent threads when using EE Security with WildFly. Rated medium severity (CVSS 4.2), this vulnerability is remotely exploitable.

Authentication Bypass Soteria Jboss Enterprise Application Platform Jboss Enterprise Application Platform Continuous Delivery Openshift Application Runtimes
NVD GitHub
CVSS 3.1
4.2
EPSS
0.7%
CVE-2020-1757 Maven HIGH PATCH This Week

A flaw was found in all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1, all undertow-1.x.x and undertow-2.x.x versions prior to undertow-2.1.0.Final, where the Servlet container causes. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Undertow Jboss Data Grid Jboss Enterprise Application Platform Jboss Fuse +2
NVD
CVSS 3.1
8.1
EPSS
1.6%
CVE-2020-7238 Maven HIGH POC PATCH This Week

Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Request Smuggling Information Disclosure Netty Fedora Debian Linux +3
NVD GitHub
CVSS 3.1
7.5
EPSS
3.6%
CVE-2019-10174 Maven HIGH PATCH This Week

A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Infinispan Fuse Jboss Data Grid Jboss Enterprise Application Platform +3
NVD
CVSS 3.1
8.8
EPSS
3.1%
CVE-2019-10172 Maven HIGH This Week

A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Jackson Mapper Asl Jboss Enterprise Application Platform Jboss Fuse Debian Linux +1
NVD
CVSS 3.1
7.5
EPSS
17.0%
CVE-2019-10219 Maven MEDIUM POC PATCH This Month

A vulnerability was found in Hibernate-Validator. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Hibernate Validator Fuse Jboss Data Grid Jboss Enterprise Application Platform +184
NVD GitHub
CVSS 3.1
6.1
EPSS
2.2%
CVE-2019-0210 Go HIGH PATCH This Week

In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when feed with invalid input data. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.

Buffer Overflow Apache Information Disclosure Thrift Jboss Enterprise Application Platform +1
NVD
CVSS 3.1
7.5
EPSS
6.8%
CVE-2019-0205 Maven HIGH PATCH This Week

In Apache Thrift all versions up to and including 0.12.0, a server or client may run into an endless loop when feed with specific input data. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Apache Thrift Jboss Enterprise Application Platform Communications Cloud Native Core Network Slice Selection Function
NVD
CVSS 3.1
7.5
EPSS
9.1%
CVE-2019-14838 Maven MEDIUM PATCH This Month

A flaw was found in wildfly-core before 7.2.5.GA. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Wildfly Core Jboss Enterprise Application Platform Single Sign On Data Grid
NVD
CVSS 3.1
4.9
EPSS
1.1%
CVE-2019-17531 Maven CRITICAL PATCH Act Now

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Apache Deserialization Jackson Databind Debian Linux Jboss Enterprise Application Platform +19
NVD GitHub
CVSS 3.1
9.8
EPSS
5.3%
CVE-2019-17267 Maven CRITICAL PATCH Act Now

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Jackson Databind Active Iq Unified Manager Oncommand Api Services Oncommand Workflow Automation +8
NVD GitHub
CVSS 3.1
9.8
EPSS
4.6%
CVE-2019-10212 Maven CRITICAL PATCH Act Now

A flaw was found in, all under 2.0.20, in the Undertow DEBUG log for io.undertow.request.security. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Undertow Jboss Data Grid Jboss Enterprise Application Platform Jboss Fuse +3
NVD
CVSS 3.1
9.8
EPSS
1.9%
CVE-2019-16943 Maven CRITICAL PATCH Act Now

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Jackson Databind Debian Linux Fedora Jboss Enterprise Application Platform +22
NVD GitHub
CVSS 3.1
9.8
EPSS
4.9%
CVE-2019-16942 Maven CRITICAL PATCH Act Now

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Apache Deserialization Jackson Databind Debian Linux Fedora +25
NVD GitHub
CVSS 3.1
9.8
EPSS
5.7%
CVE-2019-10202 Maven CRITICAL Act Now

A series of deserialization vulnerabilities have been discovered in Codehaus 1.9.x implemented in EAP 7. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Jboss Enterprise Application Platform
NVD
CVSS 3.1
9.8
EPSS
5.2%
CVE-2019-16869 Maven HIGH POC PATCH This Week

Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Request Smuggling Information Disclosure Netty Debian Linux Ubuntu Linux +1
NVD GitHub
CVSS 3.1
7.5
EPSS
8.4%
CVE-2019-16335 Maven CRITICAL PATCH Act Now

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Jackson Databind Fedora Debian Linux Oncommand Api Services +13
NVD GitHub
CVSS 3.1
9.8
EPSS
4.9%
CVE-2019-14540 Maven CRITICAL PATCH Act Now

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Jackson Databind Oncommand Api Services Oncommand Workflow Automation Steelstore Cloud Integrated Storage +15
NVD GitHub
CVSS 3.1
9.8
EPSS
10.7%
CVE-2019-12400 Maven MEDIUM PATCH This Month

In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Java Information Disclosure Apache Santuario Xml Security For Java Jboss Enterprise Application Platform +1
NVD
CVSS 3.1
5.5
EPSS
0.8%
CVE-2019-10086 Maven HIGH PATCH This Week

In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Java Apache Deserialization Commons Beanutils Nifi +58
NVD
CVSS 3.1
7.3
EPSS
28.8%
CVE-2019-9518 HIGH This Week

Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Swiftnio Traffic Server Ubuntu Linux Debian Linux +14
NVD GitHub
CVSS 3.1
7.5
EPSS
25.4%
CVE-2019-9517 HIGH PATCH This Week

Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Swiftnio Http Server Traffic Server Ubuntu Linux +19
NVD GitHub
CVSS 3.1
7.5
EPSS
27.0%
CVE-2019-9516 MEDIUM This Month

Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Swiftnio Traffic Server Ubuntu Linux Debian Linux +15
NVD GitHub
CVSS 3.1
6.5
EPSS
56.3%
CVE-2019-9515 HIGH This Week

Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Swiftnio Traffic Server Ubuntu Linux Debian Linux +18
NVD GitHub
CVSS 3.1
7.5
EPSS
87.8%
CVE-2019-9514 Go HIGH PATCH This Week

Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Swiftnio Traffic Server Debian Linux Ubuntu Linux +24
NVD GitHub
CVSS 3.1
7.5
EPSS
82.8%
CVE-2019-9513 HIGH This Week

Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Swiftnio Traffic Server Ubuntu Linux Debian Linux +16
NVD GitHub
CVSS 3.1
7.5
EPSS
82.0%
CVE-2019-9511 HIGH PATCH This Week

Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Swiftnio Traffic Server Ubuntu Linux Debian Linux +16
NVD GitHub
CVSS 3.1
7.5
EPSS
58.4%
CVE-2019-14379 Maven CRITICAL PATCH Act Now

SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup),. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) vulnerability could allow attackers to modify object prototypes to inject properties affecting application logic.

Java Prototype Pollution RCE Jackson Databind Debian Linux +22
NVD GitHub
CVSS 3.1
9.8
EPSS
8.0%
CVE-2019-10184 Maven HIGH PATCH This Week

undertow before version 2.0.23.Final is vulnerable to an information leak issue. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Authentication Bypass Undertow Jboss Data Grid Jboss Enterprise Application Platform Openshift Application Runtimes +2
NVD GitHub
CVSS 3.1
7.5
EPSS
3.5%
CVE-2019-3873 CRITICAL Act Now

It was found that Picketlink as shipped with Jboss Enterprise Application Platform 7.2 would accept an xinclude parameter in SAMLresponse XML. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Jboss Enterprise Application Platform Single Sign On
NVD
CVSS 3.0
9.0
EPSS
0.9%
CVE-2019-3872 MEDIUM This Month

It was found that a SAMLRequest containing a script could be processed by Picketlink versions shipped in Jboss Application Platform 7.2.x and 7.1.x. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Jboss Enterprise Application Platform Single Sign On
NVD
CVSS 3.0
5.4
EPSS
0.7%
CVE-2019-3894 HIGH This Week

It was discovered that the ElytronManagedThread in Wildfly's Elytron subsystem in versions from 11 to 16 stores a SecurityIdentity to run the thread as. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Wildfly Jboss Enterprise Application Platform
NVD
CVSS 3.1
8.8
EPSS
1.5%
CVE-2019-3805 MEDIUM This Month

A flaw was discovered in wildfly versions up to 16.0.0.Final that would allow local users who are able to execute init.d script to terminate arbitrary processes on the system. Rated medium severity (CVSS 4.7). No vendor patch available.

Information Disclosure Jboss Enterprise Application Platform Wildfly
NVD
CVSS 3.1
4.7
EPSS
0.2%
CVE-2018-14642 Maven MEDIUM PATCH This Month

An information leak vulnerability was found in Undertow. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Undertow Jboss Enterprise Application Platform
NVD
CVSS 3.1
5.3
EPSS
2.1%
CVE-2018-1000632 Maven HIGH POC PATCH This Week

dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Code Injection Dom4J Debian Linux Flexcube Investor Servicing Primavera P6 Enterprise Project Portfolio Management +10
NVD GitHub
CVSS 3.1
7.5
EPSS
6.6%
CVE-2018-1336 Maven HIGH PATCH This Week

An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Tomcat Denial Of Service Apache Jboss Enterprise Application Platform Ubuntu Linux +5
NVD
CVSS 3.1
7.5
EPSS
20.6%
CVE-2018-10862 Maven MEDIUM PATCH This Month

WildFly Core before version 6.0.0.Alpha3 does not properly validate file paths in .war archives, allowing for the extraction of crafted .war archives to overwrite arbitrary files. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Path Traversal Virtualization Jboss Enterprise Application Platform Wildfly Core
NVD
CVSS 3.0
5.5
EPSS
1.3%
CVE-2018-8039 Maven HIGH PATCH This Week

It is possible to configure Apache CXF to use the com.sun.net.ssl implementation via 'System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");'. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

Apache Information Disclosure Cxf Jboss Enterprise Application Platform
NVD GitHub
CVSS 3.0
8.1
EPSS
10.3%
CVE-2018-1000180 Maven HIGH PATCH This Week

Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Bc Java Fips Java Api Debian Linux Api Gateway +16
NVD GitHub
CVSS 3.0
7.5
EPSS
3.6%
CVE-2018-1067 Maven MEDIUM PATCH This Month

In Undertow before versions 7.1.2.CR1, 7.1.2.GA it was found that the fix for CVE-2016-4993 was incomplete and Undertow web server is vulnerable to the injection of arbitrary HTTP headers, and also. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Undertow Jboss Enterprise Application Platform Virtualization Host
NVD
CVSS 3.1
6.1
EPSS
1.8%
CVE-2018-10237 Maven MEDIUM PATCH This Month

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Google Java Denial Of Service Guava Openshift Container Platform +15
NVD
CVSS 3.1
5.9
EPSS
5.1%
CVE-2018-8088 Maven CRITICAL PATCH Act Now

org.slf4j.ext.EventData in the slf4j-ext module in QOS.CH SLF4J before 1.8.0-beta2 allows remote attackers to bypass intended access restrictions via crafted data. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Slf4J Jboss Enterprise Application Platform Virtualization Virtualization Host +9
NVD GitHub
CVSS 3.1
9.8
EPSS
15.1%
CVE-2017-12174 Maven HIGH PATCH This Week

It was found that when Artemis and HornetQ before 2.4.0 are configured with UDP discovery and JGroups discovery a huge byte array is created when receiving an unexpected multicast message. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Artemis Hornetq Jboss Enterprise Application Platform
NVD VulDB
CVSS 3.1
7.5
EPSS
7.4%
CVE-2018-1304 Maven MEDIUM PATCH This Month

The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Apache Information Disclosure Tomcat Jboss Enterprise Application Platform Jboss Enterprise Web Server +7
NVD
CVSS 3.0
5.9
EPSS
17.4%
CVE-2018-7489 Maven CRITICAL PATCH Act Now

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

RCE Deserialization Jackson Databind Debian Linux Communications Billing And Revenue Management +2
NVD GitHub
CVSS 3.0
9.8
EPSS
20.1%
CVE-2018-1041 HIGH POC THREAT This Week

A vulnerability was found in the way RemoteMessageChannel, introduced in jboss-remoting versions 3.3.10, reads from an empty buffer. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Jboss Remoting Jboss Enterprise Application Platform
NVD Exploit-DB
CVSS 3.0
7.5
EPSS
15.8%
CVE-2018-1048 Maven HIGH PATCH This Week

It was found that the AJP connector in undertow, as shipped in Jboss EAP 7.1.0.GA, does not use the ALLOW_ENCODED_SLASH option and thus allow the the slash / anti-slash characters encoded in the url. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Path Traversal Jboss Enterprise Application Platform
NVD
CVSS 3.1
7.5
EPSS
1.6%
CVE-2018-1047 Maven MEDIUM PATCH This Month

A flaw was found in Wildfly 9.x. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Path Traversal Jboss Wildfly Application Server Jboss Enterprise Application Platform
NVD
CVSS 3.0
5.5
EPSS
0.5%
CVE-2018-5968 Maven HIGH PATCH This Week

FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

RCE Deserialization Jackson Databind Debian Linux Openshift Container Platform +6
NVD GitHub
CVSS 3.1
8.1
EPSS
7.0%
CVE-2016-8610 HIGH PATCH Act Now

A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 71.1%.

Denial Of Service OpenSSL Debian Linux Enterprise Linux Desktop Enterprise Linux Server +41
NVD
CVSS 3.1
7.5
EPSS
71.1%
CVE-2015-7501 Maven CRITICAL EUVD KEV PATCH Act Now

Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 71.5%.

Apache Deserialization Java Red Hat Data Grid +14
NVD
CVSS 3.0
9.8
EPSS
71.5%
Threat
4.1
CVE-2017-12629 Maven CRITICAL POC PATCH THREAT Act Now

Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction with use of a Config API add-listener command to reach the RunExecutableListener. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 93.9%.

Apache XXE Elastic RCE Solr +3
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
93.9%
Threat
6.3
CVE-2015-1849 MEDIUM POC This Month

AdvancedLdapLodinMogule in Red Hat JBoss Enterprise Application Platform (EAP) before 6.4.1 allows attackers to obtain sensitive information via vectors involving logging the LDAP bind credential. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Red Hat Information Disclosure Jboss Enterprise Application Platform
NVD GitHub
CVSS 3.0
5.9
EPSS
0.3%
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Keycloak's IdentityBrokerService.performLogin endpoint fails to enforce disabled Identity Provider restrictions, allowing attackers with knowledge of an IdP alias to reuse previous login requests and authenticate through administratively disabled external providers. This authentication bypass affects any Keycloak deployment relying on IdP disablement as an access control mechanism. An attacker can exploit this to gain unauthorized access by circumventing intended administrative restrictions on external authentication sources.

Authentication Bypass Build Of Keycloak Jboss Enterprise Application Platform +2
NVD
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Undertow HTTP server (used in WildFly, JBoss EAP) fails to validate Host headers, enabling cache poisoning, internal network scanning, and session hijacking. Affects a widely-used Java application server component.

Java Information Disclosure Process Automation +7
NVD VulDB
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Undertow, a Java web server used across Red Hat's JBoss Enterprise Application Platform, Fuse, and other middleware products, contains a vulnerability that allows attackers to trigger server-side HTTP/2 stream resets without incrementing abuse counters. This 'MadeYouReset' attack enables remote unauthenticated attackers to cause denial of service by repeatedly forcing the server to abort streams and perform unnecessary cleanup work. With an EPSS score of 1.17% (78th percentile), exploitation probability is moderate but rising, and patches have been released across multiple Red Hat product lines as of early 2025.

Denial Of Service Jboss Enterprise Application Platform Expansion Pack Jboss Enterprise Application Platform +6
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

A flaw was found in Infinispan CLI. A sensitive password, decoded from a Base64-encoded Kubernetes secret, is processed in plaintext and included in a command string that may expose the data in an error message when a command is not found.

Information Disclosure Kubernetes Data Grid +4
NVD GitHub
EPSS 0% CVSS 8.1
HIGH POC PATCH This Week

A flaw was found in Wildfly Elytron integration. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Information Disclosure Wildfly Core Data Grid +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

A flaw was found in the Wildfly Server Role Based Access Control (RBAC) provider. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jboss Enterprise Application Platform Wildfly +1
NVD GitHub
EPSS 1% CVSS 7.3
HIGH This Week

A vulnerability was found in Wildfly, where a user may perform Cross-site scripting in the Wildfly deployment system. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Build Of Keycloak Jboss Enterprise Application Platform
NVD
EPSS 3% CVSS 7.5
HIGH PATCH This Week

A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Race Condition Information Disclosure Build Of Apache Camel Hawtio +8
NVD
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

A vulnerability was found in jberet-core logging. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Jberet Jboss Enterprise Application Platform
NVD GitHub
EPSS 5% CVSS 7.5
HIGH PATCH This Week

A vulnerability was found in Undertow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Active Iq Unified Manager Oncommand Workflow Automation +7
NVD
EPSS 1% CVSS 7.5
HIGH This Week

A flaw was found in EAP-7 during deserialization of certain classes, which permits instantiation of HashMap and HashTable with no checks on resources consumed. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Deserialization Jboss Enterprise Application Platform
NVD
EPSS 54% 4.3 CVSS 5.9
MEDIUM POC PATCH THREAT This Month

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and EPSS exploitation probability 53.6%.

Authentication Bypass Apache Node.js +68
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

A flaw was found in Infinispan's REST, Cache retrieval endpoints do not properly evaluate the necessary admin permissions for the operation. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Data Grid Jboss Data Grid +2
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

A flaw was found in Infinispan's REST. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Jboss Data Grid Jboss Enterprise Application Platform +2
NVD
EPSS 1% CVSS 7.5
HIGH This Week

A flaw was found in Undertow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Jboss Enterprise Application Platform Single Sign On +1
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

A flaw was found in wildfly-core. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Jboss Enterprise Application Platform Wildfly Core
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

A flaw was found in undertow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Undertow Openshift Container Platform +5
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

A flaw was found in undertow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Build Of Quarkus Decision Manager +14
NVD GitHub
EPSS 1% CVSS 4.9
MEDIUM This Month

A flaw was found in Undertow. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Integration Camel K Jboss Enterprise Application Platform +7
NVD
EPSS 1% CVSS 7.5
HIGH This Week

A flaw was found in Undertow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Build Of Quarkus Integration Camel K +8
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

This is a concurrency issue that can result in the wrong caller principal being returned from the session context of an EJB that is configured with a RunAs principal. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Jboss Enterprise Application Platform Openstack Platform +1
NVD
EPSS 1% CVSS 7.5
HIGH POC This Week

A flaw was found in JBoss-client. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Descision Manager Jboss Enterprise Application Platform +3
NVD GitHub
EPSS 2% CVSS 7.2
HIGH This Week

The HornetQ component of Artemis in EAP 7 was not updated with the fix for CVE-2016-4978. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE Jboss Enterprise Application Platform
NVD
EPSS 72% CVSS 7.5
HIGH Act Now

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. Epss exploitation probability 72.2% and no vendor patch available.

RCE Deserialization Apache +46
NVD GitHub VulDB
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

A flaw was found in postgresql. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

PostgreSQL Information Disclosure Jboss Enterprise Application Platform
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

A flaw was found in Wildfly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final where ScramServer may be susceptible to Timing Attack if enabled. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Wildfly Elytron Build Of Quarkus +11
NVD
EPSS 2% CVSS 8.8
HIGH PATCH This Week

A flaw was found in postgresql in versions before 13.3, before 12.7, before 11.12, before 10.17 and before 9.6.22. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Integer Overflow vulnerability could allow attackers to cause unexpected behavior through arithmetic overflow.

Integer Overflow PostgreSQL Information Disclosure +3
NVD
EPSS 1% CVSS 4.8
MEDIUM PATCH This Month

A flaw was found in Wildfly in versions before 23.0.2.Final while creating a new role in domain mode via the admin console, it is possible to add a payload in the name field, leading to XSS. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Build Of Quarkus Data Grid +7
NVD
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

A memory leak flaw was found in WildFly in all versions up to 21.0.0.Final, where host-controller tries to reconnect in a loop, generating new connections which are not properly closed while not able. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Wildfly Fuse +8
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

A flaw was found in JBoss EAP, where the authentication configuration is set-up using a legacy SecurityRealm, to delegate to a legacy PicketBox SecurityDomain, and then reloaded to admin-only mode. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jboss Enterprise Application Platform Openshift Application Runtimes +1
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

A memory leak flaw was found in WildFly OpenSSL in versions prior to 1.1.3.Final, where it removes an HTTP session. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

OpenSSL Denial Of Service Wildfly Openssl +9
NVD GitHub
EPSS 1% CVSS 4.8
MEDIUM PATCH This Month

A flaw was discovered in all versions of Undertow before Undertow 2.2.0.Final, where HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

XSS Request Smuggling Undertow +2
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

The issue appears to be that JBoss EAP 6.4.21 does not parse the field-name in accordance to RFC7230[1] as it returns a 200 instead of a 400. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Jboss Data Grid Jboss Enterprise Application Platform +2
NVD
EPSS 1% CVSS 7.5
HIGH This Week

A flaw was found in JBossWeb in versions before 7.5.31.Final-redhat-3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Red Hat Jboss Enterprise Application Platform +1
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

A flaw was discovered in Undertow in versions before Undertow 2.1.1.Final where certain requests to the "Expect: 100-continue" header may cause an out of memory error. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Undertow Oncommand Insight +2
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

A flaw was found in Undertow in versions before 2.1.1.Final, regarding the processing of invalid HTTP requests with large chunk sizes. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Request Smuggling Information Disclosure Undertow +7
NVD
EPSS 2% CVSS 5.3
MEDIUM PATCH This Month

A flaw was found in Hibernate Validator version 6.1.2.Final. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Hibernate Validator Websphere Application Server +5
NVD
EPSS 1% CVSS 4.2
MEDIUM PATCH This Month

A flaw was found in Soteria before 1.0.1, in a way that multiple requests occurring concurrently causing security identity corruption across concurrent threads when using EE Security with WildFly. Rated medium severity (CVSS 4.2), this vulnerability is remotely exploitable.

Authentication Bypass Soteria Jboss Enterprise Application Platform +2
NVD GitHub
EPSS 2% CVSS 8.1
HIGH PATCH This Week

A flaw was found in all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1, all undertow-1.x.x and undertow-2.x.x versions prior to undertow-2.1.0.Final, where the Servlet container causes. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Undertow Jboss Data Grid +4
NVD
EPSS 4% CVSS 7.5
HIGH POC PATCH This Week

Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Request Smuggling Information Disclosure Netty +5
NVD GitHub
EPSS 3% CVSS 8.8
HIGH PATCH This Week

A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Infinispan Fuse +5
NVD
EPSS 17% CVSS 7.5
HIGH This Week

A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Jackson Mapper Asl Jboss Enterprise Application Platform +3
NVD
EPSS 2% CVSS 6.1
MEDIUM POC PATCH This Month

A vulnerability was found in Hibernate-Validator. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Hibernate Validator Fuse +186
NVD GitHub
EPSS 7% CVSS 7.5
HIGH PATCH This Week

In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when feed with invalid input data. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.

Buffer Overflow Apache Information Disclosure +3
NVD
EPSS 9% CVSS 7.5
HIGH PATCH This Week

In Apache Thrift all versions up to and including 0.12.0, a server or client may run into an endless loop when feed with specific input data. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Apache Thrift +2
NVD
EPSS 1% CVSS 4.9
MEDIUM PATCH This Month

A flaw was found in wildfly-core before 7.2.5.GA. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Wildfly Core Jboss Enterprise Application Platform +2
NVD
EPSS 5% CVSS 9.8
CRITICAL PATCH Act Now

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Apache Deserialization Jackson Databind +21
NVD GitHub
EPSS 5% CVSS 9.8
CRITICAL PATCH Act Now

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Jackson Databind Active Iq Unified Manager +10
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

A flaw was found in, all under 2.0.20, in the Undertow DEBUG log for io.undertow.request.security. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Undertow Jboss Data Grid +5
NVD
EPSS 5% CVSS 9.8
CRITICAL PATCH Act Now

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Jackson Databind Debian Linux +24
NVD GitHub
EPSS 6% CVSS 9.8
CRITICAL PATCH Act Now

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Apache Deserialization Jackson Databind +27
NVD GitHub
EPSS 5% CVSS 9.8
CRITICAL Act Now

A series of deserialization vulnerabilities have been discovered in Codehaus 1.9.x implemented in EAP 7. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Jboss Enterprise Application Platform
NVD
EPSS 8% CVSS 7.5
HIGH POC PATCH This Week

Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Request Smuggling Information Disclosure Netty +3
NVD GitHub
EPSS 5% CVSS 9.8
CRITICAL PATCH Act Now

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Jackson Databind Fedora +15
NVD GitHub
EPSS 11% CVSS 9.8
CRITICAL PATCH Act Now

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Jackson Databind Oncommand Api Services +17
NVD GitHub
EPSS 1% CVSS 5.5
MEDIUM PATCH This Month

In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Java Information Disclosure Apache +3
NVD
EPSS 29% CVSS 7.3
HIGH PATCH This Week

In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Java Apache Deserialization +60
NVD
EPSS 25% CVSS 7.5
HIGH This Week

Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Swiftnio Traffic Server +16
NVD GitHub
EPSS 27% CVSS 7.5
HIGH PATCH This Week

Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Swiftnio Http Server +21
NVD GitHub
EPSS 56% CVSS 6.5
MEDIUM This Month

Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Swiftnio Traffic Server +17
NVD GitHub
EPSS 88% CVSS 7.5
HIGH This Week

Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Swiftnio Traffic Server +20
NVD GitHub
EPSS 83% CVSS 7.5
HIGH PATCH This Week

Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Swiftnio Traffic Server +26
NVD GitHub
EPSS 82% CVSS 7.5
HIGH This Week

Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Swiftnio Traffic Server +18
NVD GitHub
EPSS 58% CVSS 7.5
HIGH PATCH This Week

Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Swiftnio Traffic Server +18
NVD GitHub
EPSS 8% CVSS 9.8
CRITICAL PATCH Act Now

SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup),. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) vulnerability could allow attackers to modify object prototypes to inject properties affecting application logic.

Java Prototype Pollution RCE +24
NVD GitHub
EPSS 3% CVSS 7.5
HIGH PATCH This Week

undertow before version 2.0.23.Final is vulnerable to an information leak issue. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Authentication Bypass Undertow Jboss Data Grid +4
NVD GitHub
EPSS 1% CVSS 9.0
CRITICAL Act Now

It was found that Picketlink as shipped with Jboss Enterprise Application Platform 7.2 would accept an xinclude parameter in SAMLresponse XML. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Jboss Enterprise Application Platform Single Sign On
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

It was found that a SAMLRequest containing a script could be processed by Picketlink versions shipped in Jboss Application Platform 7.2.x and 7.1.x. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Jboss Enterprise Application Platform Single Sign On
NVD
EPSS 2% CVSS 8.8
HIGH This Week

It was discovered that the ElytronManagedThread in Wildfly's Elytron subsystem in versions from 11 to 16 stores a SecurityIdentity to run the thread as. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Wildfly Jboss Enterprise Application Platform
NVD
EPSS 0% CVSS 4.7
MEDIUM This Month

A flaw was discovered in wildfly versions up to 16.0.0.Final that would allow local users who are able to execute init.d script to terminate arbitrary processes on the system. Rated medium severity (CVSS 4.7). No vendor patch available.

Information Disclosure Jboss Enterprise Application Platform Wildfly
NVD
EPSS 2% CVSS 5.3
MEDIUM PATCH This Month

An information leak vulnerability was found in Undertow. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Undertow Jboss Enterprise Application Platform
NVD
EPSS 7% CVSS 7.5
HIGH POC PATCH This Week

dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Code Injection Dom4J Debian Linux +12
NVD GitHub
EPSS 21% CVSS 7.5
HIGH PATCH This Week

An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Tomcat Denial Of Service Apache +7
NVD
EPSS 1% CVSS 5.5
MEDIUM PATCH This Month

WildFly Core before version 6.0.0.Alpha3 does not properly validate file paths in .war archives, allowing for the extraction of crafted .war archives to overwrite arbitrary files. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Path Traversal Virtualization Jboss Enterprise Application Platform +1
NVD
EPSS 10% CVSS 8.1
HIGH PATCH This Week

It is possible to configure Apache CXF to use the com.sun.net.ssl implementation via 'System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");'. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required.

Apache Information Disclosure Cxf +1
NVD GitHub
EPSS 4% CVSS 7.5
HIGH PATCH This Week

Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Bc Java Fips Java Api +18
NVD GitHub
EPSS 2% CVSS 6.1
MEDIUM PATCH This Month

In Undertow before versions 7.1.2.CR1, 7.1.2.GA it was found that the fix for CVE-2016-4993 was incomplete and Undertow web server is vulnerable to the injection of arbitrary HTTP headers, and also. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Undertow Jboss Enterprise Application Platform +1
NVD
EPSS 5% CVSS 5.9
MEDIUM PATCH This Month

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Google Java Denial Of Service +17
NVD
EPSS 15% CVSS 9.8
CRITICAL PATCH Act Now

org.slf4j.ext.EventData in the slf4j-ext module in QOS.CH SLF4J before 1.8.0-beta2 allows remote attackers to bypass intended access restrictions via crafted data. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Slf4J Jboss Enterprise Application Platform +11
NVD GitHub
EPSS 7% CVSS 7.5
HIGH PATCH This Week

It was found that when Artemis and HornetQ before 2.4.0 are configured with UDP discovery and JGroups discovery a huge byte array is created when receiving an unexpected multicast message. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Artemis Hornetq +1
NVD VulDB
EPSS 17% CVSS 5.9
MEDIUM PATCH This Month

The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Apache Information Disclosure Tomcat +9
NVD
EPSS 20% CVSS 9.8
CRITICAL PATCH Act Now

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

RCE Deserialization Jackson Databind +4
NVD GitHub
EPSS 16% CVSS 7.5
HIGH POC THREAT This Week

A vulnerability was found in the way RemoteMessageChannel, introduced in jboss-remoting versions 3.3.10, reads from an empty buffer. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Jboss Remoting Jboss Enterprise Application Platform
NVD Exploit-DB
EPSS 2% CVSS 7.5
HIGH PATCH This Week

It was found that the AJP connector in undertow, as shipped in Jboss EAP 7.1.0.GA, does not use the ALLOW_ENCODED_SLASH option and thus allow the the slash / anti-slash characters encoded in the url. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Path Traversal Jboss Enterprise Application Platform
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

A flaw was found in Wildfly 9.x. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Path Traversal Jboss Wildfly Application Server +1
NVD
EPSS 7% CVSS 8.1
HIGH PATCH This Week

FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

RCE Deserialization Jackson Databind +8
NVD GitHub
EPSS 71% CVSS 7.5
HIGH PATCH Act Now

A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 71.1%.

Denial Of Service OpenSSL Debian Linux +43
NVD
EPSS 71% 4.1 CVSS 9.8
CRITICAL EUVD KEV PATCH Act Now

Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 71.5%.

Apache Deserialization Java +16
NVD
EPSS 94% 6.3 CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction with use of a Config API add-listener command to reach the RunExecutableListener. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 93.9%.

Apache XXE Elastic +5
NVD Exploit-DB
EPSS 0% CVSS 5.9
MEDIUM POC This Month

AdvancedLdapLodinMogule in Red Hat JBoss Enterprise Application Platform (EAP) before 6.4.1 allows attackers to obtain sensitive information via vectors involving logging the LDAP bind credential. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Red Hat Information Disclosure Jboss Enterprise Application Platform
NVD GitHub
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy