Skip to main content

Jboss Enterprise Application Platform

152 CVEs product

Monthly

CVE-2017-7561 Maven HIGH PATCH This Week

Red Hat JBoss EAP version 3.0.7 through before 4.0.0.Beta1 is vulnerable to a server-side cache poisoning or CORS requests in the JAX-RS component resulting in a moderate impact. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Red Hat Information Disclosure Jboss Enterprise Application Platform
NVD
CVSS 3.0
7.5
EPSS
1.1%
CVE-2016-6311 MEDIUM This Month

Get requests in JBoss Enterprise Application Platform (EAP) 7 disclose internal IP addresses to remote attackers. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Jboss Enterprise Application Platform
NVD
CVSS 3.0
5.3
EPSS
0.3%
CVE-2016-6796 Maven HIGH PATCH This Week

A malicious web application running on Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 was able to bypass a configured SecurityManager via. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Tomcat Authentication Bypass Apache Debian Linux Oncommand Insight +12
NVD
CVSS 3.1
7.5
EPSS
0.8%
CVE-2016-5018 Maven CRITICAL POC PATCH Act Now

In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 a malicious web application was able to bypass a configured SecurityManager via a. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Tomcat Authentication Bypass Apache Oncommand Insight Oncommand Shift +12
NVD
CVSS 3.1
9.1
EPSS
0.9%
CVE-2017-9788 CRITICAL PATCH Act Now

In Apache httpd before 2.2.34 and 2.4.x before 2.4.27, the value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 49.5%.

Denial Of Service Apache Http Server Debian Linux Mac Os X +13
NVD
CVSS 3.0
9.1
EPSS
49.5%
CVE-2016-3690 CRITICAL Act Now

The PooledInvokerServlet in JBoss EAP 4.x and 5.x allows remote attackers to execute arbitrary code via a crafted serialized payload. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Jboss Enterprise Application Platform
NVD
CVSS 3.0
9.8
EPSS
1.8%
CVE-2017-7504 CRITICAL Emergency

HTTPServerILServlet.java in JMS over HTTP Invocation Layer of the JbossMQ implementation, which is enabled by default in Red Hat Jboss Application Server <= Jboss 4.X does not restrict the classes. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 90.3% and no vendor patch available.

Deserialization Java Red Hat RCE Jboss Enterprise Application Platform
NVD
CVSS 3.0
9.8
EPSS
90.3%
Threat
4.7
CVE-2017-7503 CRITICAL Act Now

It was found that the Red Hat JBoss EAP 7.0.5 implementation of javax.xml.transform.TransformerFactory is vulnerable to XXE. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF XXE Red Hat Jboss Enterprise Application Platform
NVD
CVSS 3.0
9.8
EPSS
0.7%
CVE-2016-7065 HIGH POC THREAT Act Now

The JMX servlet in Red Hat JBoss Enterprise Application Platform (EAP) 4 and 5 allows remote authenticated users to cause a denial of service and possibly execute arbitrary code via a crafted. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 12.1%.

RCE Deserialization Denial Of Service Java Red Hat +1
NVD Exploit-DB
CVSS 3.0
8.8
EPSS
12.1%
CVE-2016-7046 Maven MEDIUM PATCH This Month

Red Hat JBoss Enterprise Application Platform (EAP) 7, when operating as a reverse-proxy with default buffer sizes, allows remote attackers to cause a denial of service (CPU and disk consumption) via. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Red Hat Denial Of Service Jboss Enterprise Application Platform
NVD
CVSS 3.0
5.9
EPSS
4.1%
CVE-2016-4978 Maven HIGH PATCH This Week

The getObject method of the javax.jms.ObjectMessage class in the (1) JMS Core client, (2) Artemis broker, and (3) Artemis REST component in Apache ActiveMQ Artemis before 1.4.0 might allow remote. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization RCE Apache Activemq Artemis Jboss Enterprise Application Platform
NVD VulDB
CVSS 3.1
7.2
EPSS
1.4%
CVE-2016-5406 HIGH This Week

The domain controller in Red Hat JBoss Enterprise Application Platform (EAP) 7.x before 7.0.2 allows remote authenticated users to gain privileges by leveraging failure to propagate administrative. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Red Hat Privilege Escalation Jboss Enterprise Application Platform
NVD
CVSS 3.0
8.8
EPSS
1.5%
CVE-2016-4993 Maven MEDIUM PATCH This Month

CRLF injection vulnerability in the Undertow web server in WildFly 10.0.0, as used in Red Hat JBoss Enterprise Application Platform (EAP) 7.x before 7.0.2, allows remote attackers to inject arbitrary. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Red Hat Code Injection Jboss Enterprise Application Platform Jboss Wildfly Application Server
NVD
CVSS 3.0
6.1
EPSS
1.5%
CVE-2016-3110 Maven HIGH PATCH This Week

mod_cluster, as used in Red Hat JBoss Web Server 2.1, allows remote attackers to cause a denial of service (Apache http server crash) via an MCMP message containing a series of = (equals) characters. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Red Hat Denial Of Service Apache Jboss Enterprise Application Platform Jboss Enterprise Web Server +1
NVD
CVSS 3.0
7.5
EPSS
3.2%
CVE-2016-2141 Maven CRITICAL PATCH Act Now

It was found that JGroups did not require necessary headers for encrypt and auth protocols from new nodes joining the cluster. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Jgroups Jboss Enterprise Application Platform
NVD
CVSS 3.1
9.8
EPSS
1.5%
CVE-2015-5304 LOW Monitor

Red Hat JBoss Enterprise Application Platform (EAP) before 6.4.5 does not properly authorize access to shut down the server, which allows remote authenticated users with the Monitor, Deployer, or. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable. No vendor patch available.

Red Hat Privilege Escalation Denial Of Service Jboss Enterprise Application Platform
NVD
CVSS 2.0
3.5
EPSS
1.3%
CVE-2015-5220 MEDIUM PATCH This Month

The Web Console in Red Hat Enterprise Application Platform (EAP) before 6.4.4 and WildFly (formerly JBoss Application Server) allows remote attackers to cause a denial of service (memory consumption). Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This Buffer Overflow vulnerability could allow attackers to corrupt memory to execute arbitrary code or crash the application.

Denial Of Service Red Hat Buffer Overflow Jboss Enterprise Application Platform Jboss Wildfly Application Server
NVD
CVSS 2.0
5.0
EPSS
1.5%
CVE-2015-5188 MEDIUM This Month

Cross-site request forgery (CSRF) vulnerability in the Web Console (web-console) in Red Hat Enterprise Application Platform before 6.4.4 and WildFly (formerly JBoss Application Server) before. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

CSRF File Upload Red Hat Jboss Enterprise Application Platform Jboss Wildfly Application Server
NVD
CVSS 2.0
6.8
EPSS
0.3%
CVE-2015-5178 MEDIUM This Month

The Management Console in Red Hat Enterprise Application Platform before 6.4.4 and WildFly (formerly JBoss Application Server) does not send an X-Frame-Options HTTP header, which makes it easier for. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

Red Hat Information Disclosure Jboss Wildfly Application Server Jboss Enterprise Application Platform
NVD
CVSS 2.0
4.3
EPSS
0.5%
CVE-2014-3586 LOW Monitor

The default configuration for the Command Line Interface in Red Hat Enterprise Application Platform before 6.4.0 and WildFly (formerly JBoss Application Server) uses weak permissions for. Rated low severity (CVSS 2.1), this vulnerability is low attack complexity. No vendor patch available.

Red Hat Privilege Escalation Jboss Enterprise Application Platform
NVD
CVSS 2.0
2.1
EPSS
0.1%
CVE-2014-0005 LOW Monitor

PicketBox and JBossSX, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 6.2.2 and JBoss BRMS before 6.0.3 roll up patch 2, allows remote authenticated users to read and modify the. Rated low severity (CVSS 3.6), this vulnerability is low attack complexity. No vendor patch available.

Red Hat Privilege Escalation Jboss Enterprise Application Platform Jboss Enterprise Brms Platform
NVD
CVSS 2.0
3.6
EPSS
0.2%
CVE-2014-7853 MEDIUM This Month

The JBoss Application Server (WildFly) JacORB subsystem in Red Hat JBoss Enterprise Application Platform (EAP) before 6.3.3 does not properly assign socket-binding-ref sensitivity classification to. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Red Hat Information Disclosure Jboss Operations Network Jboss Enterprise Application Platform
NVD
CVSS 2.0
4.0
EPSS
0.4%
CVE-2014-7849 MEDIUM This Month

The Role Based Access Control (RBAC) implementation in JBoss Enterprise Application Platform (EAP) 6.2.0 through 6.3.2 does not properly verify authorization conditions, which allows remote. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Jboss Enterprise Application Platform
NVD
CVSS 2.0
4.0
EPSS
0.4%
CVE-2014-7827 LOW Monitor

The org.jboss.security.plugins.mapping.JBossMappingManager implementation in JBoss Security in Red Hat JBoss Enterprise Application Platform (EAP) before 6.3.3 uses the default security domain when a. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable. No vendor patch available.

Red Hat Privilege Escalation Jboss Enterprise Application Platform
NVD
CVSS 2.0
3.5
EPSS
0.3%
CVE-2014-0059 LOW Monitor

JBoss SX and PicketBox, as used in Red Hat JBoss Enterprise Application Platform (EAP) before 6.2.3, use world-readable permissions on audit.log, which allows local users to obtain sensitive. Rated low severity (CVSS 2.1), this vulnerability is low attack complexity. No vendor patch available.

Red Hat Information Disclosure Jboss Enterprise Application Platform
NVD
CVSS 2.0
2.1
EPSS
0.1%
CVE-2014-3490 Maven HIGH PATCH This Week

RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0, does not disable external entities when the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

Red Hat XXE Jboss Enterprise Application Platform Resteasy
NVD GitHub
CVSS 2.0
7.5
EPSS
4.6%
CVE-2014-3472 MEDIUM This Month

The isCallerInRole function in SimpleSecurityManager in JBoss Application Server (AS) 7, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 6.3.0, does not properly check caller roles,. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable. No vendor patch available.

Red Hat Privilege Escalation Jboss Enterprise Application Platform
NVD
CVSS 2.0
4.9
EPSS
0.2%
CVE-2014-3464 MEDIUM This Month

The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) 6.2.0 and 6.3.0, does not properly enforce the method level restrictions for. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Red Hat Privilege Escalation Jboss Enterprise Application Platform
NVD
CVSS 2.0
5.5
EPSS
0.2%
CVE-2014-3530 Maven HIGH PATCH This Week

The org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory method in PicketLink, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 5.2.0 and 6.2.4, expands entity. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Red Hat XXE Information Disclosure RCE Jboss Enterprise Application Platform
NVD
CVSS 2.0
7.5
EPSS
2.1%
CVE-2014-3518 MEDIUM This Month

jmx-remoting.sar in JBoss Remoting, as used in Red Hat JBoss Enterprise Application Platform (JEAP) 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2, and Red Hat JBoss SOA. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

RCE Code Injection Red Hat Jboss Enterprise Application Platform Jboss Enterprise Brms Platform +2
NVD
CVSS 2.0
6.8
EPSS
1.7%
CVE-2014-0226 MEDIUM POC PATCH THREAT This Month

Race condition in the mod_status module in the Apache HTTP Server before 2.4.10 allows remote attackers to cause a denial of service (heap-based buffer overflow), or possibly obtain sensitive. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 75.4%.

Race Condition Denial Of Service Buffer Overflow RCE Apache +6
NVD Exploit-DB
CVSS 2.0
6.8
EPSS
75.4%
Threat
5.1
CVE-2014-0118 MEDIUM PATCH This Month

The deflate_in_filter function in mod_deflate.c in the mod_deflate module in the Apache HTTP Server before 2.4.10, when request body decompression is enabled, allows remote attackers to cause a. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Epss exploitation probability 41.3%.

Denial Of Service Apache Http Server Debian Linux Jboss Enterprise Application Platform +1
NVD
CVSS 2.0
4.3
EPSS
41.3%
CVE-2014-3481 MEDIUM This Month

org.jboss.as.jaxrs.deployment.JaxrsIntegrationProcessor in Red Hat JBoss Enterprise Application Platform (JEAP) before 6.2.4 enables entity expansion, which allows remote attackers to read arbitrary. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Red Hat XXE Information Disclosure Jboss Enterprise Application Platform
NVD
CVSS 2.0
5.0
EPSS
1.1%
CVE-2014-0248 MEDIUM This Month

org.jboss.seam.web.AuthenticationFilter in Red Hat JBoss Web Framework Kit 2.5.0, JBoss Enterprise Application Platform (JBEAP) 5.2.0, and JBoss Enterprise Web Platform (JBEWP) 5.2.0 allows remote. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

RCE Code Injection Red Hat Jboss Enterprise Application Platform Jboss Enterprise Web Platform +1
NVD
CVSS 2.0
6.8
EPSS
2.3%
CVE-2014-0035 Maven MEDIUM PATCH This Month

The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Information Disclosure Apache Cxf Jboss Enterprise Application Platform
NVD
CVSS 2.0
4.3
EPSS
1.0%
CVE-2014-0034 Maven MEDIUM PATCH This Month

The SecurityTokenService (STS) in Apache CXF before 2.6.12 and 2.7.x before 2.7.9 does not properly validate SAML tokens when caching is enabled, which allows remote attackers to gain access via an. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Information Disclosure Apache Cxf Jboss Enterprise Application Platform
NVD
CVSS 2.0
4.3
EPSS
1.9%
CVE-2014-0224 HIGH POC PATCH THREAT Act Now

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and EPSS exploitation probability 89.7%.

Information Disclosure OpenSSL Jboss Enterprise Application Platform Jboss Enterprise Web Platform Jboss Enterprise Web Server +12
NVD
CVSS 3.1
7.4
EPSS
89.7%
Threat
5.7
CVE-2014-0093 MEDIUM This Month

Red Hat JBoss Enterprise Application Platform (JBEAP) 6.2.2, when using a Java Security Manager (JSM), does not properly apply permissions defined by a policy file, which causes applications to be. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. No vendor patch available.

Red Hat Privilege Escalation Java Jboss Enterprise Application Platform
NVD VulDB
CVSS 2.0
5.8
EPSS
0.3%
CVE-2014-0058 LOW Monitor

The security audit functionality in Red Hat JBoss Enterprise Application Platform (EAP) 6.x before 6.2.1 logs request parameters in plaintext, which might allow local users to obtain passwords by. Rated low severity (CVSS 1.9). No vendor patch available.

Red Hat Information Disclosure Jboss Enterprise Application Platform
NVD
CVSS 2.0
1.9
EPSS
0.1%
CVE-2014-0018 LOW Monitor

Red Hat JBoss Enterprise Application Platform (JBEAP) 6.2.0 and JBoss WildFly Application Server, when run under a security manager, do not properly restrict access to the Modular Service Container. Rated low severity (CVSS 1.9). No vendor patch available.

Red Hat Privilege Escalation Jboss Enterprise Application Platform Jboss Wildfly Application Server
NVD
CVSS 2.0
1.9
EPSS
0.1%
CVE-2012-3427 LOW Monitor

EC2 Amazon Machine Image (AMI) in JBoss Enterprise Application Platform (EAP) 5.1.2 uses 755 permissions for /var/cache/jboss-ec2-eap/, which allows local users to read sensitive information such as. Rated low severity (CVSS 2.1), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Jboss Enterprise Application Platform
NVD
CVSS 2.0
2.1
EPSS
0.1%
CVE-2013-2185 Maven HIGH PATCH This Week

The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

Tomcat Red Hat Apache Information Disclosure Jboss Enterprise Application Platform +1
NVD
CVSS 2.0
7.5
EPSS
5.3%
CVE-2013-2133 MEDIUM This Month

The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) before 6.2.0, does not properly enforce the method level restrictions for JAX-WS. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Red Hat Privilege Escalation Jboss Enterprise Application Platform Enterprise Linux
NVD
CVSS 2.0
5.5
EPSS
0.3%
CVE-2012-4572 LOW Monitor

Red Hat JBoss Enterprise Application Platform (EAP) before 6.1.0 and JBoss Portal before 6.1.0 does not load the implementation of a custom authorization module for a new application when an. Rated low severity (CVSS 3.7). No vendor patch available.

Red Hat Privilege Escalation Jboss Enterprise Application Platform Jboss Enterprise Portal Platform
NVD
CVSS 2.0
3.7
EPSS
0.2%
CVE-2012-4529 MEDIUM This Month

The org.apache.catalina.connector.Response.encodeURL method in Red Hat JBoss Web 7.1.x and earlier, when the tracking mode is set to COOKIE, sends the jsessionid in the URL of the first response of a. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

Red Hat Apache Information Disclosure Jboss Community Application Server Jboss Enterprise Application Platform
NVD
CVSS 2.0
4.3
EPSS
0.6%
CVE-2013-4210 MEDIUM This Month

The org.jboss.remoting.transport.socket.ServerThread class in Red Hat JBoss Remoting for Red Hat JBoss SOA Platform 5.3.1 GA, Web Platform 5.2.0, Enterprise Application Platform 5.2.0, and other. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Red Hat Denial Of Service Jboss Enterprise Application Platform Jboss Enterprise Brms Platform Jboss Enterprise Soa Platform +1
NVD
CVSS 2.0
5.0
EPSS
1.3%
CVE-2013-4112 Maven MEDIUM PATCH This Month

The DiagnosticsHandler in JGroup 3.0.x, 3.1.x, 3.2.x before 3.2.9, and 3.3.x before 3.3.3 allows remote attackers to obtain sensitive information (diagnostic information) and execute arbitrary code. Rated medium severity (CVSS 5.4). This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure RCE Jgroup Jboss Enterprise Application Platform
NVD
CVSS 2.0
5.4
EPSS
0.6%
CVE-2013-1921 LOW Monitor

PicketBox, as used in Red Hat JBoss Enterprise Application Platform before 6.1.1, allows local users to obtain the admin encryption key by reading the Vault data file. Rated low severity (CVSS 1.9). No vendor patch available.

Red Hat Hashicorp Information Disclosure Jboss Enterprise Application Platform
NVD
CVSS 2.0
1.9
EPSS
0.1%
CVE-2012-5575 Maven MEDIUM PATCH This Month

Apache CXF 2.5.x before 2.5.10, 2.6.x before CXF 2.6.7, and 2.7.x before CXF 2.7.4 does not verify that a specified cryptographic algorithm is allowed by the WS-SecurityPolicy AlgorithmSuite. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity.

Apache Information Disclosure Cxf Jboss Enterprise Application Platform Jboss Enterprise Portal Platform +3
NVD
CVSS 2.0
6.4
EPSS
9.5%
CVE-2013-4213 MEDIUM This Month

Red Hat JBoss Enterprise Application Platform (EAP) 6.1.0 does not properly cache EJB invocations by the EJB client API, which allows remote attackers to hijack sessions by using an EJB client. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Red Hat Authentication Bypass Jboss Enterprise Application Platform
NVD
CVSS 2.0
6.4
EPSS
0.6%
CVE-2013-4128 MEDIUM This Month

Red Hat JBoss Enterprise Application Platform (EAP) 6.1.0 does not properly cache EJB invocations by remote-naming, which allows remote attackers to hijack sessions by using a remoting client. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Red Hat Information Disclosure Jboss Enterprise Application Platform
NVD
CVSS 2.0
6.4
EPSS
0.7%
CVE-2013-2165 Maven HIGH PATCH Act Now

ResourceBuilderImpl.java in the RichFaces 3.x through 5.x implementation in Red Hat JBoss Web Framework Kit before 2.3.0, Red Hat JBoss Web Platform through 5.2.0, Red Hat JBoss Enterprise. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 24.1%.

Red Hat Privilege Escalation Java Deserialization RCE +8
NVD
CVSS 2.0
7.5
EPSS
24.1%
CVE-2013-1896 MEDIUM POC THREAT This Month

mod_dav.c in the Apache HTTP Server before 2.2.25 does not properly determine whether DAV is enabled for a URI, which allows remote attackers to cause a denial of service (segmentation fault) via a. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 38.6%.

Denial Of Service Apache Http Server Jboss Enterprise Application Platform Enterprise Linux Desktop +7
NVD
CVSS 2.0
4.3
EPSS
38.6%
CVE-2013-1862 MEDIUM PATCH This Month

mod_rewrite.c in the mod_rewrite module in the Apache HTTP Server 2.2.x before 2.2.25 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable. Epss exploitation probability 39.6%.

Apache Information Disclosure Http Server Jboss Enterprise Application Platform Enterprise Linux Desktop +7
NVD
CVSS 2.0
5.1
EPSS
39.6%
CVE-2012-5629 HIGH This Week

The default configuration of the (1) LdapLoginModule and (2) LdapExtLoginModule modules in JBoss Enterprise Application Platform (EAP) 4.3.0 CP10, 5.2.0, and 6.0.1, and Enterprise Web Platform (EWP). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Jboss Enterprise Application Platform Jboss Enterprise Web Platform
NVD
CVSS 2.0
7.5
EPSS
0.8%
CVE-2013-0218 LOW Monitor

The GUI installer in JBoss Enterprise Application Platform (EAP) and Enterprise Web Platform (EWP) 5.2.0 and possibly 5.1.2 uses world-readable permissions for the auto-install XML file, which allows. Rated low severity (CVSS 2.1), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Jboss Enterprise Application Platform Jboss Enterprise Web Platform
NVD
CVSS 2.0
2.1
EPSS
0.0%
CVE-2012-5478 MEDIUM This Month

The AuthorizationInterceptor in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 does not properly. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable. No vendor patch available.

Privilege Escalation Jboss Enterprise Application Platform Jboss Enterprise Web Platform Jboss Enterprise Brms Platform
NVD
CVSS 2.0
4.9
EPSS
0.5%
CVE-2012-3370 MEDIUM This Month

The SecurityAssociation.getCredential method in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. No vendor patch available.

Privilege Escalation Jboss Enterprise Application Platform Jboss Enterprise Web Platform Jboss Enterprise Brms Platform
NVD
CVSS 2.0
5.8
EPSS
1.7%
CVE-2012-3369 MEDIUM This Month

The CallerIdentityLoginModule in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 allows remote. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable. No vendor patch available.

Privilege Escalation Jboss Enterprise Web Platform Jboss Enterprise Application Platform Jboss Enterprise Brms Platform
NVD
CVSS 2.0
4.0
EPSS
1.3%
CVE-2012-0034 LOW Monitor

The NonManagedConnectionFactory in JBoss Enterprise Application Platform (EAP) 5.1.2 and 5.2.0, Web Platform (EWP) 5.1.2 and 5.2.0, and BRMS Platform before 5.3.1 logs the username and password in. Rated low severity (CVSS 2.1), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Jboss Enterprise Application Platform Jboss Enterprise Web Platform Jboss Enterprise Brms Platform
NVD
CVSS 2.0
2.1
EPSS
0.1%
CVE-2012-1167 MEDIUM This Month

The JBoss Server in JBoss Enterprise Application Platform 5.1.x before 5.1.2 and 5.2.x before 5.2.2, Web Platform before 5.1.2, BRMS Platform before 5.3.0, and SOA Platform before 5.3.0, when the. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable. No vendor patch available.

Privilege Escalation Jboss Enterprise Application Platform Jboss Enterprise Brms Platform Jboss Enterprise Soa Platform Jboss Enterprise Web Platform
NVD
CVSS 2.0
4.6
EPSS
0.8%
CVE-2012-1154 Maven MEDIUM PATCH This Month

mod_cluster 1.0.10 before 1.0.10 CP03 and 1.1.x before 1.1.4, as used in JBoss Enterprise Application Platform 5.1.2, when "ROOT" is set to excludedContexts, exposes the root context of the server,. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Privilege Escalation Jboss Enterprise Application Platform Mod Cluster
NVD
CVSS 2.0
4.3
EPSS
0.3%
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Red Hat JBoss EAP version 3.0.7 through before 4.0.0.Beta1 is vulnerable to a server-side cache poisoning or CORS requests in the JAX-RS component resulting in a moderate impact. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Red Hat Information Disclosure Jboss Enterprise Application Platform
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Get requests in JBoss Enterprise Application Platform (EAP) 7 disclose internal IP addresses to remote attackers. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Jboss Enterprise Application Platform
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

A malicious web application running on Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 was able to bypass a configured SecurityManager via. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Tomcat Authentication Bypass Apache +14
NVD
EPSS 1% CVSS 9.1
CRITICAL POC PATCH Act Now

In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 a malicious web application was able to bypass a configured SecurityManager via a. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Tomcat Authentication Bypass Apache +14
NVD
EPSS 49% CVSS 9.1
CRITICAL PATCH Act Now

In Apache httpd before 2.2.34 and 2.4.x before 2.4.27, the value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 49.5%.

Denial Of Service Apache Http Server +15
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

The PooledInvokerServlet in JBoss EAP 4.x and 5.x allows remote attackers to execute arbitrary code via a crafted serialized payload. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Jboss Enterprise Application Platform
NVD
EPSS 90% 4.7 CVSS 9.8
CRITICAL Emergency

HTTPServerILServlet.java in JMS over HTTP Invocation Layer of the JbossMQ implementation, which is enabled by default in Red Hat Jboss Application Server <= Jboss 4.X does not restrict the classes. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 90.3% and no vendor patch available.

Deserialization Java Red Hat +2
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

It was found that the Red Hat JBoss EAP 7.0.5 implementation of javax.xml.transform.TransformerFactory is vulnerable to XXE. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF XXE Red Hat +1
NVD
EPSS 12% CVSS 8.8
HIGH POC THREAT Act Now

The JMX servlet in Red Hat JBoss Enterprise Application Platform (EAP) 4 and 5 allows remote authenticated users to cause a denial of service and possibly execute arbitrary code via a crafted. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 12.1%.

RCE Deserialization Denial Of Service +3
NVD Exploit-DB
EPSS 4% CVSS 5.9
MEDIUM PATCH This Month

Red Hat JBoss Enterprise Application Platform (EAP) 7, when operating as a reverse-proxy with default buffer sizes, allows remote attackers to cause a denial of service (CPU and disk consumption) via. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Red Hat Denial Of Service Jboss Enterprise Application Platform
NVD
EPSS 1% CVSS 7.2
HIGH PATCH This Week

The getObject method of the javax.jms.ObjectMessage class in the (1) JMS Core client, (2) Artemis broker, and (3) Artemis REST component in Apache ActiveMQ Artemis before 1.4.0 might allow remote. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization RCE Apache +2
NVD VulDB
EPSS 2% CVSS 8.8
HIGH This Week

The domain controller in Red Hat JBoss Enterprise Application Platform (EAP) 7.x before 7.0.2 allows remote authenticated users to gain privileges by leveraging failure to propagate administrative. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Red Hat Privilege Escalation Jboss Enterprise Application Platform
NVD
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

CRLF injection vulnerability in the Undertow web server in WildFly 10.0.0, as used in Red Hat JBoss Enterprise Application Platform (EAP) 7.x before 7.0.2, allows remote attackers to inject arbitrary. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Red Hat Code Injection Jboss Enterprise Application Platform +1
NVD
EPSS 3% CVSS 7.5
HIGH PATCH This Week

mod_cluster, as used in Red Hat JBoss Web Server 2.1, allows remote attackers to cause a denial of service (Apache http server crash) via an MCMP message containing a series of = (equals) characters. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Red Hat Denial Of Service Apache +3
NVD
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

It was found that JGroups did not require necessary headers for encrypt and auth protocols from new nodes joining the cluster. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Jgroups Jboss Enterprise Application Platform
NVD
EPSS 1% CVSS 3.5
LOW Monitor

Red Hat JBoss Enterprise Application Platform (EAP) before 6.4.5 does not properly authorize access to shut down the server, which allows remote authenticated users with the Monitor, Deployer, or. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable. No vendor patch available.

Red Hat Privilege Escalation Denial Of Service +1
NVD
EPSS 2% CVSS 5.0
MEDIUM PATCH This Month

The Web Console in Red Hat Enterprise Application Platform (EAP) before 6.4.4 and WildFly (formerly JBoss Application Server) allows remote attackers to cause a denial of service (memory consumption). Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This Buffer Overflow vulnerability could allow attackers to corrupt memory to execute arbitrary code or crash the application.

Denial Of Service Red Hat Buffer Overflow +2
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

Cross-site request forgery (CSRF) vulnerability in the Web Console (web-console) in Red Hat Enterprise Application Platform before 6.4.4 and WildFly (formerly JBoss Application Server) before. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

CSRF File Upload Red Hat +2
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

The Management Console in Red Hat Enterprise Application Platform before 6.4.4 and WildFly (formerly JBoss Application Server) does not send an X-Frame-Options HTTP header, which makes it easier for. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

Red Hat Information Disclosure Jboss Wildfly Application Server +1
NVD
EPSS 0% CVSS 2.1
LOW Monitor

The default configuration for the Command Line Interface in Red Hat Enterprise Application Platform before 6.4.0 and WildFly (formerly JBoss Application Server) uses weak permissions for. Rated low severity (CVSS 2.1), this vulnerability is low attack complexity. No vendor patch available.

Red Hat Privilege Escalation Jboss Enterprise Application Platform
NVD
EPSS 0% CVSS 3.6
LOW Monitor

PicketBox and JBossSX, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 6.2.2 and JBoss BRMS before 6.0.3 roll up patch 2, allows remote authenticated users to read and modify the. Rated low severity (CVSS 3.6), this vulnerability is low attack complexity. No vendor patch available.

Red Hat Privilege Escalation Jboss Enterprise Application Platform +1
NVD
EPSS 0% CVSS 4.0
MEDIUM This Month

The JBoss Application Server (WildFly) JacORB subsystem in Red Hat JBoss Enterprise Application Platform (EAP) before 6.3.3 does not properly assign socket-binding-ref sensitivity classification to. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Red Hat Information Disclosure Jboss Operations Network +1
NVD
EPSS 0% CVSS 4.0
MEDIUM This Month

The Role Based Access Control (RBAC) implementation in JBoss Enterprise Application Platform (EAP) 6.2.0 through 6.3.2 does not properly verify authorization conditions, which allows remote. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Jboss Enterprise Application Platform
NVD
EPSS 0% CVSS 3.5
LOW Monitor

The org.jboss.security.plugins.mapping.JBossMappingManager implementation in JBoss Security in Red Hat JBoss Enterprise Application Platform (EAP) before 6.3.3 uses the default security domain when a. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable. No vendor patch available.

Red Hat Privilege Escalation Jboss Enterprise Application Platform
NVD
EPSS 0% CVSS 2.1
LOW Monitor

JBoss SX and PicketBox, as used in Red Hat JBoss Enterprise Application Platform (EAP) before 6.2.3, use world-readable permissions on audit.log, which allows local users to obtain sensitive. Rated low severity (CVSS 2.1), this vulnerability is low attack complexity. No vendor patch available.

Red Hat Information Disclosure Jboss Enterprise Application Platform
NVD
EPSS 5% CVSS 7.5
HIGH PATCH This Week

RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0, does not disable external entities when the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

Red Hat XXE Jboss Enterprise Application Platform +1
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM This Month

The isCallerInRole function in SimpleSecurityManager in JBoss Application Server (AS) 7, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 6.3.0, does not properly check caller roles,. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable. No vendor patch available.

Red Hat Privilege Escalation Jboss Enterprise Application Platform
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) 6.2.0 and 6.3.0, does not properly enforce the method level restrictions for. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Red Hat Privilege Escalation Jboss Enterprise Application Platform
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

The org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory method in PicketLink, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 5.2.0 and 6.2.4, expands entity. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Red Hat XXE Information Disclosure +2
NVD
EPSS 2% CVSS 6.8
MEDIUM This Month

jmx-remoting.sar in JBoss Remoting, as used in Red Hat JBoss Enterprise Application Platform (JEAP) 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2, and Red Hat JBoss SOA. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

RCE Code Injection Red Hat +4
NVD
EPSS 75% 5.1 CVSS 6.8
MEDIUM POC PATCH THREAT This Month

Race condition in the mod_status module in the Apache HTTP Server before 2.4.10 allows remote attackers to cause a denial of service (heap-based buffer overflow), or possibly obtain sensitive. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 75.4%.

Race Condition Denial Of Service Buffer Overflow +8
NVD Exploit-DB
EPSS 41% CVSS 4.3
MEDIUM PATCH This Month

The deflate_in_filter function in mod_deflate.c in the mod_deflate module in the Apache HTTP Server before 2.4.10, when request body decompression is enabled, allows remote attackers to cause a. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Epss exploitation probability 41.3%.

Denial Of Service Apache Http Server +3
NVD
EPSS 1% CVSS 5.0
MEDIUM This Month

org.jboss.as.jaxrs.deployment.JaxrsIntegrationProcessor in Red Hat JBoss Enterprise Application Platform (JEAP) before 6.2.4 enables entity expansion, which allows remote attackers to read arbitrary. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Red Hat XXE Information Disclosure +1
NVD
EPSS 2% CVSS 6.8
MEDIUM This Month

org.jboss.seam.web.AuthenticationFilter in Red Hat JBoss Web Framework Kit 2.5.0, JBoss Enterprise Application Platform (JBEAP) 5.2.0, and JBoss Enterprise Web Platform (JBEWP) 5.2.0 allows remote. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

RCE Code Injection Red Hat +3
NVD
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Information Disclosure Apache Cxf +1
NVD
EPSS 2% CVSS 4.3
MEDIUM PATCH This Month

The SecurityTokenService (STS) in Apache CXF before 2.6.12 and 2.7.x before 2.7.9 does not properly validate SAML tokens when caching is enabled, which allows remote attackers to gain access via an. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Information Disclosure Apache Cxf +1
NVD
EPSS 90% 5.7 CVSS 7.4
HIGH POC PATCH THREAT Act Now

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and EPSS exploitation probability 89.7%.

Information Disclosure OpenSSL Jboss Enterprise Application Platform +14
NVD
EPSS 0% CVSS 5.8
MEDIUM This Month

Red Hat JBoss Enterprise Application Platform (JBEAP) 6.2.2, when using a Java Security Manager (JSM), does not properly apply permissions defined by a policy file, which causes applications to be. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. No vendor patch available.

Red Hat Privilege Escalation Java +1
NVD VulDB
EPSS 0% CVSS 1.9
LOW Monitor

The security audit functionality in Red Hat JBoss Enterprise Application Platform (EAP) 6.x before 6.2.1 logs request parameters in plaintext, which might allow local users to obtain passwords by. Rated low severity (CVSS 1.9). No vendor patch available.

Red Hat Information Disclosure Jboss Enterprise Application Platform
NVD
EPSS 0% CVSS 1.9
LOW Monitor

Red Hat JBoss Enterprise Application Platform (JBEAP) 6.2.0 and JBoss WildFly Application Server, when run under a security manager, do not properly restrict access to the Modular Service Container. Rated low severity (CVSS 1.9). No vendor patch available.

Red Hat Privilege Escalation Jboss Enterprise Application Platform +1
NVD
EPSS 0% CVSS 2.1
LOW Monitor

EC2 Amazon Machine Image (AMI) in JBoss Enterprise Application Platform (EAP) 5.1.2 uses 755 permissions for /var/cache/jboss-ec2-eap/, which allows local users to read sensitive information such as. Rated low severity (CVSS 2.1), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Jboss Enterprise Application Platform
NVD
EPSS 5% CVSS 7.5
HIGH PATCH This Week

The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

Tomcat Red Hat Apache +3
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) before 6.2.0, does not properly enforce the method level restrictions for JAX-WS. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Red Hat Privilege Escalation Jboss Enterprise Application Platform +1
NVD
EPSS 0% CVSS 3.7
LOW Monitor

Red Hat JBoss Enterprise Application Platform (EAP) before 6.1.0 and JBoss Portal before 6.1.0 does not load the implementation of a custom authorization module for a new application when an. Rated low severity (CVSS 3.7). No vendor patch available.

Red Hat Privilege Escalation Jboss Enterprise Application Platform +1
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

The org.apache.catalina.connector.Response.encodeURL method in Red Hat JBoss Web 7.1.x and earlier, when the tracking mode is set to COOKIE, sends the jsessionid in the URL of the first response of a. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

Red Hat Apache Information Disclosure +2
NVD
EPSS 1% CVSS 5.0
MEDIUM This Month

The org.jboss.remoting.transport.socket.ServerThread class in Red Hat JBoss Remoting for Red Hat JBoss SOA Platform 5.3.1 GA, Web Platform 5.2.0, Enterprise Application Platform 5.2.0, and other. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Red Hat Denial Of Service Jboss Enterprise Application Platform +3
NVD
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

The DiagnosticsHandler in JGroup 3.0.x, 3.1.x, 3.2.x before 3.2.9, and 3.3.x before 3.3.3 allows remote attackers to obtain sensitive information (diagnostic information) and execute arbitrary code. Rated medium severity (CVSS 5.4). This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure RCE Jgroup +1
NVD
EPSS 0% CVSS 1.9
LOW Monitor

PicketBox, as used in Red Hat JBoss Enterprise Application Platform before 6.1.1, allows local users to obtain the admin encryption key by reading the Vault data file. Rated low severity (CVSS 1.9). No vendor patch available.

Red Hat Hashicorp Information Disclosure +1
NVD
EPSS 10% CVSS 6.4
MEDIUM PATCH This Month

Apache CXF 2.5.x before 2.5.10, 2.6.x before CXF 2.6.7, and 2.7.x before CXF 2.7.4 does not verify that a specified cryptographic algorithm is allowed by the WS-SecurityPolicy AlgorithmSuite. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity.

Apache Information Disclosure Cxf +5
NVD
EPSS 1% CVSS 6.4
MEDIUM This Month

Red Hat JBoss Enterprise Application Platform (EAP) 6.1.0 does not properly cache EJB invocations by the EJB client API, which allows remote attackers to hijack sessions by using an EJB client. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Red Hat Authentication Bypass Jboss Enterprise Application Platform
NVD
EPSS 1% CVSS 6.4
MEDIUM This Month

Red Hat JBoss Enterprise Application Platform (EAP) 6.1.0 does not properly cache EJB invocations by remote-naming, which allows remote attackers to hijack sessions by using a remoting client. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Red Hat Information Disclosure Jboss Enterprise Application Platform
NVD
EPSS 24% CVSS 7.5
HIGH PATCH Act Now

ResourceBuilderImpl.java in the RichFaces 3.x through 5.x implementation in Red Hat JBoss Web Framework Kit before 2.3.0, Red Hat JBoss Web Platform through 5.2.0, Red Hat JBoss Enterprise. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 24.1%.

Red Hat Privilege Escalation Java +10
NVD
EPSS 39% CVSS 4.3
MEDIUM POC THREAT This Month

mod_dav.c in the Apache HTTP Server before 2.2.25 does not properly determine whether DAV is enabled for a URI, which allows remote attackers to cause a denial of service (segmentation fault) via a. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and EPSS exploitation probability 38.6%.

Denial Of Service Apache Http Server +9
NVD
EPSS 40% CVSS 5.1
MEDIUM PATCH This Month

mod_rewrite.c in the mod_rewrite module in the Apache HTTP Server 2.2.x before 2.2.25 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable. Epss exploitation probability 39.6%.

Apache Information Disclosure Http Server +9
NVD
EPSS 1% CVSS 7.5
HIGH This Week

The default configuration of the (1) LdapLoginModule and (2) LdapExtLoginModule modules in JBoss Enterprise Application Platform (EAP) 4.3.0 CP10, 5.2.0, and 6.0.1, and Enterprise Web Platform (EWP). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Jboss Enterprise Application Platform Jboss Enterprise Web Platform
NVD
EPSS 0% CVSS 2.1
LOW Monitor

The GUI installer in JBoss Enterprise Application Platform (EAP) and Enterprise Web Platform (EWP) 5.2.0 and possibly 5.1.2 uses world-readable permissions for the auto-install XML file, which allows. Rated low severity (CVSS 2.1), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Jboss Enterprise Application Platform Jboss Enterprise Web Platform
NVD
EPSS 1% CVSS 4.9
MEDIUM This Month

The AuthorizationInterceptor in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 does not properly. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable. No vendor patch available.

Privilege Escalation Jboss Enterprise Application Platform Jboss Enterprise Web Platform +1
NVD
EPSS 2% CVSS 5.8
MEDIUM This Month

The SecurityAssociation.getCredential method in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. No vendor patch available.

Privilege Escalation Jboss Enterprise Application Platform Jboss Enterprise Web Platform +1
NVD
EPSS 1% CVSS 4.0
MEDIUM This Month

The CallerIdentityLoginModule in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 allows remote. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable. No vendor patch available.

Privilege Escalation Jboss Enterprise Web Platform Jboss Enterprise Application Platform +1
NVD
EPSS 0% CVSS 2.1
LOW Monitor

The NonManagedConnectionFactory in JBoss Enterprise Application Platform (EAP) 5.1.2 and 5.2.0, Web Platform (EWP) 5.1.2 and 5.2.0, and BRMS Platform before 5.3.1 logs the username and password in. Rated low severity (CVSS 2.1), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Jboss Enterprise Application Platform Jboss Enterprise Web Platform +1
NVD
EPSS 1% CVSS 4.6
MEDIUM This Month

The JBoss Server in JBoss Enterprise Application Platform 5.1.x before 5.1.2 and 5.2.x before 5.2.2, Web Platform before 5.1.2, BRMS Platform before 5.3.0, and SOA Platform before 5.3.0, when the. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable. No vendor patch available.

Privilege Escalation Jboss Enterprise Application Platform Jboss Enterprise Brms Platform +2
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

mod_cluster 1.0.10 before 1.0.10 CP03 and 1.1.x before 1.1.4, as used in JBoss Enterprise Application Platform 5.1.2, when "ROOT" is set to excludedContexts, exposes the root context of the server,. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Privilege Escalation Jboss Enterprise Application Platform Mod Cluster
NVD
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy