Filtered by vendor Redhat Subscriptions
Filtered by product Jboss Data Virtualization Subscriptions
Total 64 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2023-1932 1 Redhat 20 A Mq Clients, Amq Broker, Amq Online and 17 more 2024-11-08 6.1 Medium
A flaw was found in hibernate-validator's 'isValid' method in the org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator class, which can be bypassed by omitting the tag ending in a less-than character. Browsers may render an invalid html, allowing HTML injection or Cross-Site-Scripting (XSS) attacks.
CVE-2022-1415 1 Redhat 16 Camel Quarkus, Camel Spring Boot, Decision Manager and 13 more 2024-09-25 8.1 High
A flaw was found where some utility classes in Drools core did not use proper safeguards when deserializing data. This flaw allows an authenticated attacker to construct malicious serialized objects (usually called gadgets) and achieve code execution on the server.
CVE-2018-1335 2 Apache, Redhat 2 Tika, Jboss Data Virtualization 2024-09-17 N/A
From Apache Tika versions 1.7 to 1.17, clients could send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server. This vulnerability only affects those running tika-server on a server that is open to untrusted clients. The mitigation is to upgrade to Tika 1.18.
CVE-2017-7525 5 Debian, Fasterxml, Netapp and 2 more 30 Debian Linux, Jackson-databind, Oncommand Balance and 27 more 2024-09-17 9.8 Critical
A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.
CVE-2017-5637 3 Apache, Debian, Redhat 5 Zookeeper, Debian Linux, Jboss Bpms and 2 more 2024-09-17 N/A
Two four letter word commands "wchp/wchc" are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests. Apache ZooKeeper thru version 3.4.9 and 3.5.2 suffer from this issue, fixed in 3.4.10, 3.5.3, and later.
CVE-2016-6814 2 Apache, Redhat 7 Groovy, Enterprise Linux, Enterprise Linux Server and 4 more 2024-09-16 N/A
When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects were subject to this vulnerability.
CVE-2016-5397 2 Apache, Redhat 3 Thrift, Jboss Data Virtualization, Jboss Fuse 2024-09-16 N/A
The Apache Thrift Go client library exposed the potential during code generation for command injection due to using an external formatting tool. Affected Apache Thrift 0.9.3 and older, Fixed in Apache Thrift 0.10.0.
CVE-2012-6153 2 Apache, Redhat 13 Commons-httpclient, Developer Toolset, Jboss Bpms and 10 more 2024-08-06 N/A
http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5783.
CVE-2013-7285 2 Redhat, Xstream Project 15 Fuse Esb Enterprise, Fuse Management Console, Fuse Mq Enterprise and 12 more 2024-08-06 9.8 Critical
Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. e.g. JSON.
CVE-2013-5855 2 Oracle, Redhat 8 Mojarra, Jboss Bpms, Jboss Brms and 5 more 2024-08-06 N/A
Oracle Mojarra 2.2.x before 2.2.6 and 2.1.x before 2.1.28 does not perform appropriate encoding when a (1) <h:outputText> tag or (2) EL expression is used after a scriptor style block, which allows remote attackers to conduct cross-site scripting (XSS) attacks via application-specific vectors.
CVE-2013-4517 2 Apache, Redhat 10 Santuario Xml Security For Java, Jboss Bpms, Jboss Brms and 7 more 2024-08-06 N/A
Apache Santuario XML Security for Java before 1.5.6, when applying Transforms, allows remote attackers to cause a denial of service (memory consumption) via crafted Document Type Definitions (DTDs), related to signatures.
CVE-2013-4286 2 Apache, Redhat 11 Tomcat, Enterprise Linux, Jboss Bpms and 8 more 2024-08-06 N/A
Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x before 8.0.0-RC3, when an HTTP connector or AJP connector is used, does not properly handle certain inconsistent HTTP request headers, which allows remote attackers to trigger incorrect identification of a request's length and conduct request-smuggling attacks via (1) multiple Content-Length headers or (2) a Content-Length header and a "Transfer-Encoding: chunked" header. NOTE: this vulnerability exists because of an incomplete fix for CVE-2005-2090.
CVE-2013-4002 10 Apache, Canonical, Hp and 7 more 31 Xerces2 Java, Ubuntu Linux, Hp-ux and 28 more 2024-08-06 N/A
XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier, and possibly other products allows remote attackers to cause a denial of service via vectors related to XML attribute names.
CVE-2013-2035 1 Redhat 12 Fuse Mq Enterprise, Hawtjni, Jboss Amq and 9 more 2024-08-06 N/A
Race condition in hawtjni-runtime/src/main/java/org/fusesource/hawtjni/runtime/Library.java in HawtJNI before 1.8, when a custom library path is not specified, allows local users to execute arbitrary Java code by overwriting a temporary JAR file with a predictable name in /tmp.
CVE-2014-9527 3 Apache, Fedoraproject, Redhat 3 Poi, Fedora, Jboss Data Virtualization 2024-08-06 N/A
HSLFSlideShow in Apache POI before 3.11 allows remote attackers to cause a denial of service (infinite loop and deadlock) via a crafted PPT file.
CVE-2014-8122 1 Redhat 7 Jboss Bpms, Jboss Brms, Jboss Data Grid and 4 more 2024-08-06 N/A
Race condition in JBoss Weld before 2.2.8 and 3.x before 3.0.0 Alpha3 allows remote attackers to obtain information from a previous conversation via vectors related to a stale thread state.
CVE-2014-7839 1 Redhat 7 Jboss Bpms, Jboss Brms, Jboss Data Grid and 4 more 2024-08-06 N/A
DocumentProvider in RESTEasy 2.3.7 and 3.0.9 does not configure the (1) external-general-entities or (2) external-parameter-entities features, which allows remote attackers to conduct XML external entity (XXE) attacks via unspecified vectors.
CVE-2014-3578 2 Pivotal Software, Redhat 5 Spring Framework, Jboss Bpms, Jboss Brms and 2 more 2024-08-06 N/A
Directory traversal vulnerability in Pivotal Spring Framework 3.x before 3.2.9 and 4.0 before 4.0.5 allows remote attackers to read arbitrary files via a crafted URL.
CVE-2014-3574 2 Apache, Redhat 6 Poi, Jboss Bpms, Jboss Brms and 3 more 2024-08-06 N/A
Apache POI before 3.10.1 and 3.11.x before 3.11-beta2 allows remote attackers to cause a denial of service (CPU consumption and crash) via a crafted OOXML file, aka an XML Entity Expansion (XEE) attack.
CVE-2014-3623 2 Apache, Redhat 8 Cxf, Wss4j, Jboss Amq and 5 more 2024-08-06 N/A
Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vectors.