Filtered by vendor Redhat
Subscriptions
Filtered by product Jboss Enterprise Bpms Platform
Subscriptions
Total
205 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2022-4492 | 1 Redhat | 16 Build Of Quarkus, Camel Spring Boot, Integration Camel For Spring Boot and 13 more | 2024-08-03 | 7.5 High |
The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compulsory step (at least it should be performed by default) in https and in http/2. I would add it to any TLS client protocol. | ||||
CVE-2022-4245 | 2 Codehaus-plexus Project, Redhat | 23 Codehaus-plexus, A Mq Clients, Amq Broker and 20 more | 2024-08-03 | 4.3 Medium |
A flaw was found in codehaus-plexus. The org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment fails to sanitize comments for a --> sequence. This issue means that text contained in the command string could be interpreted as XML and allow for XML injection. | ||||
CVE-2022-4244 | 2 Codehaus-plexus Project, Redhat | 23 Codehaus-plexus, A Mq Clients, Amq Broker and 20 more | 2024-08-03 | 7.5 High |
A flaw was found in codeplex-codehaus. A directory traversal attack (also known as path traversal) aims to access files and directories stored outside the intended folder. By manipulating files with "dot-dot-slash (../)" sequences and their variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration, and other critical system files. | ||||
CVE-2022-3782 | 1 Redhat | 8 Amq Broker, Jboss Enterprise Bpms Platform, Keycloak and 5 more | 2024-08-03 | 9.1 Critical |
keycloak: path traversal via double URL encoding. A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. An attacker can use this flaw to construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain or possibly conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field. | ||||
CVE-2022-3509 | 2 Google, Redhat | 5 Protobuf-java, Protobuf-javalite, Jboss Enterprise Bpms Platform and 2 more | 2024-08-03 | 7.5 High |
A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above. | ||||
CVE-2022-3510 | 2 Google, Redhat | 5 Protobuf-java, Protobuf-javalite, Jboss Enterprise Bpms Platform and 2 more | 2024-08-03 | 7.5 High |
A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above. | ||||
CVE-2022-3171 | 3 Fedoraproject, Google, Redhat | 10 Fedora, Google-protobuf, Protobuf-java and 7 more | 2024-08-03 | 4.3 Medium |
A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above. | ||||
CVE-2022-3143 | 1 Redhat | 3 Jboss Enterprise Application Platform, Jboss Enterprise Bpms Platform, Wildfly Elytron | 2024-08-03 | 7.4 High |
wildfly-elytron: possible timing attacks via use of unsafe comparator. A flaw was found in Wildfly-elytron. Wildfly-elytron uses java.util.Arrays.equals in several places, which is unsafe and vulnerable to timing attacks. To compare values securely, use java.security.MessageDigest.isEqual instead. This flaw allows an attacker to access secure information or impersonate an authed user. | ||||
CVE-2022-2458 | 1 Redhat | 2 Jboss Enterprise Bpms Platform, Process Automation Manager | 2024-08-03 | 8.2 High |
XML external entity injection(XXE) is a vulnerability that allows an attacker to interfere with an application's processing of XML data. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. Here, XML external entity injection lead to External Service interaction & Internal file read in Business Central and also Kie-Server APIs. | ||||
CVE-2022-1650 | 3 Debian, Eventsource, Redhat | 11 Debian Linux, Eventsource, Ceph Storage and 8 more | 2024-08-03 | 8.1 High |
Improper Removal of Sensitive Information Before Storage or Transfer in GitHub repository eventsource/eventsource prior to v2.0.2. | ||||
CVE-2022-1415 | 1 Redhat | 16 Camel Quarkus, Camel Spring Boot, Decision Manager and 13 more | 2024-08-03 | 8.1 High |
A flaw was found where some utility classes in Drools core did not use proper safeguards when deserializing data. This flaw allows an authenticated attacker to construct malicious serialized objects (usually called gadgets) and achieve code execution on the server. | ||||
CVE-2022-1365 | 2 Cross-fetch Project, Redhat | 4 Cross-fetch, Acm, Jboss Enterprise Bpms Platform and 1 more | 2024-08-03 | 6.5 Medium |
Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository lquixada/cross-fetch prior to 3.1.5. | ||||
CVE-2022-0722 | 2 Parse-url Project, Redhat | 2 Parse-url, Jboss Enterprise Bpms Platform | 2024-08-02 | 7.5 High |
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository ionicabizau/parse-url prior to 7.0.0. | ||||
CVE-2022-0235 | 4 Debian, Node-fetch Project, Redhat and 1 more | 14 Debian Linux, Node-fetch, Acm and 11 more | 2024-08-02 | 6.1 Medium |
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor | ||||
CVE-2023-33201 | 2 Bouncycastle, Redhat | 10 Bc-java, Amq Broker, Amq Streams and 7 more | 2024-08-02 | 5.3 Medium |
Bouncy Castle For Java before 1.74 is affected by an LDAP injection vulnerability. The vulnerability only affects applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates. During the certificate validation process, Bouncy Castle inserts the certificate's Subject Name into an LDAP search filter without any escaping, which leads to an LDAP injection vulnerability. | ||||
CVE-2023-24998 | 3 Apache, Debian, Redhat | 7 Commons Fileupload, Debian Linux, Camel Spring Boot and 4 more | 2024-08-02 | 7.5 High |
Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured. | ||||
CVE-2023-20883 | 2 Redhat, Vmware | 5 Camel Spring Boot, Jboss Enterprise Bpms Platform, Jboss Fuse and 2 more | 2024-08-02 | 7.5 High |
In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache. | ||||
CVE-2023-20860 | 2 Redhat, Vmware | 9 Amq Broker, Camel Spring Boot, Jboss Enterprise Bpms Platform and 6 more | 2024-08-02 | 7.5 High |
Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass. | ||||
CVE-2023-20861 | 2 Redhat, Vmware | 8 Amq Broker, Camel Spring Boot, Jboss Enterprise Bpms Platform and 5 more | 2024-08-02 | 6.5 Medium |
In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition. | ||||
CVE-2023-6481 | 2 Qos, Redhat | 6 Logback, Amq Broker, Camel Spring Boot and 3 more | 2024-08-02 | 7.1 High |
A serialization vulnerability in logback receiver component part of logback version 1.4.13, 1.3.13 and 1.2.12 allows an attacker to mount a Denial-Of-Service attack by sending poisoned data. |