Filtered by vendor Redhat
Subscriptions
Filtered by product Jboss Fuse
Subscriptions
Total
560 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-14297 | 1 Redhat | 9 A Mq Clients, Amq, Jboss-ejb-client and 6 more | 2024-11-21 | 6.5 Medium |
| A flaw was discovered in Wildfly's EJB Client as shipped with Red Hat JBoss EAP 7, where some specific EJB transaction objects may get accumulated over the time and can cause services to slow down and eventaully unavailable. An attacker can take advantage and cause denial of service attack and make services unavailable. | ||||
| CVE-2020-14195 | 5 Debian, Fasterxml, Netapp and 2 more | 17 Debian Linux, Jackson-databind, Active Iq Unified Manager and 14 more | 2024-11-21 | 8.1 High |
| FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity). | ||||
| CVE-2020-14062 | 5 Debian, Fasterxml, Netapp and 2 more | 18 Debian Linux, Jackson-databind, Active Iq Unified Manager and 15 more | 2024-11-21 | 8.1 High |
| FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2). | ||||
| CVE-2020-14061 | 5 Debian, Fasterxml, Netapp and 2 more | 20 Debian Linux, Jackson-databind, Active Iq Unified Manager and 17 more | 2024-11-21 | 8.1 High |
| FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms). | ||||
| CVE-2020-14060 | 4 Fasterxml, Netapp, Oracle and 1 more | 17 Jackson-databind, Active Iq Unified Manager, Steelstore Cloud Integrated Storage and 14 more | 2024-11-21 | 8.1 High |
| FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill). | ||||
| CVE-2020-14040 | 3 Fedoraproject, Golang, Redhat | 16 Fedora, Text, 3scale Amp and 13 more | 2024-11-21 | 7.5 High |
| The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String. | ||||
| CVE-2020-13956 | 5 Apache, Netapp, Oracle and 2 more | 27 Httpclient, Active Iq Unified Manager, Snapcenter and 24 more | 2024-11-21 | 5.3 Medium |
| Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution. | ||||
| CVE-2020-13954 | 4 Apache, Netapp, Oracle and 1 more | 8 Cxf, Snap Creator Framework, Vasa Provider For Clustered Data Ontap and 5 more | 2024-11-21 | 6.1 Medium |
| By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath, which allows a malicious actor to inject javascript into the web page. This vulnerability affects all versions of Apache CXF prior to 3.4.1 and 3.3.8. Please note that this is a separate issue to CVE-2019-17573. | ||||
| CVE-2020-13949 | 3 Apache, Oracle, Redhat | 6 Hive, Thrift, Communications Cloud Native Core Network Slice Selection Function and 3 more | 2024-11-21 | 7.5 High |
| In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service. | ||||
| CVE-2020-13943 | 4 Apache, Debian, Oracle and 1 more | 7 Tomcat, Debian Linux, Instantis Enterprisetrack and 4 more | 2024-11-21 | 4.3 Medium |
| If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources. | ||||
| CVE-2020-13936 | 4 Apache, Debian, Oracle and 1 more | 21 Velocity Engine, Wss4j, Debian Linux and 18 more | 2024-11-21 | 8.8 High |
| An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2. | ||||
| CVE-2020-13935 | 8 Apache, Canonical, Debian and 5 more | 23 Tomcat, Ubuntu Linux, Debian Linux and 20 more | 2024-11-21 | 7.5 High |
| The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service. | ||||
| CVE-2020-13934 | 7 Apache, Canonical, Debian and 4 more | 17 Tomcat, Ubuntu Linux, Debian Linux and 14 more | 2024-11-21 | 7.5 High |
| An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service. | ||||
| CVE-2020-13933 | 3 Apache, Debian, Redhat | 4 Shiro, Debian Linux, Jboss Amq and 1 more | 2024-11-21 | 7.5 High |
| Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass. | ||||
| CVE-2020-13920 | 4 Apache, Debian, Oracle and 1 more | 7 Activemq, Debian Linux, Communications Diameter Signaling Router and 4 more | 2024-11-21 | 5.9 Medium |
| Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI registry and binds the server to the "jmxrmi" entry. It is possible to connect to the registry without authentication and call the rebind method to rebind jmxrmi to something else. If an attacker creates another server to proxy the original, and bound that, he effectively becomes a man in the middle and is able to intercept the credentials when an user connects. Upgrade to Apache ActiveMQ 5.15.12. | ||||
| CVE-2020-13692 | 6 Debian, Fedoraproject, Netapp and 3 more | 14 Debian Linux, Fedora, Steelstore Cloud Integrated Storage and 11 more | 2024-11-21 | 7.7 High |
| PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE. | ||||
| CVE-2020-11996 | 7 Apache, Canonical, Debian and 4 more | 11 Tomcat, Ubuntu Linux, Debian Linux and 8 more | 2024-11-21 | 7.5 High |
| A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive. | ||||
| CVE-2020-11994 | 3 Apache, Oracle, Redhat | 5 Camel, Communications Diameter Signaling Router, Enterprise Manager Base Platform and 2 more | 2024-11-21 | 7.5 High |
| Server-Side Template Injection and arbitrary file disclosure on Camel templating components | ||||
| CVE-2020-11989 | 2 Apache, Redhat | 2 Shiro, Jboss Fuse | 2024-11-21 | 9.8 Critical |
| Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass. | ||||
| CVE-2020-11988 | 3 Apache, Fedoraproject, Redhat | 5 Xmlgraphics Commons, Fedora, Jboss Enterprise Bpms Platform and 2 more | 2024-11-21 | 8.2 High |
| Apache XmlGraphics Commons 2.4 and earlier is vulnerable to server-side request forgery, caused by improper input validation by the XMPParser. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. Users should upgrade to 2.6 or later. | ||||