Filtered by vendor Redhat
Subscriptions
Filtered by product Jboss Enterprise Application Platform
Subscriptions
Total
528 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-16869 | 4 Canonical, Debian, Netty and 1 more | 14 Ubuntu Linux, Debian Linux, Netty and 11 more | 2024-08-05 | 7.5 High |
| Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling. | ||||
| CVE-2019-16942 | 6 Debian, Fasterxml, Fedoraproject and 3 more | 37 Debian Linux, Jackson-databind, Fedora and 34 more | 2024-08-05 | 9.8 Critical |
| A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling. | ||||
| CVE-2019-16943 | 6 Debian, Fasterxml, Fedoraproject and 3 more | 36 Debian Linux, Jackson-databind, Fedora and 33 more | 2024-08-05 | 9.8 Critical |
| A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling. | ||||
| CVE-2019-16335 | 6 Debian, Fasterxml, Fedoraproject and 3 more | 26 Debian Linux, Jackson-databind, Fedora and 23 more | 2024-08-05 | 9.8 Critical |
| A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540. | ||||
| CVE-2019-14885 | 1 Redhat | 3 Jboss Enterprise Application Platform, Jboss Single Sign On, Single Sign-on | 2024-08-05 | 4.3 Medium |
| A flaw was found in the JBoss EAP Vault system in all versions before 7.2.6.GA. Confidential information of the system property's security attribute value is revealed in the JBoss EAP log file when executing a JBoss CLI 'reload' command. This flaw can lead to the exposure of confidential information. | ||||
| CVE-2019-14893 | 4 Fasterxml, Netapp, Oracle and 1 more | 12 Jackson-databind, Oncommand Api Services, Steelstore Cloud Integrated Storage and 9 more | 2024-08-05 | 9.8 Critical |
| A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code. | ||||
| CVE-2019-14887 | 1 Redhat | 8 Jboss Data Grid, Jboss Enterprise Application Platform, Jboss Enterprise Application Platform Cd and 5 more | 2024-08-05 | 9.1 Critical |
| A flaw was found when an OpenSSL security provider is used with Wildfly, the 'enabled-protocols' value in the Wildfly configuration isn't honored. An attacker could target the traffic sent from Wildfly and downgrade the connection to a weaker version of TLS, potentially breaking the encryption. This could lead to a leak of the data being passed over the network. Wildfly version 7.2.0.GA, 7.2.3.GA and 7.2.5.CR2 are believed to be vulnerable. | ||||
| CVE-2019-14892 | 3 Apache, Fasterxml, Redhat | 13 Geode, Jackson-databind, Decision Manager and 10 more | 2024-08-05 | 9.8 Critical |
| A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code. | ||||
| CVE-2019-14888 | 2 Netapp, Redhat | 10 Active Iq Unified Manager, Jboss Data Grid, Jboss Enterprise Application Platform and 7 more | 2024-08-05 | 7.5 High |
| A vulnerability was found in the Undertow HTTP server in versions before 2.0.28.SP1 when listening on HTTPS. An attacker can target the HTTPS port to carry out a Denial Of Service (DOS) to make the service unavailable on SSL. | ||||
| CVE-2019-14820 | 1 Redhat | 7 Jboss Enterprise Application Platform, Jboss Fuse, Jboss Single Sign On and 4 more | 2024-08-05 | 4.3 Medium |
| It was found that keycloak before version 8.0.0 exposes internal adapter endpoints in org.keycloak.constants.AdapterConstants, which can be invoked via a specially-crafted URL. This vulnerability could allow an attacker to access unauthorized information. | ||||
| CVE-2019-14838 | 1 Redhat | 10 Data Grid, Enterprise Linux, Jboss Data Grid and 7 more | 2024-08-05 | 4.9 Medium |
| A flaw was found in wildfly-core before 7.2.5.GA. The Management users with Monitor, Auditor and Deployer Roles should not be allowed to modify the runtime state of the server | ||||
| CVE-2019-14900 | 3 Hibernate, Quarkus, Redhat | 17 Hibernate Orm, Quarkus, Build Of Quarkus and 14 more | 2024-08-05 | 6.5 Medium |
| A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. | ||||
| CVE-2019-14843 | 1 Redhat | 5 Jboss Enterprise Application Platform, Jboss Enterprise Application Platform Eus, Jboss Single Sign On and 2 more | 2024-08-05 | 8.8 High |
| A flaw was found in Wildfly Security Manager, running under JDK 11 or 8, that authorized requests for any requester. This flaw could be used by a malicious app deployed on the app server to access unauthorized information and possibly conduct further attacks. Versions shipped with Red Hat Jboss EAP 7 and Red Hat SSO 7 are vulnerable to this issue. | ||||
| CVE-2019-14540 | 6 Debian, Fasterxml, Fedoraproject and 3 more | 28 Debian Linux, Jackson-databind, Fedora and 25 more | 2024-08-05 | 9.8 Critical |
| A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig. | ||||
| CVE-2019-14379 | 7 Apple, Debian, Fasterxml and 4 more | 37 Xcode, Debian Linux, Jackson-databind and 34 more | 2024-08-05 | 9.8 Critical |
| SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution. | ||||
| CVE-2019-12814 | 3 Debian, Fasterxml, Redhat | 12 Debian Linux, Jackson-databind, Amq Streams and 9 more | 2024-08-04 | 5.9 Medium |
| A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server. | ||||
| CVE-2019-12400 | 3 Apache, Oracle, Redhat | 6 Santuario Xml Security For Java, Weblogic Server, Jboss Enterprise Application Platform and 3 more | 2024-08-04 | 5.5 Medium |
| In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this implementation might be cached and re-used by Apache Santuario - XML Security for Java, leading to potential security flaws when validating signed documents, etc. The vulnerability affects Apache Santuario - XML Security for Java 2.0.x releases from 2.0.3 and all 2.1.x releases before 2.1.4. | ||||
| CVE-2019-12423 | 3 Apache, Oracle, Redhat | 14 Cxf, Commerce Guided Search, Communications Diameter Signaling Router and 11 more | 2024-08-04 | 7.5 High |
| Apache CXF ships with a OpenId Connect JWK Keys service, which allows a client to obtain the public keys in JWK format, which can then be used to verify the signature of tokens issued by the service. Typically, the service obtains the public key from a local keystore (JKS/PKCS12) by specifing the path of the keystore and the alias of the keystore entry. This case is not vulnerable. However it is also possible to obtain the keys from a JWK keystore file, by setting the configuration parameter "rs.security.keystore.type" to "jwk". For this case all keys are returned in this file "as is", including all private key and secret key credentials. This is an obvious security risk if the user has configured the signature keystore file with private or secret key credentials. From CXF 3.3.5 and 3.2.12, it is mandatory to specify an alias corresponding to the id of the key in the JWK file, and only this key is returned. In addition, any private key information is omitted by default. "oct" keys, which contain secret keys, are not returned at all. | ||||
| CVE-2019-12384 | 3 Debian, Fasterxml, Redhat | 12 Debian Linux, Jackson-databind, Amq Streams and 9 more | 2024-08-04 | 5.9 Medium |
| FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible. | ||||
| CVE-2019-12086 | 3 Debian, Fasterxml, Redhat | 12 Debian Linux, Jackson-databind, Amq Streams and 9 more | 2024-08-04 | 7.5 High |
| A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation. | ||||