Filtered by vendor Redhat
Subscriptions
Filtered by product Jboss Enterprise Application Platform
Subscriptions
Total
543 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2015-0293 | 2 Openssl, Redhat | 8 Openssl, Enterprise Linux, Jboss Enterprise Application Platform and 5 more | 2024-11-21 | N/A |
| The SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a allows remote attackers to cause a denial of service (s2_lib.c assertion failure and daemon exit) via a crafted CLIENT-MASTER-KEY message. | ||||
| CVE-2015-0277 | 2 Picketlink, Redhat | 2 Picketlink, Jboss Enterprise Application Platform | 2024-11-21 | N/A |
| The Service Provider (SP) in PicketLink before 2.7.0 does not ensure that it is a member of an Audience element when an AudienceRestriction is specified, which allows remote attackers to log in to other users' accounts via a crafted SAML assertion. NOTE: this identifier has been SPLIT per ADT2 due to different vulnerability types. See CVE-2015-6254 for lack of validation for the Destination attribute in a Response element in a SAML assertion. | ||||
| CVE-2015-0254 | 3 Apache, Canonical, Redhat | 5 Standard Taglibs, Ubuntu Linux, Enterprise Linux and 2 more | 2024-11-21 | N/A |
| Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a (1) <x:parse> or (2) <x:transform> JSTL XML tag. | ||||
| CVE-2015-0227 | 2 Apache, Redhat | 6 Wss4j, Jboss Amq, Jboss Data Grid and 3 more | 2024-11-21 | N/A |
| Apache WSS4J before 1.6.17 and 2.x before 2.0.2 allows remote attackers to bypass the requireSignedEncryptedDataElements configuration via a vectors related to "wrapping attacks." | ||||
| CVE-2015-0226 | 2 Apache, Redhat | 7 Wss4j, Jboss Amq, Jboss Data Grid and 4 more | 2024-11-21 | N/A |
| Apache WSS4J before 1.6.17 and 2.0.x before 2.0.2 improperly leaks information about decryption failures when decrypting an encrypted key or message data, which makes it easier for remote attackers to recover the plaintext form of a symmetric key via a series of crafted messages. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-2487. | ||||
| CVE-2015-0204 | 2 Openssl, Redhat | 4 Openssl, Enterprise Linux, Jboss Enterprise Application Platform and 1 more | 2024-11-21 | N/A |
| The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role, related to the "FREAK" issue. NOTE: the scope of this CVE is only client code based on OpenSSL, not EXPORT_RSA issues associated with servers or other TLS implementations. | ||||
| CVE-2014-9970 | 2 Jasypt Project, Redhat | 8 Jasypt, Enterprise Linux, Jboss Bpms and 5 more | 2024-11-21 | N/A |
| jasypt before 1.9.2 allows a timing attack against the password hash comparison. | ||||
| CVE-2014-8122 | 1 Redhat | 7 Jboss Bpms, Jboss Brms, Jboss Data Grid and 4 more | 2024-11-21 | N/A |
| Race condition in JBoss Weld before 2.2.8 and 3.x before 3.0.0 Alpha3 allows remote attackers to obtain information from a previous conversation via vectors related to a stale thread state. | ||||
| CVE-2014-8111 | 2 Apache, Redhat | 3 Tomcat Connectors, Jboss Enterprise Application Platform, Jboss Enterprise Web Server | 2024-11-21 | N/A |
| Apache Tomcat Connectors (mod_jk) before 1.2.41 ignores JkUnmount rules for subtrees of previous JkMount rules, which allows remote attackers to access otherwise restricted artifacts via unspecified vectors. | ||||
| CVE-2014-7853 | 1 Redhat | 2 Jboss Enterprise Application Platform, Jboss Operations Network | 2024-11-21 | N/A |
| The JBoss Application Server (WildFly) JacORB subsystem in Red Hat JBoss Enterprise Application Platform (EAP) before 6.3.3 does not properly assign socket-binding-ref sensitivity classification to the security-domain attribute, which allows remote authenticated users to obtain sensitive information by leveraging access to the security-domain attribute. | ||||
| CVE-2014-7849 | 1 Redhat | 2 Jboss Enterprise Application Platform, Jboss Operations Network | 2024-11-21 | N/A |
| The Role Based Access Control (RBAC) implementation in JBoss Enterprise Application Platform (EAP) 6.2.0 through 6.3.2 does not properly verify authorization conditions, which allows remote authenticated users to add, modify, and undefine otherwise restricted attributes by leveraging the Maintainer role. | ||||
| CVE-2014-7839 | 1 Redhat | 7 Jboss Bpms, Jboss Brms, Jboss Data Grid and 4 more | 2024-11-21 | N/A |
| DocumentProvider in RESTEasy 2.3.7 and 3.0.9 does not configure the (1) external-general-entities or (2) external-parameter-entities features, which allows remote attackers to conduct XML external entity (XXE) attacks via unspecified vectors. | ||||
| CVE-2014-7827 | 1 Redhat | 3 Jboss Bpms, Jboss Brms, Jboss Enterprise Application Platform | 2024-11-21 | N/A |
| The org.jboss.security.plugins.mapping.JBossMappingManager implementation in JBoss Security in Red Hat JBoss Enterprise Application Platform (EAP) before 6.3.3 uses the default security domain when a security domain is undefined, which allows remote authenticated users to bypass intended access restrictions by leveraging credentials on the default domain for a role that is also on the application domain. | ||||
| CVE-2014-3623 | 2 Apache, Redhat | 8 Cxf, Wss4j, Jboss Amq and 5 more | 2024-11-21 | N/A |
| Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vectors. | ||||
| CVE-2014-3586 | 1 Redhat | 2 Jboss Enterprise Application Platform, Jboss Enterprise Portal Platform | 2024-11-21 | N/A |
| The default configuration for the Command Line Interface in Red Hat Enterprise Application Platform before 6.4.0 and WildFly (formerly JBoss Application Server) uses weak permissions for .jboss-cli-history, which allows local users to obtain sensitive information via unspecified vectors. | ||||
| CVE-2014-3577 | 2 Apache, Redhat | 18 Httpasyncclient, Httpclient, Enterprise Linux and 15 more | 2024-11-21 | N/A |
| org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field. | ||||
| CVE-2014-3570 | 2 Openssl, Redhat | 4 Openssl, Enterprise Linux, Jboss Enterprise Application Platform and 1 more | 2024-11-21 | N/A |
| The BN_sqr implementation in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not properly calculate the square of a BIGNUM value, which might make it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors, related to crypto/bn/asm/mips.pl, crypto/bn/asm/x86_64-gcc.c, and crypto/bn/bn_asm.c. | ||||
| CVE-2014-3566 | 11 Apple, Debian, Fedoraproject and 8 more | 28 Mac Os X, Debian Linux, Fedora and 25 more | 2024-11-21 | 3.4 Low |
| The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue. | ||||
| CVE-2014-3558 | 1 Redhat | 6 Hibernate Validator, Jboss Bpms, Jboss Brms and 3 more | 2024-11-21 | N/A |
| ReflectionHelper (org.hibernate.validator.util.ReflectionHelper) in Hibernate Validator 4.1.0 before 4.2.1, 4.3.x before 4.3.2, and 5.x before 5.1.2 allows attackers to bypass Java Security Manager (JSM) restrictions and execute restricted reflection calls via a crafted application. | ||||
| CVE-2014-3530 | 1 Redhat | 10 Jboss Bpms, Jboss Brms, Jboss Data Grid and 7 more | 2024-11-21 | N/A |
| The org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory method in PicketLink, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 5.2.0 and 6.2.4, expands entity references, which allows remote attackers to read arbitrary code and possibly have other unspecified impact via unspecified vectors, related to an XML External Entity (XXE) issue. | ||||