Filtered by vendor Redhat
Subscriptions
Filtered by product Jboss Fuse
Subscriptions
Total
557 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-1271 | 3 Oracle, Redhat, Vmware | 30 Application Testing Suite, Big Data Discovery, Communications Converged Application Server and 27 more | 2024-09-16 | 5.9 Medium |
| Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack. | ||||
| CVE-2017-3156 | 2 Apache, Redhat | 3 Cxf, Jboss Amq, Jboss Fuse | 2024-09-16 | N/A |
| The OAuth2 Hawk and JOSE MAC Validation code in Apache CXF prior to 3.0.13 and 3.1.x prior to 3.1.10 is not using a constant time MAC signature comparison algorithm which may be exploited by sophisticated timing attacks. | ||||
| CVE-2020-5410 | 2 Redhat, Vmware | 2 Jboss Fuse, Spring Cloud Config | 2024-09-16 | 7.5 High |
| Spring Cloud Config, versions 2.2.x prior to 2.2.3, versions 2.1.x prior to 2.1.9, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack. | ||||
| CVE-2017-15095 | 5 Debian, Fasterxml, Netapp and 2 more | 31 Debian Linux, Jackson-databind, Oncommand Balance and 28 more | 2024-09-16 | 9.8 Critical |
| A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously. | ||||
| CVE-2018-1257 | 3 Oracle, Redhat, Vmware | 32 Agile Product Lifecycle Management, Application Testing Suite, Big Data Discovery and 29 more | 2024-09-16 | 6.5 Medium |
| Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack. | ||||
| CVE-2016-8739 | 2 Apache, Redhat | 3 Cxf, Jboss Amq, Jboss Fuse | 2024-09-16 | N/A |
| The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. These readers use Apache Abdera Parser which expands XML entities by default which represents a major XXE risk. | ||||
| CVE-2017-12633 | 2 Apache, Redhat | 3 Camel, Jboss Amq, Jboss Fuse | 2024-09-16 | N/A |
| The camel-hessian component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security flaws. | ||||
| CVE-2018-11771 | 3 Apache, Oracle, Redhat | 3 Commons Compress, Weblogic Server, Jboss Fuse | 2024-09-16 | 5.5 Medium |
| When reading a specially crafted ZIP archive, the read method of Apache Commons Compress 1.7 to 1.17's ZipArchiveInputStream can fail to return the correct EOF indication after the end of the stream has been reached. When combined with a java.io.InputStreamReader this can lead to an infinite stream, which can be used to mount a denial of service attack against services that use Compress' zip package. | ||||
| CVE-2022-25857 | 3 Debian, Redhat, Snakeyaml Project | 17 Debian Linux, Amq Broker, Amq Clients and 14 more | 2024-09-16 | 7.5 High |
| The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections. | ||||
| CVE-2019-3774 | 2 Pivotal Software, Redhat | 2 Spring Batch, Jboss Fuse | 2024-09-16 | N/A |
| Spring Batch versions 3.0.9, 4.0.1, 4.1.0, and older unsupported versions, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources. | ||||
| CVE-2016-6814 | 2 Apache, Redhat | 7 Groovy, Enterprise Linux, Enterprise Linux Server and 4 more | 2024-09-16 | N/A |
| When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects were subject to this vulnerability. | ||||
| CVE-2016-5397 | 2 Apache, Redhat | 3 Thrift, Jboss Data Virtualization, Jboss Fuse | 2024-09-16 | N/A |
| The Apache Thrift Go client library exposed the potential during code generation for command injection due to using an external formatting tool. Affected Apache Thrift 0.9.3 and older, Fixed in Apache Thrift 0.10.0. | ||||
| CVE-2020-28491 | 4 Fasterxml, Oracle, Quarkus and 1 more | 11 Jackson-dataformats-binary, Weblogic Server, Quarkus and 8 more | 2024-09-16 | 7.5 High |
| This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception. | ||||
| CVE-2017-7559 | 1 Redhat | 4 Jboss Amq, Jboss Enterprise Application Platform, Jboss Fuse and 1 more | 2024-09-16 | N/A |
| In Undertow 2.x before 2.0.0.Alpha2, 1.4.x before 1.4.17.Final, and 1.3.x before 1.3.31.Final, it was found that the fix for CVE-2017-2666 was incomplete and invalid characters are still allowed in the query string and path parameters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other than their own. | ||||
| CVE-2019-11272 | 3 Debian, Redhat, Vmware | 3 Debian Linux, Jboss Fuse, Spring Security | 2024-09-16 | 7.3 High |
| Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null". | ||||
| CVE-2018-1336 | 4 Apache, Canonical, Debian and 1 more | 12 Tomcat, Ubuntu Linux, Debian Linux and 9 more | 2024-09-16 | 7.5 High |
| An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86. | ||||
| CVE-2018-8034 | 5 Apache, Canonical, Debian and 2 more | 8 Tomcat, Ubuntu Linux, Debian Linux and 5 more | 2024-09-16 | N/A |
| The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88. | ||||
| CVE-2017-15089 | 2 Infinispan, Redhat | 6 Infinispan, Jboss Data Grid, Jboss Enterprise Application Platform and 3 more | 2024-09-16 | N/A |
| It was found that the Hotrod client in Infinispan before 9.2.0.CR1 would unsafely read deserialized data on information from the cache. An authenticated attacker could inject a malicious object into the data cache and attain deserialization on the client, and possibly conduct further attacks. | ||||
| CVE-2018-1270 | 4 Debian, Oracle, Redhat and 1 more | 29 Debian Linux, Application Testing Suite, Big Data Discovery and 26 more | 2024-09-16 | 9.8 Critical |
| Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. | ||||
| CVE-2017-12626 | 2 Apache, Redhat | 3 Poi, Jboss Amq, Jboss Fuse | 2024-09-16 | N/A |
| Apache POI in versions prior to release 3.17 are vulnerable to Denial of Service Attacks: 1) Infinite Loops while parsing crafted WMF, EMF, MSG and macros (POI bugs 61338 and 61294), and 2) Out of Memory Exceptions while parsing crafted DOC, PPT and XLS (POI bugs 52372 and 61295). | ||||