Vulnerabilities > CVE-2020-1719 - Unspecified vulnerability in Redhat Wildfly
Attack vector
NETWORK Attack complexity
LOW Privileges required
LOW Confidentiality impact
LOW Integrity impact
LOW Availability impact
NONE Summary
A flaw was found in wildfly. The EJBContext principle is not popped back after invoking another EJB using a different Security Domain. The highest threat from this vulnerability is to data confidentiality and integrity. Versions before wildfly 20.0.0.Final are affected.
Vulnerable Configurations
Nessus
NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2020-2060.NASL description The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:2060 advisory. - jackson-mapper-asl: XML external entity similar to CVE-2016-3720 (CVE-2019-10172) - cxf: OpenId Connect token service does not properly validate the clientId (CVE-2019-12423) - cxf: reflected XSS in the services listing page (CVE-2019-17573) - undertow: Memory exhaustion issue in HttpReadListener via Expect: 100-continue header (CVE-2020-10705) - undertow: invalid HTTP request with large chunk size (CVE-2020-10719) - Wildfly: EJBContext principal is not popped back after invoking another EJB using a different Security Domain (CVE-2020-1719) - SmallRye: SecuritySupport class is incorrectly public and contains a static method to access the current threads context class loader (CVE-2020-1729) - Soteria: security identity corruption across concurrent threads (CVE-2020-1732) - undertow: AJP File Read/Inclusion Vulnerability (CVE-2020-1745) - undertow: servletPath is normalized incorrectly leading to dangerous application mapping which could result in security bypass (CVE-2020-1757) - cryptacular: excessive memory allocation during a decode operation (CVE-2020-7226) Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-05-15 modified 2020-05-12 plugin id 136495 published 2020-05-12 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/136495 title RHEL 8 : Red Hat JBoss Enterprise Application Platform 7.2.8 on RHEL 8 (RHSA-2020:2060) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2020-2058.NASL description The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:2058 advisory. - jackson-mapper-asl: XML external entity similar to CVE-2016-3720 (CVE-2019-10172) - cxf: OpenId Connect token service does not properly validate the clientId (CVE-2019-12423) - cxf: reflected XSS in the services listing page (CVE-2019-17573) - undertow: Memory exhaustion issue in HttpReadListener via Expect: 100-continue header (CVE-2020-10705) - undertow: invalid HTTP request with large chunk size (CVE-2020-10719) - Wildfly: EJBContext principal is not popped back after invoking another EJB using a different Security Domain (CVE-2020-1719) - SmallRye: SecuritySupport class is incorrectly public and contains a static method to access the current threads context class loader (CVE-2020-1729) - Soteria: security identity corruption across concurrent threads (CVE-2020-1732) - undertow: AJP File Read/Inclusion Vulnerability (CVE-2020-1745) - undertow: servletPath is normalized incorrectly leading to dangerous application mapping which could result in security bypass (CVE-2020-1757) - cryptacular: excessive memory allocation during a decode operation (CVE-2020-7226) Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-05-15 modified 2020-05-12 plugin id 136494 published 2020-05-12 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/136494 title RHEL 6 : Red Hat JBoss Enterprise Application Platform 7.2.8 on RHEL 6 (RHSA-2020:2058) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2020-2059.NASL description The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:2059 advisory. - jackson-mapper-asl: XML external entity similar to CVE-2016-3720 (CVE-2019-10172) - cxf: OpenId Connect token service does not properly validate the clientId (CVE-2019-12423) - cxf: reflected XSS in the services listing page (CVE-2019-17573) - undertow: Memory exhaustion issue in HttpReadListener via Expect: 100-continue header (CVE-2020-10705) - undertow: invalid HTTP request with large chunk size (CVE-2020-10719) - Wildfly: EJBContext principal is not popped back after invoking another EJB using a different Security Domain (CVE-2020-1719) - SmallRye: SecuritySupport class is incorrectly public and contains a static method to access the current threads context class loader (CVE-2020-1729) - Soteria: security identity corruption across concurrent threads (CVE-2020-1732) - undertow: AJP File Read/Inclusion Vulnerability (CVE-2020-1745) - undertow: servletPath is normalized incorrectly leading to dangerous application mapping which could result in security bypass (CVE-2020-1757) - cryptacular: excessive memory allocation during a decode operation (CVE-2020-7226) Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-05-15 modified 2020-05-12 plugin id 136498 published 2020-05-12 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/136498 title RHEL 7 : Red Hat JBoss Enterprise Application Platform 7.2.8 on RHEL 7 (RHSA-2020:2059)
Redhat
rpms |
|