Vulnerabilities > Redhat > Jboss Enterprise Application Platform > 4.0.0
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2015-04-21 | CVE-2014-3586 | Permissions, Privileges, and Access Controls vulnerability in Redhat Jboss Enterprise Application Platform The default configuration for the Command Line Interface in Red Hat Enterprise Application Platform before 6.4.0 and WildFly (formerly JBoss Application Server) uses weak permissions for .jboss-cli-history, which allows local users to obtain sensitive information via unspecified vectors. | 2.1 |
2015-02-13 | CVE-2014-7853 | Information Exposure vulnerability in Redhat products The JBoss Application Server (WildFly) JacORB subsystem in Red Hat JBoss Enterprise Application Platform (EAP) before 6.3.3 does not properly assign socket-binding-ref sensitivity classification to the security-domain attribute, which allows remote authenticated users to obtain sensitive information by leveraging access to the security-domain attribute. | 4.0 |
2015-02-13 | CVE-2014-7827 | Permissions, Privileges, and Access Controls vulnerability in Redhat Jboss Enterprise Application Platform The org.jboss.security.plugins.mapping.JBossMappingManager implementation in JBoss Security in Red Hat JBoss Enterprise Application Platform (EAP) before 6.3.3 uses the default security domain when a security domain is undefined, which allows remote authenticated users to bypass intended access restrictions by leveraging credentials on the default domain for a role that is also on the application domain. | 3.5 |
2014-11-17 | CVE-2014-0059 | Information Exposure vulnerability in Redhat Jboss Enterprise Application Platform JBoss SX and PicketBox, as used in Red Hat JBoss Enterprise Application Platform (EAP) before 6.2.3, use world-readable permissions on audit.log, which allows local users to obtain sensitive information by reading this file. | 2.1 |
2014-07-07 | CVE-2014-3481 | Information Exposure vulnerability in Redhat Jboss Enterprise Application Platform org.jboss.as.jaxrs.deployment.JaxrsIntegrationProcessor in Red Hat JBoss Enterprise Application Platform (JEAP) before 6.2.4 enables entity expansion, which allows remote attackers to read arbitrary files via unspecified vectors, related to an XML External Entity (XXE) issue. | 5.0 |
2014-02-10 | CVE-2011-4610 | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Redhat products JBoss Web, as used in Red Hat JBoss Communications Platform before 5.1.3, Enterprise Web Platform before 5.1.2, Enterprise Application Platform before 5.1.2, and other products, allows remote attackers to cause a denial of service (infinite loop) via vectors related to a crafted UTF-8 and a "surrogate pair character" that is "at the boundary of an internal buffer." | 5.0 |
2013-12-06 | CVE-2013-2133 | Permissions, Privileges, and Access Controls vulnerability in Redhat products The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) before 6.2.0, does not properly enforce the method level restrictions for JAX-WS Service endpoints, which allows remote authenticated users to access otherwise restricted JAX-WS handlers by leveraging permissions to the EJB class. | 5.5 |
2013-10-28 | CVE-2012-4572 | Permissions, Privileges, and Access Controls vulnerability in Redhat products Red Hat JBoss Enterprise Application Platform (EAP) before 6.1.0 and JBoss Portal before 6.1.0 does not load the implementation of a custom authorization module for a new application when an implementation is already loaded and the modules share class names, which allows local users to control certain applications' authorization decisions via a crafted application. | 3.7 |
2013-09-28 | CVE-2013-1921 | Cryptographic Issues vulnerability in Redhat Jboss Enterprise Application Platform PicketBox, as used in Red Hat JBoss Enterprise Application Platform before 6.1.1, allows local users to obtain the admin encryption key by reading the Vault data file. | 1.9 |
2013-01-05 | CVE-2012-4549 | Permissions, Privileges, and Access Controls vulnerability in Redhat Jboss Enterprise Application Platform The processInvocation function in org.jboss.as.ejb3.security.AuthorizationInterceptor in JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) before 6.0.1, authorizes all requests when no roles are allowed for an Enterprise Java Beans (EJB) method invocation, which allows attackers to bypass intended access restrictions for EJB methods. | 5.8 |