Vulnerabilities > Redhat > Jboss Enterprise Application Platform > 6.1.0
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2015-02-13 | CVE-2014-7853 | Information Exposure vulnerability in Redhat products The JBoss Application Server (WildFly) JacORB subsystem in Red Hat JBoss Enterprise Application Platform (EAP) before 6.3.3 does not properly assign socket-binding-ref sensitivity classification to the security-domain attribute, which allows remote authenticated users to obtain sensitive information by leveraging access to the security-domain attribute. | 4.0 |
2015-02-13 | CVE-2014-7827 | Permissions, Privileges, and Access Controls vulnerability in Redhat Jboss Enterprise Application Platform The org.jboss.security.plugins.mapping.JBossMappingManager implementation in JBoss Security in Red Hat JBoss Enterprise Application Platform (EAP) before 6.3.3 uses the default security domain when a security domain is undefined, which allows remote authenticated users to bypass intended access restrictions by leveraging credentials on the default domain for a role that is also on the application domain. | 3.5 |
2014-11-17 | CVE-2014-0059 | Information Exposure vulnerability in Redhat Jboss Enterprise Application Platform JBoss SX and PicketBox, as used in Red Hat JBoss Enterprise Application Platform (EAP) before 6.2.3, use world-readable permissions on audit.log, which allows local users to obtain sensitive information by reading this file. | 2.1 |
2014-07-07 | CVE-2014-3481 | Information Exposure vulnerability in Redhat Jboss Enterprise Application Platform org.jboss.as.jaxrs.deployment.JaxrsIntegrationProcessor in Red Hat JBoss Enterprise Application Platform (JEAP) before 6.2.4 enables entity expansion, which allows remote attackers to read arbitrary files via unspecified vectors, related to an XML External Entity (XXE) issue. | 5.0 |
2014-02-26 | CVE-2014-0058 | Cryptographic Issues vulnerability in Redhat Jboss Enterprise Application Platform The security audit functionality in Red Hat JBoss Enterprise Application Platform (EAP) 6.x before 6.2.1 logs request parameters in plaintext, which might allow local users to obtain passwords by reading the log files. | 1.9 |
2013-12-06 | CVE-2013-2133 | Permissions, Privileges, and Access Controls vulnerability in Redhat products The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) before 6.2.0, does not properly enforce the method level restrictions for JAX-WS Service endpoints, which allows remote authenticated users to access otherwise restricted JAX-WS handlers by leveraging permissions to the EJB class. | 5.5 |
2013-09-28 | CVE-2013-4112 | Information Exposure vulnerability in multiple products The DiagnosticsHandler in JGroup 3.0.x, 3.1.x, 3.2.x before 3.2.9, and 3.3.x before 3.3.3 allows remote attackers to obtain sensitive information (diagnostic information) and execute arbitrary code by reusing valid credentials. | 5.4 |
2013-09-28 | CVE-2013-1921 | Cryptographic Issues vulnerability in Redhat Jboss Enterprise Application Platform PicketBox, as used in Red Hat JBoss Enterprise Application Platform before 6.1.1, allows local users to obtain the admin encryption key by reading the Vault data file. | 1.9 |
2013-08-16 | CVE-2013-4213 | Improper Access Control vulnerability in Redhat Jboss Enterprise Application Platform 6.1.0 Red Hat JBoss Enterprise Application Platform (EAP) 6.1.0 does not properly cache EJB invocations by the EJB client API, which allows remote attackers to hijack sessions by using an EJB client. | 6.4 |
2013-08-16 | CVE-2013-4128 | Configuration vulnerability in Redhat Jboss Enterprise Application Platform 6.1.0 Red Hat JBoss Enterprise Application Platform (EAP) 6.1.0 does not properly cache EJB invocations by remote-naming, which allows remote attackers to hijack sessions by using a remoting client. | 6.4 |