Vulnerabilities > Redhat > Jboss Enterprise Application Platform

DATE CVE VULNERABILITY TITLE RISK
2017-08-10 CVE-2016-5018 In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 a malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications.
network
low complexity
apache netapp canonical debian redhat oracle
critical
9.1
2017-07-13 CVE-2017-9788 Improper Input Validation vulnerability in multiple products
In Apache httpd before 2.2.34 and 2.4.x before 2.4.27, the value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments by mod_auth_digest.
network
low complexity
apache debian apple netapp redhat oracle CWE-20
critical
9.1
2017-06-08 CVE-2016-3690 Deserialization of Untrusted Data vulnerability in Redhat Jboss Enterprise Application Platform
The PooledInvokerServlet in JBoss EAP 4.x and 5.x allows remote attackers to execute arbitrary code via a crafted serialized payload.
network
low complexity
redhat CWE-502
critical
9.8
2017-05-19 CVE-2017-7504 Deserialization of Untrusted Data vulnerability in Redhat Jboss Enterprise Application Platform
HTTPServerILServlet.java in JMS over HTTP Invocation Layer of the JbossMQ implementation, which is enabled by default in Red Hat Jboss Application Server <= Jboss 4.X does not restrict the classes for which it performs deserialization, which allows remote attackers to execute arbitrary code via crafted serialized data.
network
low complexity
redhat CWE-502
critical
9.8
2017-05-18 CVE-2017-7503 XXE vulnerability in Redhat Jboss Enterprise Application Platform 7.0.5
It was found that the Red Hat JBoss EAP 7.0.5 implementation of javax.xml.transform.TransformerFactory is vulnerable to XXE.
network
low complexity
redhat CWE-611
critical
9.8
2016-10-13 CVE-2016-7065 Deserialization of Untrusted Data vulnerability in Redhat Jboss Enterprise Application Platform 4.0.0/5.0.0
The JMX servlet in Red Hat JBoss Enterprise Application Platform (EAP) 4 and 5 allows remote authenticated users to cause a denial of service and possibly execute arbitrary code via a crafted serialized Java object.
network
low complexity
redhat CWE-502
8.8
2016-10-03 CVE-2016-7046 Resource Management Errors vulnerability in Redhat Jboss Enterprise Application Platform 7.0
Red Hat JBoss Enterprise Application Platform (EAP) 7, when operating as a reverse-proxy with default buffer sizes, allows remote attackers to cause a denial of service (CPU and disk consumption) via a long URL.
network
high complexity
redhat CWE-399
5.9
2016-09-27 CVE-2016-4978 Deserialization of Untrusted Data vulnerability in multiple products
The getObject method of the javax.jms.ObjectMessage class in the (1) JMS Core client, (2) Artemis broker, and (3) Artemis REST component in Apache ActiveMQ Artemis before 1.4.0 might allow remote authenticated users with permission to send messages to the Artemis broker to deserialize arbitrary objects and execute arbitrary code by leveraging gadget classes being present on the Artemis classpath.
network
low complexity
apache redhat CWE-502
7.2
2016-09-26 CVE-2016-5406 Permissions, Privileges, and Access Controls vulnerability in Redhat Jboss Enterprise Application Platform
The domain controller in Red Hat JBoss Enterprise Application Platform (EAP) 7.x before 7.0.2 allows remote authenticated users to gain privileges by leveraging failure to propagate administrative RBAC configuration to all slaves.
network
low complexity
redhat CWE-264
8.8
2016-09-26 CVE-2016-4993 HTTP Response Splitting vulnerability in Redhat Jboss Enterprise Application Platform
CRLF injection vulnerability in the Undertow web server in WildFly 10.0.0, as used in Red Hat JBoss Enterprise Application Platform (EAP) 7.x before 7.0.2, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
network
low complexity
redhat CWE-113
6.1