Vulnerabilities > Redhat > Jboss Enterprise Application Platform
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2017-08-10 | CVE-2016-5018 | In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 a malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications. | 9.1 |
| 2017-07-13 | CVE-2017-9788 | Improper Input Validation vulnerability in multiple products In Apache httpd before 2.2.34 and 2.4.x before 2.4.27, the value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments by mod_auth_digest. | 9.1 |
| 2017-06-08 | CVE-2016-3690 | Deserialization of Untrusted Data vulnerability in Redhat Jboss Enterprise Application Platform The PooledInvokerServlet in JBoss EAP 4.x and 5.x allows remote attackers to execute arbitrary code via a crafted serialized payload. | 7.5 |
| 2017-05-19 | CVE-2017-7504 | Deserialization of Untrusted Data vulnerability in Redhat Jboss Enterprise Application Platform HTTPServerILServlet.java in JMS over HTTP Invocation Layer of the JbossMQ implementation, which is enabled by default in Red Hat Jboss Application Server <= Jboss 4.X does not restrict the classes for which it performs deserialization, which allows remote attackers to execute arbitrary code via crafted serialized data. | 7.5 |
| 2017-05-18 | CVE-2017-7503 | XXE vulnerability in Redhat Jboss Enterprise Application Platform 7.0.5 It was found that the Red Hat JBoss EAP 7.0.5 implementation of javax.xml.transform.TransformerFactory is vulnerable to XXE. | 7.5 |
| 2016-10-13 | CVE-2016-7065 | Deserialization of Untrusted Data vulnerability in Redhat Jboss Enterprise Application Platform 4.0.0/5.0.0 The JMX servlet in Red Hat JBoss Enterprise Application Platform (EAP) 4 and 5 allows remote authenticated users to cause a denial of service and possibly execute arbitrary code via a crafted serialized Java object. | 6.5 |
| 2016-10-03 | CVE-2016-7046 | Resource Management Errors vulnerability in Redhat Jboss Enterprise Application Platform 7.0 Red Hat JBoss Enterprise Application Platform (EAP) 7, when operating as a reverse-proxy with default buffer sizes, allows remote attackers to cause a denial of service (CPU and disk consumption) via a long URL. | 7.1 |
| 2016-09-27 | CVE-2016-4978 | Deserialization of Untrusted Data vulnerability in multiple products The getObject method of the javax.jms.ObjectMessage class in the (1) JMS Core client, (2) Artemis broker, and (3) Artemis REST component in Apache ActiveMQ Artemis before 1.4.0 might allow remote authenticated users with permission to send messages to the Artemis broker to deserialize arbitrary objects and execute arbitrary code by leveraging gadget classes being present on the Artemis classpath. | 7.2 |
| 2016-09-26 | CVE-2016-5406 | Permissions, Privileges, and Access Controls vulnerability in Redhat Jboss Enterprise Application Platform The domain controller in Red Hat JBoss Enterprise Application Platform (EAP) 7.x before 7.0.2 allows remote authenticated users to gain privileges by leveraging failure to propagate administrative RBAC configuration to all slaves. | 6.5 |
| 2016-09-26 | CVE-2016-4993 | CRLF Injection vulnerability in Redhat products CRLF injection vulnerability in the Undertow web server in WildFly 10.0.0, as used in Red Hat JBoss Enterprise Application Platform (EAP) 7.x before 7.0.2, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors. | 4.3 |