Vulnerabilities > Redhat > Jboss Enterprise Application Platform
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2016-09-26 | CVE-2016-3110 | Improper Input Validation vulnerability in multiple products mod_cluster, as used in Red Hat JBoss Web Server 2.1, allows remote attackers to cause a denial of service (Apache http server crash) via an MCMP message containing a series of = (equals) characters after a legitimate element. | 7.5 |
| 2016-09-01 | CVE-2016-2183 | Information Exposure vulnerability in multiple products The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack. | 7.5 |
| 2016-06-30 | CVE-2016-2141 | Unspecified vulnerability in Redhat Jboss Enterprise Application Platform and Jgroups It was found that JGroups did not require necessary headers for encrypt and auth protocols from new nodes joining the cluster. | 9.8 |
| 2015-12-16 | CVE-2015-5304 | Permissions, Privileges, and Access Controls vulnerability in Redhat Jboss Enterprise Application Platform Red Hat JBoss Enterprise Application Platform (EAP) before 6.4.5 does not properly authorize access to shut down the server, which allows remote authenticated users with the Monitor, Deployer, or Auditor role to cause a denial of service via unspecified vectors. | 3.5 |
| 2015-04-21 | CVE-2014-3586 | Permissions, Privileges, and Access Controls vulnerability in Redhat Jboss Enterprise Application Platform The default configuration for the Command Line Interface in Red Hat Enterprise Application Platform before 6.4.0 and WildFly (formerly JBoss Application Server) uses weak permissions for .jboss-cli-history, which allows local users to obtain sensitive information via unspecified vectors. | 2.1 |
| 2015-02-20 | CVE-2014-0005 | Permissions, Privileges, and Access Controls vulnerability in Redhat products PicketBox and JBossSX, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 6.2.2 and JBoss BRMS before 6.0.3 roll up patch 2, allows remote authenticated users to read and modify the application sever configuration and state by deploying a crafted application. | 3.6 |
| 2015-02-13 | CVE-2014-7853 | Information Exposure vulnerability in Redhat products The JBoss Application Server (WildFly) JacORB subsystem in Red Hat JBoss Enterprise Application Platform (EAP) before 6.3.3 does not properly assign socket-binding-ref sensitivity classification to the security-domain attribute, which allows remote authenticated users to obtain sensitive information by leveraging access to the security-domain attribute. | 4.0 |
| 2015-02-13 | CVE-2014-7849 | Permissions, Privileges, and Access Controls vulnerability in Redhat Jboss Enterprise Application Platform The Role Based Access Control (RBAC) implementation in JBoss Enterprise Application Platform (EAP) 6.2.0 through 6.3.2 does not properly verify authorization conditions, which allows remote authenticated users to add, modify, and undefine otherwise restricted attributes by leveraging the Maintainer role. | 4.0 |
| 2015-02-13 | CVE-2014-7827 | Permissions, Privileges, and Access Controls vulnerability in Redhat Jboss Enterprise Application Platform The org.jboss.security.plugins.mapping.JBossMappingManager implementation in JBoss Security in Red Hat JBoss Enterprise Application Platform (EAP) before 6.3.3 uses the default security domain when a security domain is undefined, which allows remote authenticated users to bypass intended access restrictions by leveraging credentials on the default domain for a role that is also on the application domain. | 3.5 |
| 2014-11-17 | CVE-2014-0059 | Information Exposure vulnerability in Redhat Jboss Enterprise Application Platform JBoss SX and PicketBox, as used in Red Hat JBoss Enterprise Application Platform (EAP) before 6.2.3, use world-readable permissions on audit.log, which allows local users to obtain sensitive information by reading this file. | 2.1 |