Vulnerabilities > Redhat > Jboss Enterprise Application Platform
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2014-02-02 | CVE-2012-3427 | Permissions, Privileges, and Access Controls vulnerability in Redhat Jboss Enterprise Application Platform 5.1.2 EC2 Amazon Machine Image (AMI) in JBoss Enterprise Application Platform (EAP) 5.1.2 uses 755 permissions for /var/cache/jboss-ec2-eap/, which allows local users to read sensitive information such as Amazon Web Services (AWS) credentials by reading files in the directory. | 2.1 |
| 2013-12-06 | CVE-2013-2133 | Permissions, Privileges, and Access Controls vulnerability in Redhat products The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) before 6.2.0, does not properly enforce the method level restrictions for JAX-WS Service endpoints, which allows remote authenticated users to access otherwise restricted JAX-WS handlers by leveraging permissions to the EJB class. | 5.5 |
| 2013-10-28 | CVE-2012-4572 | Permissions, Privileges, and Access Controls vulnerability in Redhat products Red Hat JBoss Enterprise Application Platform (EAP) before 6.1.0 and JBoss Portal before 6.1.0 does not load the implementation of a custom authorization module for a new application when an implementation is already loaded and the modules share class names, which allows local users to control certain applications' authorization decisions via a crafted application. | 3.7 |
| 2013-10-28 | CVE-2012-4529 | Session ID Information Disclosure vulnerability in Redhat products The org.apache.catalina.connector.Response.encodeURL method in Red Hat JBoss Web 7.1.x and earlier, when the tracking mode is set to COOKIE, sends the jsessionid in the URL of the first response of a session, which allows remote attackers to obtain the session id (1) via a man-in-the-middle attack or (2) by reading a log. network redhat | 4.3 |
| 2013-10-01 | CVE-2013-4210 | Remote Denial of Service vulnerability in Red Hat JBoss Remoting The org.jboss.remoting.transport.socket.ServerThread class in Red Hat JBoss Remoting for Red Hat JBoss SOA Platform 5.3.1 GA, Web Platform 5.2.0, Enterprise Application Platform 5.2.0, and other products allows remote attackers to cause a denial of service (file descriptor consumption) via unspecified vectors. | 5.0 |
| 2013-09-28 | CVE-2013-4112 | Information Exposure vulnerability in multiple products The DiagnosticsHandler in JGroup 3.0.x, 3.1.x, 3.2.x before 3.2.9, and 3.3.x before 3.3.3 allows remote attackers to obtain sensitive information (diagnostic information) and execute arbitrary code by reusing valid credentials. | 5.4 |
| 2013-09-28 | CVE-2013-1921 | Cryptographic Issues vulnerability in Redhat Jboss Enterprise Application Platform PicketBox, as used in Red Hat JBoss Enterprise Application Platform before 6.1.1, allows local users to obtain the admin encryption key by reading the Vault data file. | 1.9 |
| 2013-08-16 | CVE-2013-4213 | Improper Access Control vulnerability in Redhat Jboss Enterprise Application Platform 6.1.0 Red Hat JBoss Enterprise Application Platform (EAP) 6.1.0 does not properly cache EJB invocations by the EJB client API, which allows remote attackers to hijack sessions by using an EJB client. | 6.4 |
| 2013-08-16 | CVE-2013-4128 | Configuration vulnerability in Redhat Jboss Enterprise Application Platform 6.1.0 Red Hat JBoss Enterprise Application Platform (EAP) 6.1.0 does not properly cache EJB invocations by remote-naming, which allows remote attackers to hijack sessions by using a remoting client. | 6.4 |
| 2013-07-29 | CVE-2011-1483 | wsf/common/DOMUtils.java in JBossWS Native in Red Hat JBoss Enterprise Application Platform 4.2.0.CP09, 4.3, and 5.1.1; JBoss Enterprise Portal Platform 4.3.CP06 and 5.1.1; JBoss Enterprise SOA Platform 4.2.CP05, 4.3.CP05, and 5.1.0; JBoss Communications Platform 1.2.11 and 5.1.1; JBoss Enterprise BRMS Platform 5.1.0; and JBoss Enterprise Web Platform 5.1.1 does not properly handle recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted request containing an XML document with a DOCTYPE declaration and a large number of nested entity references, a similar issue to CVE-2003-1564. | 5.0 |