Vulnerabilities > Redhat > Jboss Enterprise Application Platform > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2018-01-10 | CVE-2017-7536 | Unsafe Reflection vulnerability in Redhat products In Hibernate Validator 5.2.x before 5.2.5 final, 5.3.x, and 5.4.x, it was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. | 7.0 |
| 2017-11-13 | CVE-2016-8610 | Resource Exhaustion vulnerability in multiple products A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. | 7.5 |
| 2017-10-04 | CVE-2017-12149 | Deserialization of Untrusted Data vulnerability in Redhat Jboss Enterprise Application Platform In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization and thus allowing an attacker to execute arbitrary code via crafted serialized data. | 7.5 |
| 2017-08-11 | CVE-2016-6796 | A malicious web application running on Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 was able to bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet. | 7.5 |
| 2017-06-08 | CVE-2016-3690 | Deserialization of Untrusted Data vulnerability in Redhat Jboss Enterprise Application Platform The PooledInvokerServlet in JBoss EAP 4.x and 5.x allows remote attackers to execute arbitrary code via a crafted serialized payload. | 7.5 |
| 2017-05-19 | CVE-2017-7504 | Deserialization of Untrusted Data vulnerability in Redhat Jboss Enterprise Application Platform HTTPServerILServlet.java in JMS over HTTP Invocation Layer of the JbossMQ implementation, which is enabled by default in Red Hat Jboss Application Server <= Jboss 4.X does not restrict the classes for which it performs deserialization, which allows remote attackers to execute arbitrary code via crafted serialized data. | 7.5 |
| 2017-05-18 | CVE-2017-7503 | XXE vulnerability in Redhat Jboss Enterprise Application Platform 7.0.5 It was found that the Red Hat JBoss EAP 7.0.5 implementation of javax.xml.transform.TransformerFactory is vulnerable to XXE. | 7.5 |
| 2016-10-03 | CVE-2016-7046 | Resource Management Errors vulnerability in Redhat Jboss Enterprise Application Platform 7.0 Red Hat JBoss Enterprise Application Platform (EAP) 7, when operating as a reverse-proxy with default buffer sizes, allows remote attackers to cause a denial of service (CPU and disk consumption) via a long URL. | 7.1 |
| 2016-09-27 | CVE-2016-4978 | Deserialization of Untrusted Data vulnerability in multiple products The getObject method of the javax.jms.ObjectMessage class in the (1) JMS Core client, (2) Artemis broker, and (3) Artemis REST component in Apache ActiveMQ Artemis before 1.4.0 might allow remote authenticated users with permission to send messages to the Artemis broker to deserialize arbitrary objects and execute arbitrary code by leveraging gadget classes being present on the Artemis classpath. | 7.2 |
| 2016-09-26 | CVE-2016-3110 | Improper Input Validation vulnerability in multiple products mod_cluster, as used in Red Hat JBoss Web Server 2.1, allows remote attackers to cause a denial of service (Apache http server crash) via an MCMP message containing a series of = (equals) characters after a legitimate element. | 7.5 |