Vulnerabilities > Redhat > Jboss Enterprise Application Platform > High

DATE CVE VULNERABILITY TITLE RISK
2018-07-27 CVE-2017-12165 HTTP Request Smuggling vulnerability in Redhat Undertow
It was discovered that Undertow before 1.4.17, 1.3.31 and 2.0.0 processes http request headers with unusual whitespaces which can cause possible http request smuggling.
network
low complexity
redhat CWE-444
7.5
2018-07-02 CVE-2018-8039 Improper Handling of Exceptional Conditions vulnerability in multiple products
It is possible to configure Apache CXF to use the com.sun.net.ssl implementation via 'System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");'.
network
high complexity
apache redhat CWE-755
8.1
2018-06-05 CVE-2018-1000180 Use of a Broken or Risky Cryptographic Algorithm vulnerability in multiple products
Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected.
network
low complexity
bouncycastle debian oracle netapp redhat CWE-327
7.5
2018-05-22 CVE-2016-8656 Permissions, Privileges, and Access Controls vulnerability in Redhat Jboss Enterprise Application Platform
Jboss jbossas before versions 5.2.0-23, 6.4.13, 7.0.5 is vulnerable to an unsafe file handling in the jboss init script which could result in local privilege escalation.
local
low complexity
redhat CWE-264
7.8
2018-03-07 CVE-2017-12174 It was found that when Artemis and HornetQ before 2.4.0 are configured with UDP discovery and JGroups discovery a huge byte array is created when receiving an unexpected multicast message.
network
low complexity
apache redhat
7.5
2018-02-15 CVE-2018-1041 Infinite Loop vulnerability in multiple products
A vulnerability was found in the way RemoteMessageChannel, introduced in jboss-remoting versions 3.3.10, reads from an empty buffer.
network
low complexity
jboss redhat CWE-835
7.5
2018-01-24 CVE-2018-1048 Improper Encoding or Escaping of Output vulnerability in Redhat Jboss Enterprise Application Platform 7.1.0
It was found that the AJP connector in undertow, as shipped in Jboss EAP 7.1.0.GA, does not use the ALLOW_ENCODED_SLASH option and thus allow the the slash / anti-slash characters encoded in the url which may lead to path traversal and result in the information disclosure of arbitrary local files.
network
low complexity
redhat CWE-116
7.5
2018-01-22 CVE-2018-5968 Deserialization of Untrusted Data vulnerability in multiple products
FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws.
network
high complexity
fasterxml debian redhat netapp CWE-502
8.1
2018-01-10 CVE-2017-12189 Unspecified vulnerability in Redhat products
It was discovered that the jboss init script as used in Red Hat JBoss Enterprise Application Platform 7.0.7.GA performed unsafe file handling which could result in local privilege escalation.
local
low complexity
redhat
7.8
2018-01-10 CVE-2017-7536 Unsafe Reflection vulnerability in Redhat products
In Hibernate Validator 5.2.x before 5.2.5 final, 5.3.x, and 5.4.x, it was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur.
local
high complexity
redhat CWE-470
7.0