Red Hat JBoss Enterprise Application Platform: Low-risk vulnerabilities

Each entry gives the publication date, CVE identifier and title, followed by the description and, where the listing records them, the access vector, access complexity, vendor, CWE classification and risk score.
2021-08-05  CVE-2021-3642  Information Exposure Through Discrepancy vulnerability in multiple products
A flaw was found in WildFly Elytron in versions prior to 1.10.14.Final, 1.15.5.Final and 1.16.1.Final, where ScramServer may be susceptible to a timing attack if enabled.
Risk score: 3.5
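The entry above concerns the timing discrepancy a SCRAM server can introduce when it checks the client's proof. The following is an added example and not WildFly Elytron code: it carries out the RFC 5802 proof check with HMAC-SHA-256 and contrasts an early-exit byte comparison, whose work depends on the length of the matching prefix, with a constant-time comparison. The password, salt, iteration count and AuthMessage used in the demonstration are constructed sample values.

```python
"""Constant-time verification of a SCRAM client proof.

Added example (not WildFly Elytron code). Follows the RFC 5802 key derivation
with SHA-256 and shows the one comparison a SCRAM server must make in
constant time: H(recovered ClientKey) against the StoredKey on record.
"""
import hashlib
import hmac
from typing import Tuple

HASH = "sha256"


def salted_password(password: bytes, salt: bytes, iterations: int) -> bytes:
    """RFC 5802 Hi(): PBKDF2 with HMAC-<HASH> as the pseudo-random function."""
    return hashlib.pbkdf2_hmac(HASH, password, salt, iterations)


def client_key(salted: bytes) -> bytes:
    return hmac.new(salted, b"Client Key", HASH).digest()


def stored_key(salted: bytes) -> bytes:
    """StoredKey = H(ClientKey); the server keeps this, not the password."""
    return hashlib.new(HASH, client_key(salted)).digest()


def client_proof(salted: bytes, auth_message: bytes) -> bytes:
    """Client side: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    signature = hmac.new(stored_key(salted), auth_message, HASH).digest()
    return bytes(k ^ s for k, s in zip(client_key(salted), signature))


def leaky_equal(a: bytes, b: bytes) -> Tuple[bool, int]:
    """Early-exit comparison. Returns (equal, number of bytes inspected).

    The loop stops at the first mismatch, so the work done (and the response
    time) reveals how long the matching prefix is. This is the pattern a
    timing attack measures; it is here only to make the discrepancy visible.
    """
    if len(a) != len(b):
        return False, 0
    inspected = 0
    for x, y in zip(a, b):
        inspected += 1
        if x != y:
            return False, inspected
    return True, inspected


def verify_proof(stored: bytes, auth_message: bytes, proof: bytes,
                 constant_time: bool = True) -> bool:
    """Server side: recover ClientKey = ClientProof XOR ClientSignature and
    check that H(ClientKey) equals the StoredKey on record."""
    signature = hmac.new(stored, auth_message, HASH).digest()
    if len(proof) != len(signature):
        return False
    recovered = bytes(p ^ s for p, s in zip(proof, signature))
    candidate = hashlib.new(HASH, recovered).digest()
    if constant_time:
        # hmac.compare_digest takes time independent of where the inputs differ.
        return hmac.compare_digest(candidate, stored)
    return leaky_equal(candidate, stored)[0]


if __name__ == "__main__":
    # Constructed sample values, not taken from any real exchange.
    salt, iterations = b"constructed-salt", 4096
    salted = salted_password(b"correct horse battery staple", salt, iterations)
    record = stored_key(salted)
    auth_message = b"n=user,r=cnonce,r=cnonce-snonce,c=biws,r=cnonce-snonce"
    proof = client_proof(salted, auth_message)
    print("valid proof accepted:", verify_proof(record, auth_message, proof))
    tampered = bytes([proof[0] ^ 0x01]) + proof[1:]
    print("tampered proof rejected:", not verify_proof(record, auth_message, tampered))
    print("bytes inspected before early exit:",
          leaky_equal(b"abcdef", b"abcxyz")[1], "vs",
          leaky_equal(b"abcdef", b"xbcdef")[1])
```

Because the server hashes the recovered ClientKey before comparing, a flipped bit in the proof changes every byte of the candidate, so the early-exit comparison is harder to exploit here than against a raw MAC check; the fix is the same regardless, since a constant-time comparison costs nothing and removes the discrepancy entirely.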
2021-05-20  CVE-2021-3536  Cross-site Scripting vulnerability in Redhat products
A flaw was found in WildFly in versions before 23.0.2.Final: while creating a new role in domain mode via the admin console, it is possible to add a payload in the name field, leading to XSS.
Access vector: network; vendor: redhat; CWE-79; risk score: 3.5
2019-06-12  CVE-2019-3872  Cross-site Scripting vulnerability in Redhat products
It was found that a SAMLRequest containing a script could be processed by the PicketLink versions shipped in JBoss Application Platform 7.2.x and 7.1.x.
Access vector: network; vendor: redhat; CWE-79; risk score: 3.5
2019-03-27  CVE-2018-10934  Cross-site Scripting vulnerability in Redhat products
A cross-site scripting (XSS) vulnerability was found in the JBoss Management Console in versions before 7.1.6.CR1 and 7.1.6.GA.
Access vector: network; vendor: redhat; CWE-79; risk score: 3.5
2018-07-26  CVE-2017-12167  Information Exposure vulnerability in Redhat Jboss Enterprise Application Platform
It was found in EAP 7 before 7.0.9 that the properties-based files of the management and application realm configuration, which contain the user-to-role mapping, are world readable, exposing user and role information to every user logged in to the system.
Access vector: local; access complexity: low; vendor: redhat; CWE-200; risk score: 2.1
2018-03-09  CVE-2016-9585  Deserialization of Untrusted Data vulnerability in Redhat Jboss Enterprise Application Platform 5.0.0
Red Hat JBoss EAP version 5 is vulnerable to deserialization of untrusted data in the JMX endpoint when it deserializes the credentials passed to it.
Access vector: network; access complexity: high; vendor: redhat; CWE-502; risk score: 2.6
2015-12-16  CVE-2015-5304  Permissions, Privileges, and Access Controls vulnerability in Redhat Jboss Enterprise Application Platform
Red Hat JBoss Enterprise Application Platform (EAP) before 6.4.5 does not properly authorize access to shut down the server, which allows remote authenticated users with the Monitor, Deployer, or Auditor role to cause a denial of service via unspecified vectors.
Access vector: network; vendor: redhat; CWE-264; risk score: 3.5
2015-04-21  CVE-2014-3586  Permissions, Privileges, and Access Controls vulnerability in Redhat Jboss Enterprise Application Platform
The default configuration for the Command Line Interface in Red Hat JBoss Enterprise Application Platform before 6.4.0 and WildFly (formerly JBoss Application Server) uses weak permissions for .jboss-cli-history, which allows local users to obtain sensitive information via unspecified vectors.
Access vector: local; access complexity: low; vendor: redhat; CWE-264; risk score: 2.1
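Both CVE-2017-12167 (world-readable realm property files) and CVE-2014-3586 (weak permissions on .jboss-cli-history) come down to file modes on the EAP host. The following is an added example, not Red Hat or JBoss code, that audits those files and restricts any offender to owner-only access. The realm file names and the standalone/domain configuration directories are the EAP 6/7 defaults as assumed here; the two files it creates for its own demonstration are constructed.

```python
"""Audit JBoss EAP realm property files and the CLI history for world-readable
permissions, the condition behind CVE-2017-12167 and CVE-2014-3586.

Added example, not Red Hat or JBoss code. File names and directories are the
assumed EAP 6/7 defaults; pass your own paths to audit() if they differ.
"""
import os
import stat
import sys
import tempfile
from pathlib import Path
from typing import Iterable, List

# Assumed default realm files under <JBOSS_HOME>/{standalone,domain}/configuration.
REALM_FILES = (
    "mgmt-users.properties",
    "mgmt-groups.properties",
    "application-users.properties",
    "application-roles.properties",
)


def default_paths(jboss_home: str, user_home: str) -> List[Path]:
    """Realm files for both operating modes plus the CLI history in the user's home."""
    paths: List[Path] = []
    for mode in ("standalone", "domain"):
        config_dir = Path(jboss_home) / mode / "configuration"
        paths.extend(config_dir / name for name in REALM_FILES)
    paths.append(Path(user_home) / ".jboss-cli-history")
    return paths


def world_readable(path: Path) -> bool:
    """True when the 'other' read bit is set, i.e. any local account can read it."""
    return bool(path.stat().st_mode & stat.S_IROTH)


def audit(paths: Iterable[Path]) -> List[Path]:
    """Return the files that exist and are world readable; missing files are skipped."""
    return [p for p in paths if p.is_file() and world_readable(p)]


def harden(path: Path) -> int:
    """Restrict to owner read/write (0600) and return the resulting permission bits."""
    path.chmod(stat.S_IRUSR | stat.S_IWUSR)
    return stat.S_IMODE(path.stat().st_mode)


def constructed_sample() -> List[Path]:
    """Constructed demo data: two realm-style files in a temporary directory,
    one left world readable and one already restricted, plus a history path
    that does not exist and must be skipped by audit()."""
    sample_dir = Path(tempfile.mkdtemp(prefix="eap-perm-audit-"))
    exposed = sample_dir / "mgmt-users.properties"
    exposed.write_text("admin=constructed-hash-value\n")
    exposed.chmod(0o644)
    restricted = sample_dir / "mgmt-groups.properties"
    restricted.write_text("admin=Administrator\n")
    restricted.chmod(0o600)
    return [exposed, restricted, sample_dir / ".jboss-cli-history"]


if __name__ == "__main__":
    # Report only by default; pass --fix to restrict offending files to 0600.
    fix = "--fix" in sys.argv[1:]
    jboss_home = os.environ.get("JBOSS_HOME", "/opt/jboss-eap")
    offenders = audit(default_paths(jboss_home, os.path.expanduser("~")))
    for p in offenders:
        mode = oct(stat.S_IMODE(p.stat().st_mode))
        if fix:
            print(f"{p}: mode {mode} is world readable, restricted to {oct(harden(p))}")
        else:
            print(f"{p}: mode {mode} is world readable")
    if not offenders:
        print("no world-readable realm files or CLI history found")
```

Run it as the account that owns the EAP installation, with JBOSS_HOME set, and as the user whose shell runs jboss-cli for the history check. On a fixed release the report should be empty; files carried over from an earlier version or written by deployment tooling with a permissive umask are the ones that still show up.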
2015-02-20  CVE-2014-0005  Permissions, Privileges, and Access Controls vulnerability in Redhat products
PicketBox and JBossSX, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 6.2.2 and JBoss BRMS before 6.0.3 roll up patch 2, allow remote authenticated users to read and modify the application server configuration and state by deploying a crafted application.
Access vector: local; access complexity: low; vendor: redhat; CWE-264; risk score: 3.6
2015-02-13  CVE-2014-7827  Permissions, Privileges, and Access Controls vulnerability in Redhat Jboss Enterprise Application Platform
The org.jboss.security.plugins.mapping.JBossMappingManager implementation in JBoss Security in Red Hat JBoss Enterprise Application Platform (EAP) before 6.3.3 uses the default security domain when a security domain is undefined, which allows remote authenticated users to bypass intended access restrictions by leveraging credentials on the default domain for a role that is also on the application domain.
Access vector: network; vendor: redhat; CWE-264; risk score: 3.5