Vulnerabilities > Redhat > Jboss Enterprise Application Platform > Medium

DATE CVE VULNERABILITY TITLE RISK
2018-07-26 CVE-2017-12167 Information Exposure vulnerability in Redhat Jboss Enterprise Application Platform
It was found in EAP 7 before 7.0.9 that properties based files of the management and the application realm configuration that contain user to role mapping are world readable allowing access to users and roles information to all the users logged in to the system.
local
low complexity
redhat CWE-200
5.5
2018-05-21 CVE-2018-1067 HTTP Response Splitting vulnerability in Redhat Undertow
In Undertow before versions 7.1.2.CR1, 7.1.2.GA it was found that the fix for CVE-2016-4993 was incomplete and Undertow web server is vulnerable to the injection of arbitrary HTTP headers, and also response splitting, due to insufficient sanitization and validation of user input before the input is used as part of an HTTP header value.
network
low complexity
redhat CWE-113
6.1
2018-05-11 CVE-2016-8627 Resource Exhaustion vulnerability in Redhat Jboss Enterprise Application Platform and Keycloak
admin-cli before versions 3.0.0.alpha25, 2.2.1.cr2 is vulnerable to an EAP feature to download server log files that allows logs to be available via GET requests making them vulnerable to cross-origin attacks.
network
low complexity
redhat CWE-400
6.5
2018-04-26 CVE-2018-10237 Allocation of Resources Without Limits or Throttling vulnerability in multiple products
Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
network
high complexity
google redhat oracle CWE-770
5.9
2018-04-18 CVE-2017-12196 Incorrect Authorization vulnerability in Redhat products
undertow before versions 1.4.18.SP1, 2.0.2.Final, 1.4.24.Final was found vulnerable when using Digest authentication, the server does not ensure that the value of URI in the Authorization header matches the URI in HTTP request line.
network
high complexity
redhat CWE-863
5.9
2018-03-09 CVE-2016-9585 Deserialization of Untrusted Data vulnerability in Redhat Jboss Enterprise Application Platform 5.0.0
Red Hat JBoss EAP version 5 is vulnerable to a deserialization of untrusted data in the JMX endpoint when deserializes the credentials passed to it.
network
high complexity
redhat CWE-502
5.3
2018-02-28 CVE-2018-1304 The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition.
network
high complexity
apache redhat debian canonical oracle
5.9
2018-01-24 CVE-2018-1047 Unspecified vulnerability in Redhat products
A flaw was found in Wildfly 9.x.
local
low complexity
redhat
5.5
2017-09-19 CVE-2015-1849 Information Exposure vulnerability in Redhat Jboss Enterprise Application Platform
AdvancedLdapLodinMogule in Red Hat JBoss Enterprise Application Platform (EAP) before 6.4.1 allows attackers to obtain sensitive information via vectors involving logging the LDAP bind credential password when TRACE logging is enabled.
network
high complexity
redhat CWE-200
5.9
2017-08-22 CVE-2016-6311 Information Exposure vulnerability in Redhat Jboss Enterprise Application Platform 7.0
Get requests in JBoss Enterprise Application Platform (EAP) 7 disclose internal IP addresses to remote attackers.
network
low complexity
redhat CWE-200
5.3