Vulnerabilities > Redhat > Jboss Enterprise Application Platform > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2014-08-19 | CVE-2014-3472 | Permissions, Privileges, and Access Controls vulnerability in Redhat Jboss Enterprise Application Platform 6.3.0 The isCallerInRole function in SimpleSecurityManager in JBoss Application Server (AS) 7, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 6.3.0, does not properly check caller roles, which allows remote authenticated users to bypass access restrictions via unspecified vectors. | 4.9 |
| 2014-08-19 | CVE-2014-3464 | Permissions, Privileges, and Access Controls vulnerability in Redhat Jboss Enterprise Application Platform 6.2.0/6.3.0 The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) 6.2.0 and 6.3.0, does not properly enforce the method level restrictions for outbound messages, which allows remote authenticated users to access otherwise restricted JAX-WS handlers by leveraging permissions to the EJB class. | 5.5 |
| 2014-07-22 | CVE-2014-3518 | Code Injection vulnerability in Redhat products jmx-remoting.sar in JBoss Remoting, as used in Red Hat JBoss Enterprise Application Platform (JEAP) 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2, and Red Hat JBoss SOA Platform 5.3.1, does not properly implement the JSR 160 specification, which allows remote attackers to execute arbitrary code via unspecified vectors. | 6.8 |
| 2014-07-07 | CVE-2014-3481 | Information Exposure vulnerability in Redhat Jboss Enterprise Application Platform org.jboss.as.jaxrs.deployment.JaxrsIntegrationProcessor in Red Hat JBoss Enterprise Application Platform (JEAP) before 6.2.4 enables entity expansion, which allows remote attackers to read arbitrary files via unspecified vectors, related to an XML External Entity (XXE) issue. | 5.0 |
| 2014-04-03 | CVE-2014-0093 | Permissions, Privileges, and Access Controls vulnerability in Redhat Jboss Enterprise Application Platform 6.2.2 Red Hat JBoss Enterprise Application Platform (JBEAP) 6.2.2, when using a Java Security Manager (JSM), does not properly apply permissions defined by a policy file, which causes applications to be granted the java.security.AllPermission permission and allows remote attackers to bypass intended access restrictions. | 5.8 |
| 2014-02-10 | CVE-2011-4610 | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Redhat products JBoss Web, as used in Red Hat JBoss Communications Platform before 5.1.3, Enterprise Web Platform before 5.1.2, Enterprise Application Platform before 5.1.2, and other products, allows remote attackers to cause a denial of service (infinite loop) via vectors related to a crafted UTF-8 and a "surrogate pair character" that is "at the boundary of an internal buffer." | 5.0 |
| 2013-12-06 | CVE-2013-2133 | Permissions, Privileges, and Access Controls vulnerability in Redhat products The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) before 6.2.0, does not properly enforce the method level restrictions for JAX-WS Service endpoints, which allows remote authenticated users to access otherwise restricted JAX-WS handlers by leveraging permissions to the EJB class. | 5.5 |
| 2013-10-28 | CVE-2012-4529 | Session ID Information Disclosure vulnerability in Redhat products The org.apache.catalina.connector.Response.encodeURL method in Red Hat JBoss Web 7.1.x and earlier, when the tracking mode is set to COOKIE, sends the jsessionid in the URL of the first response of a session, which allows remote attackers to obtain the session id (1) via a man-in-the-middle attack or (2) by reading a log. network redhat | 4.3 |
| 2013-10-01 | CVE-2013-4210 | Remote Denial of Service vulnerability in Red Hat JBoss Remoting The org.jboss.remoting.transport.socket.ServerThread class in Red Hat JBoss Remoting for Red Hat JBoss SOA Platform 5.3.1 GA, Web Platform 5.2.0, Enterprise Application Platform 5.2.0, and other products allows remote attackers to cause a denial of service (file descriptor consumption) via unspecified vectors. | 5.0 |
| 2013-09-28 | CVE-2013-4112 | Information Exposure vulnerability in multiple products The DiagnosticsHandler in JGroup 3.0.x, 3.1.x, 3.2.x before 3.2.9, and 3.3.x before 3.3.3 allows remote attackers to obtain sensitive information (diagnostic information) and execute arbitrary code by reusing valid credentials. | 5.4 |