CVE-2020-14307

CWE-4045 documents5 sources

Severity

6.5MEDIUM

EPSS

0.3%

top 48.70%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

RED HAT Wildfly Redhat AMQ Redhat Jboss Fuse +1 more

Timeline

PublishedJul 24

Latest updateMay 24

Description

A vulnerability was found in Wildfly's Enterprise Java Beans (EJB) versions shipped with Red Hat JBoss EAP 7, where SessionOpenInvocations are never removed from the remote InvocationTracker after a response is received in the EJB Client, as well as the server. This flaw allows an attacker to craft a denial of service attack to make the service unavailable.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶CVEListV5red_hat/wildflyjboss-ejb-client versions shipped with Red Hat JBoss EAP 7

▶NVDredhat/jboss_fuse6.0.0

▶NVDredhat/amq2.0

▶NVDredhat/single_sign-on7.0

🔴Vulnerability Details

GHSA

GHSA-q562-x7c7-5fc9: A vulnerability was found in Wildfly's Enterprise Java Beans (EJB) versions shipped with Red Hat JBoss EAP 7, where SessionOpenInvocations are never r↗2022-05-24

▶

CVEList

CVE-2020-14307: A vulnerability was found in Wildfly's Enterprise Java Beans (EJB) versions shipped with Red Hat JBoss EAP 7, where SessionOpenInvocations are never r↗2020-07-24

▶

📋Vendor Advisories

Red Hat

wildfly: EJB SessionOpenInvocations may not be removed properly after a response is received causing Denial of Service↗2020-07-23

▶

💬Community

Bugzilla

CVE-2020-14307 wildfly: EJB SessionOpenInvocations may not be removed properly after a response is received causing Denial of Service↗2020-06-26

▶