Red Hat JBoss Enterprise Application Platform vulnerabilities
241 known vulnerabilities affecting redhat/jboss_enterprise_application_platform.
Total CVEs: 241
CISA KEV: 6 (actively exploited)
Public exploits: 18
Exploited in wild: 8
Severity breakdown: CRITICAL 36, HIGH 86, MEDIUM 102, LOW 17
Vulnerabilities
Page 9 of 13
CVE-2016-7046 | MEDIUM | CVSS 5.9 | v7.0 | 2016-10-03 | CWE-399
Red Hat JBoss Enterprise Application Platform (EAP) 7, when operating as a reverse-proxy with default buffer sizes, allows remote attackers to cause a denial of service (CPU and disk consumption) via a long URL.
nvd
CVE-2016-4978 | HIGH | CVSS 7.2 | v6.0.0, v6.4.0, +2 more | 2016-09-27 | CWE-502
The getObject method of the javax.jms.ObjectMessage class in the (1) JMS Core client, (2) Artemis broker, and (3) Artemis REST component in Apache ActiveMQ Artemis before 1.4.0 might allow remote authenticated users with permission to send messages to the Artemis broker to deserialize arbitrary objects and execute arbitrary code by leveraging gadget cla
nvd
CVE-2016-3110 | HIGH | CVSS 7.5 | v6.0.0, v6.4.0 | 2016-09-26 | CWE-20
mod_cluster, as used in Red Hat JBoss Web Server 2.1, allows remote attackers to cause a denial of service (Apache http server crash) via an MCMP message containing a series of = (equals) characters after a legitimate element.
nvd
CVE-2016-5406 | HIGH | CVSS 8.8 | ≤ 7.0.1 | 2016-09-26 | CWE-264
The domain controller in Red Hat JBoss Enterprise Application Platform (EAP) 7.x before 7.0.2 allows remote authenticated users to gain privileges by leveraging failure to propagate administrative RBAC configuration to all slaves.
nvd
CVE-2016-4993 | MEDIUM | CVSS 6.1 | ≤ 7.0.1 | 2016-09-26 | CWE-93
CRLF injection vulnerability in the Undertow web server in WildFly 10.0.0, as used in Red Hat JBoss Enterprise Application Platform (EAP) 7.x before 7.0.2, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
nvd
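The response-splitting mechanism behind CVE-2016-4993, as an added example (not Undertow's or WildFly's code, and not the vector the advisory leaves unspecified): a toy redirect builder that copies an attacker-influenced value into a header, a minimal client-side parser that shows one byte stream turning into two responses, and the field-value check that closes the hole. The injected payload and the URLs are constructed for the demonstration.

```python
import re

# Constructed attacker input: a redirect target carrying CR/LF sequences that
# terminate the first response and start a second, attacker-authored one.
INJECTED_LOCATION = (
    "https://example.invalid/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 25\r\n"
    "\r\n"
    "<script>alert(1)</script>"
)

# RFC 7230 forbids CR, LF and NUL inside a header field value.
_FORBIDDEN_IN_HEADER = re.compile(r"[\r\n\x00]")


def build_redirect_naive(location: str) -> bytes:
    """Vulnerable pattern: a caller-supplied value is copied into a header with
    no validation, so embedded CR/LF become new header and response lines."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def is_safe_header_value(value: str) -> bool:
    """True when the value contains no CR, LF or NUL."""
    return _FORBIDDEN_IN_HEADER.search(value) is None


def build_redirect_checked(location: str) -> bytes:
    """Hardened builder: reject rather than strip, so the bad input surfaces
    as an error upstream instead of being silently rewritten."""
    if not is_safe_header_value(location):
        raise ValueError("CR/LF/NUL in header value: possible response splitting")
    return build_redirect_naive(location)


def parse_stream(raw: bytes) -> list:
    """Parse a byte stream the way a simple HTTP/1.1 client does: status line,
    header block up to the first blank line, then exactly Content-Length body
    bytes; repeat while another status line follows. Each element is
    (status_line, headers, body)."""
    messages = []
    pos = 0
    while pos < len(raw):
        end = raw.find(b"\r\n\r\n", pos)
        if end < 0:
            break
        head = raw[pos:end].decode("latin-1").split("\r\n")
        status, headers = head[0], {}
        if not status.startswith("HTTP/"):
            break
        for line in head[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body_start = end + 4
        messages.append((status, headers, raw[body_start:body_start + length]))
        pos = body_start + length
    return messages


def responses_seen(location: str) -> int:
    """Number of responses a client sees for one naive redirect to `location`."""
    return len(parse_stream(build_redirect_naive(location)))


if __name__ == "__main__":
    print("benign  :", responses_seen("https://example.invalid/"))  # 1
    print("injected:", responses_seen(INJECTED_LOCATION))            # 2
    try:
        build_redirect_checked(INJECTED_LOCATION)
    except ValueError as exc:
        print("checked :", exc)
```

The second, attacker-authored response is what a cache or browser treats as the answer to the next request on the connection, which is why a header-value check (or, for redirects, URL-encoding the value before it reaches the header) has to sit in the server's header-writing path rather than in individual applications.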
CVE-2016-2183 | HIGH | CVSS 7.5 | PoC | v6.0.0 | 2016-09-01 | CWE-200
The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DE
nvd
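The "birthday bound of approximately four billion blocks" worked through as an added example (not code from the page, OpenSSL or the JDK): the collision probability after n blocks of a 64-bit block cipher in CBC mode, the block count at which it reaches 50 %, the bytes on the wire at the 2^32-block mark, and a helper that flags DES/3DES suites in either the IANA or the OpenSSL spelling. The sample suite list is constructed.

```python
import math


def collision_probability(blocks: int, block_bits: int) -> float:
    """Birthday approximation: P(at least one repeated ciphertext block among
    n blocks of a b-bit block cipher in CBC mode) ~= 1 - exp(-n^2 / 2^(b+1)).
    A repeated block leaks the XOR of the two corresponding plaintext blocks."""
    return 1.0 - math.exp(-(blocks ** 2) / (2.0 * 2 ** block_bits))


def blocks_for_probability(p: float, block_bits: int) -> int:
    """Invert the approximation: n ~= sqrt(2 * 2^b * ln(1 / (1 - p)))."""
    return int(math.sqrt(2.0 * 2 ** block_bits * math.log(1.0 / (1.0 - p))))


def bytes_at_birthday_bound(block_bits: int) -> int:
    """Bytes transferred once 2^(b/2) blocks have been sent under one key:
    32 GiB for a 64-bit block, far beyond any session for a 128-bit block."""
    return 2 ** (block_bits // 2) * (block_bits // 8)


def uses_des(suite: str) -> bool:
    """Flag a cipher-suite name (IANA or OpenSSL spelling) that negotiates
    single DES or 3DES. Other 64-bit block ciphers (IDEA, Blowfish, RC2) share
    the weakness but are outside this entry's scope, so they are not matched."""
    s = suite.upper()
    return any(tok in s for tok in ("3DES", "DES-CBC", "DES_CBC", "DES-EDE", "DES_EDE"))


def audit_suites(suites: list) -> list:
    """Return the offered suites that should be dropped to remove the exposure."""
    return [s for s in suites if uses_des(s)]


# Constructed sample of an offered suite list, mixing IANA and OpenSSL names.
SAMPLE_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_DES_CBC_SHA",
    "ECDHE-RSA-DES-CBC3-SHA",
    "AES256-SHA",
]


if __name__ == "__main__":
    print("P(collision) after 2^32 blocks, 64-bit:", collision_probability(2 ** 32, 64))
    print("blocks for 50 %, 64-bit:", blocks_for_probability(0.5, 64))
    print("bytes at birthday bound, 64-bit:", bytes_at_birthday_bound(64))
    print("flagged suites:", audit_suites(SAMPLE_SUITES))
```

The numbers show why the attack needs a long-lived session: roughly 32 GiB must pass under one key before a collision is likely, which is why the mitigation is both to remove the DES/3DES suites and, where they cannot be removed yet, to cap connection lifetime or bytes per key.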
CVE-2016-2141 | CRITICAL | CVSS 9.8 | v5.2, v6.4, +1 more | 2016-06-30
It was found that JGroups did not require necessary headers for encrypt and auth protocols from new nodes joining the cluster. An attacker could use this flaw to bypass security restrictions, and use this vulnerability to send and receive messages within the cluster, leading to information disclosure, message spoofing, or further possible attacks.
nvd
CVE-2015-5304 | LOW | CVSS 3.5 | ≤ 6.4.4 | 2015-12-16 | CWE-264
Red Hat JBoss Enterprise Application Platform (EAP) before 6.4.5 does not properly authorize access to shut down the server, which allows remote authenticated users with the Monitor, Deployer, or Auditor role to cause a denial of service via unspecified vectors.
nvd
CVE-2015-5178 | MEDIUM | CVSS 4.3 | ≤ 6.4.3 | 2015-10-27 | CWE-254
The Management Console in Red Hat Enterprise Application Platform before 6.4.4 and WildFly (formerly JBoss Application Server) does not send an X-Frame-Options HTTP header, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web page that contains a (1) FRAME or (2) IFRAME element.
nvd
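A check for the missing anti-framing header described above, as an added example that is not Red Hat's, WildFly's or the management console's code: it classifies a response from its headers, gives the CSP frame-ancestors directive precedence over X-Frame-Options as browsers do, and treats ALLOW-FROM as weak because current browsers ignore that form. The sample console responses are constructed.

```python
from typing import Optional


def _frame_ancestors(csp: str) -> Optional[list]:
    """Return the source list of a CSP frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            return value.split()
    return None


def frame_protection(headers: dict) -> str:
    """Classify a response's clickjacking posture: 'protected', 'weak' or 'unprotected'.

    When frame-ancestors is present browsers ignore X-Frame-Options, so the
    CSP directive is evaluated first."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    ancestors = _frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:
        if "*" in ancestors or any(s in ("http:", "https:") for s in ancestors):
            return "unprotected"      # any origin may frame the page
        return "protected"            # 'none', 'self' or an explicit allow-list
    xfo = h.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "protected"
    if xfo.startswith("ALLOW-FROM"):
        return "weak"                 # obsolete; modern browsers ignore it entirely
    return "unprotected"


def framable_urls(responses: list) -> list:
    """URLs whose responses are not fully protected against framing."""
    return [url for url, hdrs in responses if frame_protection(hdrs) != "protected"]


# Constructed sample: (url, response headers) for a few console endpoints.
SAMPLE_RESPONSES = [
    ("/console/App.html", {"Content-Type": "text/html"}),
    ("/console/index.html", {"X-Frame-Options": "SAMEORIGIN"}),
    ("/console/legacy", {"x-frame-options": "ALLOW-FROM https://intranet.example.invalid"}),
    ("/console/csp", {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}),
    ("/console/open", {"Content-Security-Policy": "frame-ancestors *", "X-Frame-Options": "DENY"}),
]


if __name__ == "__main__":
    for url, hdrs in SAMPLE_RESPONSES:
        print(f"{url}: {frame_protection(hdrs)}")
```

Feed it the headers captured from the console's own responses (one request per entry point, including the login page, since a framed login page is the usual clickjacking target) and treat anything other than "protected" as a finding.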
CVE-2015-5188 | MEDIUM | CVSS 6.8 | ≤ 6.4.3 | 2015-10-27 | CWE-352
Cross-site request forgery (CSRF) vulnerability in the Web Console (web-console) in Red Hat Enterprise Application Platform before 6.4.4 and WildFly (formerly JBoss Application Server) before 2.0.0.CR9 allows remote attackers to hijack the authentication of administrators for requests that make arbitrary changes to an instance via vectors involving a
nvd
CVE-2015-5220 | MEDIUM | CVSS 5.0 | ≤ 6.4.3 | 2015-10-27 | CWE-119
The Web Console in Red Hat Enterprise Application Platform (EAP) before 6.4.4 and WildFly (formerly JBoss Application Server) allows remote attackers to cause a denial of service (memory consumption) via a large request header.
nvd
CVE-2014-3586 | LOW | CVSS 2.1 | ≤ 6.3.3 | 2015-04-21 | CWE-264
The default configuration for the Command Line Interface in Red Hat Enterprise Application Platform before 6.4.0 and WildFly (formerly JBoss Application Server) uses weak permissions for .jboss-cli-history, which allows local users to obtain sensitive information via unspecified vectors.
nvd
CVE-2014-0005 | LOW | CVSS 3.6 | v6.2.2 | 2015-02-20 | CWE-264
PicketBox and JBossSX, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 6.2.2 and JBoss BRMS before 6.0.3 roll up patch 2, allow remote authenticated users to read and modify the application server configuration and state by deploying a crafted application.
nvd
CVE-2014-7849 | MEDIUM | CVSS 4.0 | v6.2.0, v6.2.1, +6 more | 2015-02-13 | CWE-264
The Role Based Access Control (RBAC) implementation in JBoss Enterprise Application Platform (EAP) 6.2.0 through 6.3.2 does not properly verify authorization conditions, which allows remote authenticated users to add, modify, and undefine otherwise restricted attributes by leveraging the Maintainer role.
nvd
CVE-2014-7853 | MEDIUM | CVSS 4.0 | ≤ 6.3.2 | 2015-02-13 | CWE-200
The JBoss Application Server (WildFly) JacORB subsystem in Red Hat JBoss Enterprise Application Platform (EAP) before 6.3.3 does not properly assign socket-binding-ref sensitivity classification to the security-domain attribute, which allows remote authenticated users to obtain sensitive information by leveraging access to the security-domain attribut
nvd
CVE-2014-7827 | LOW | CVSS 3.5 | ≤ 6.3.2 | 2015-02-13 | CWE-264
The org.jboss.security.plugins.mapping.JBossMappingManager implementation in JBoss Security in Red Hat JBoss Enterprise Application Platform (EAP) before 6.3.3 uses the default security domain when a security domain is undefined, which allows remote authenticated users to bypass intended access restrictions by leveraging credentials on the default domain
nvd
CVE-2014-0059 | LOW | CVSS 2.1 | ≤ 6.2.2 | 2014-11-17 | CWE-200
JBoss SX and PicketBox, as used in Red Hat JBoss Enterprise Application Platform (EAP) before 6.2.3, use world-readable permissions on audit.log, which allows local users to obtain sensitive information by reading this file.
nvd
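A local permissions check covering this entry and CVE-2014-3586 above (the weak default mode on .jboss-cli-history), as an added example that is not Red Hat's or WildFly's code. The bit test is a pure function so it can be exercised without touching the filesystem; the default paths (~/.jboss-cli-history, $JBOSS_HOME/standalone/log/audit.log, $JBOSS_HOME/domain/log/audit.log) and the fallback JBOSS_HOME of /opt/jboss-eap are assumed locations to adjust for the installation.

```python
import os
import stat


def mode_findings(path: str, mode: int, max_mode: int = 0o600) -> list:
    """Describe the permission bits in `mode` (an st_mode value) that exceed
    `max_mode`. Pure function: the caller supplies the mode, so it can be
    tested without a filesystem."""
    perm = stat.S_IMODE(mode)
    extra = perm & ~max_mode
    findings = []
    if extra & 0o044:
        findings.append(f"{path}: readable by group/other (mode {perm:04o})")
    if extra & 0o022:
        findings.append(f"{path}: writable by group/other (mode {perm:04o})")
    if extra & 0o011:
        findings.append(f"{path}: executable by group/other (mode {perm:04o})")
    return findings


def default_paths() -> list:
    """Assumed locations of the two files named in the advisories; the
    JBOSS_HOME fallback is an assumption as well."""
    home = os.environ.get("JBOSS_HOME", "/opt/jboss-eap")
    return [
        os.path.expanduser("~/.jboss-cli-history"),
        os.path.join(home, "standalone", "log", "audit.log"),
        os.path.join(home, "domain", "log", "audit.log"),
    ]


def audit(paths: list, max_mode: int = 0o600) -> list:
    """Stat each existing path and collect findings. Missing files are skipped,
    since a file that does not exist cannot leak anything."""
    findings = []
    for p in paths:
        try:
            st = os.stat(p)
        except FileNotFoundError:
            continue
        findings.extend(mode_findings(p, st.st_mode, max_mode))
    return findings


if __name__ == "__main__":
    for line in audit(default_paths()) or ["no findings"]:
        print(line)
```

Both files hold data that only the account running the CLI or the server should read (command history may contain credentials passed on the command line; the audit log records security decisions), so the remediation on an affected release is chmod 600 on the files, plus a check of the parent directory's mode and of any umask applied by the service's start-up script so newly rotated files do not reopen the gap.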
CVE-2014-3490 | HIGH | CVSS 7.5 | v6.3.0 | 2014-08-19
RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0, does not disable external entities when the resteasy.document.expand.entity.references parameter is set to false, which allows remote attackers to read arbitrary files and have other unspecified impact via unspecified vectors, related to a
nvd
CVE-2014-3472 | MEDIUM | CVSS 4.9 | v6.3.0 | 2014-08-19 | CWE-264
The isCallerInRole function in SimpleSecurityManager in JBoss Application Server (AS) 7, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 6.3.0, does not properly check caller roles, which allows remote authenticated users to bypass access restrictions via unspecified vectors.
nvd
CVE-2014-3464 | MEDIUM | CVSS 5.5 | v6.2.0, v6.3.0 | 2014-08-19
The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) 6.2.0 and 6.3.0, does not properly enforce the method level restrictions for outbound messages, which allows remote authenticated users to access otherwise restricted JAX-WS handlers by leveraging permissions to the EJB class. NOTE: this vulner
nvd