Red Hat JBoss Fuse vulnerabilities

41 known vulnerabilities affecting redhat/jboss_fuse.

Total CVEs: 41
CISA KEV: 1 (actively exploited)
Public exploits: 1
Exploited in wild: 1
Severity breakdown: CRITICAL 6, HIGH 17, MEDIUM 14, LOW 4

Vulnerabilities

Page 2 of 3
CVE-2020-1757 | HIGH | CVSS 8.1 | affects: v6.0.0, v7.0.0 | published 2020-04-21
CWE-20. A flaw was found in all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1, and in all undertow-1.x.x and undertow-2.x.x versions prior to undertow-2.1.0.Final, where the Servlet container normalizes servletPath incorrectly by truncating the path after a semicolon, which may lead to an application mapping that results in a security bypass.
Source: NVD
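The entry above says servletPath was truncated after the semicolon. The following Python illustration is added here and is not Undertow code: it contrasts a container that cuts the whole path at the first ';' with one that strips ';param' per segment and then resolves dot-segments, and shows where a security constraint keyed on the first disagrees with a servlet mapping keyed on the second. The protected prefix and the request paths are constructed for the demo; it does not reproduce Undertow's internals or a working exploit against it. The practical check is that authorization and dispatch key on the same canonicalised path.

```python
"""Path-parameter normalisation mismatch of the kind described for CVE-2020-1757.

Added illustration, not Undertow's code.  The constraint prefix and the sample
paths are constructed for the demo.
"""
from posixpath import normpath

PROTECTED_PREFIX = "/admin"   # constructed security constraint for the demo


def naive_servlet_path(raw_path: str) -> str:
    """Faulty normalisation: discard everything from the first ';' onwards,
    which also throws away every later segment (and any '..' in them)."""
    return raw_path.split(";", 1)[0]


def strip_path_params(raw_path: str) -> str:
    """Remove ';param=value' from each segment but keep the segments."""
    return "/".join(seg.split(";", 1)[0] for seg in raw_path.split("/"))


def canonical_path(raw_path: str) -> str:
    """Per-segment parameter stripping followed by '.'/'..' resolution."""
    path = normpath(strip_path_params(raw_path))
    return path if path.startswith("/") else "/" + path


def is_protected(path: str) -> bool:
    """Constraint check: does the path fall under the protected tree?"""
    return path == PROTECTED_PREFIX or path.startswith(PROTECTED_PREFIX + "/")


def constraint_mismatch(raw_path: str):
    """Return (naive, canonical, mismatch).  mismatch is True when a check on
    the naive path and a mapping on the canonical path disagree about whether
    the request touches the protected tree."""
    naive = naive_servlet_path(raw_path)
    canon = canonical_path(raw_path)
    return naive, canon, is_protected(naive) != is_protected(canon)


if __name__ == "__main__":
    for raw in ("/admin/users", "/admin;v=1/users",
                "/public;jsessionid=abc/../admin/users"):
        print(raw, "->", constraint_mismatch(raw))
```

The third sample path is the interesting one: the naive normaliser sees only `/public`, while a per-segment normaliser resolves it to `/admin/users`, so any component that keys on the naive form never sees the protected prefix.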
CVE-2019-14887 | CRITICAL | CVSS 9.1 | affects: v7.0.0 | published 2020-03-16
CWE-757. A flaw was found when an OpenSSL security provider is used with WildFly: the 'enabled-protocols' value in the WildFly configuration isn't honored. An attacker could target the traffic sent from WildFly and downgrade the connection to a weaker version of TLS, potentially breaking the encryption. This could lead to a leak of the data being passed ov
Source: NVD
CVE-2019-14892 | CRITICAL | CVSS 9.8 | affects: v7.0.0 | published 2020-03-02
CWE-200. A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.
Source: NVD
CVE-2019-14888 | HIGH | CVSS 7.5 | affects: v6.0.0, v7.0.0 | published 2020-01-23
CWE-400. A vulnerability was found in the Undertow HTTP server in versions before 2.0.28.SP1 when listening on HTTPS. An attacker can target the HTTPS port to carry out a denial of service (DoS) and make the service unavailable over SSL.
Source: NVD
CVE-2019-14820 | MEDIUM | CVSS 4.3 | affects: v7.0.0 | published 2020-01-08
CWE-200. It was found that Keycloak before version 8.0.0 exposes internal adapter endpoints in org.keycloak.constants.AdapterConstants, which can be invoked via a specially crafted URL. This vulnerability could allow an attacker to access unauthorized information.
Source: NVD
CVE-2019-10172 | HIGH | CVSS 7.5 | affects: v7.0.0 | published 2019-11-18
A flaw was found in the org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity (XXE) vulnerabilities similar to CVE-2016-3720 also affect the Codehaus jackson-mapper-asl libraries, but in different classes.
Source: NVD
CVE-2019-10212 | CRITICAL | CVSS 9.8 | affects: ≥ 7.0.0, ≤ 7.4 | published 2019-10-02
CWE-532. A flaw was found in Undertow versions under 2.0.20 in the DEBUG log for io.undertow.request.security. If that logger is enabled, an attacker could abuse this flaw to obtain the user's credentials from the log files.
Source: NVD
CVE-2015-7559 | LOW | CVSS 2.7 | affects: v6.3 | published 2019-08-01
CWE-306. It was found that the Apache ActiveMQ client before 5.14.5 exposed a remote shutdown command in the ActiveMQConnection class. An attacker logged into a compromised broker could use this flaw to achieve denial of service on a connected client.
Source: NVD
CVE-2016-8648 | HIGH | CVSS 7.2 | affects: v6.0.0 | published 2018-08-01
CWE-502. It was found that the Karaf container used by Red Hat JBoss Fuse 6.x and Red Hat JBoss A-MQ 6.x deserializes objects passed to MBeans via JMX operations. An attacker could use this flaw to execute remote code on the server as the user running the Java Virtual Machine if the target MBean contains deserialization gadgets in its classpath.
Source: NVD
CVE-2016-8653 | MEDIUM | CVSS 5.3 | affects: v6.0.0 | published 2018-08-01
CWE-502. It was found that the JMX endpoint of Red Hat JBoss Fuse 6 and Red Hat A-MQ 6 deserializes the credentials passed to it. An attacker could use this flaw to launch a denial of service attack.
Source: NVD
CVE-2017-2589 | CRITICAL | CVSS 9.0 | affects: v6.3 | published 2018-07-26
CWE-285. It was discovered that the hawtio servlet 1.4 uses a single HttpClient instance to proxy requests with a persistent cookie store (cookies are stored locally and are not passed between the client and the end URL), which means all clients using that proxy share the same cookies.
Source: NVD
CVE-2017-12196 | MEDIUM | CVSS 5.9 | affects: v6.0.0 | published 2018-04-18
CWE-287. Undertow before versions 1.4.18.SP1, 1.4.24.Final and 2.0.2.Final was found vulnerable when using Digest authentication: the server does not ensure that the value of the URI in the Authorization header matches the URI in the HTTP request line. This allows an attacker to carry out a MITM attack and access the desired content on the server.
Source: NVD
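The missing check in the entry above is the binding between the Digest `uri=` parameter and the request line. The following Python example is added here and is not Undertow code: `verify_lax()` reproduces the faulty pattern (the response hash is validated over whatever `uri=` the client supplied, so a header captured for one resource also verifies for a request to any other), while `verify_strict()` first requires `uri=` to equal the request-target. The realm, user, password and nonces are constructed for the demo; nonce freshness and replay tracking are a separate concern and are left out.

```python
"""Digest-authentication URI binding, the check CVE-2017-12196 says affected
Undertow versions did not perform.

Added example, not Undertow code.  Realm, credential store and nonces are
constructed for the demo.
"""
import hashlib
import hmac

REALM = "fuse"                     # constructed realm
USERS = {"alice": "s3cret"}        # constructed credential store


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5(f"{username}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_header(username, password, method, uri, nonce, cnonce, nc="00000001"):
    """What a client sends after a 401 challenge (values contain no commas)."""
    resp = digest_response(username, password, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def parse_digest_header(header: str) -> dict:
    """Minimal parser for the comma-separated key=value list built above."""
    scheme, _, rest = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest header")
    params = {}
    for part in rest.split(","):
        key, _, value = part.strip().partition("=")
        params[key] = value.strip('"')
    return params


def verify_lax(method: str, request_uri: str, header: str) -> bool:
    """Vulnerable pattern: request_uri is never consulted, only the header's
    own uri= value goes into HA2, so the hash proves nothing about the
    resource actually being requested."""
    p = parse_digest_header(header)
    password = USERS.get(p.get("username"))
    if password is None or p.get("realm") != REALM:
        return False
    try:
        expected = digest_response(p["username"], password, method, p["uri"],
                                   p["nonce"], p["nc"], p["cnonce"], p.get("qop", "auth"))
        return hmac.compare_digest(expected, p["response"])
    except KeyError:
        return False


def verify_strict(method: str, request_uri: str, header: str) -> bool:
    """Hardened: bind the header to the request line, then check the hash."""
    if parse_digest_header(header).get("uri") != request_uri:
        return False
    return verify_lax(method, request_uri, header)


if __name__ == "__main__":
    captured = build_header("alice", "s3cret", "GET", "/public/status",
                            nonce="n0nce", cnonce="c1")
    print("original request, strict:", verify_strict("GET", "/public/status", captured))
    print("replayed to /admin/secret, lax:", verify_lax("GET", "/admin/secret", captured))
    print("replayed to /admin/secret, strict:", verify_strict("GET", "/admin/secret", captured))
```

A man-in-the-middle who captures the header for `/public/status` can present it unchanged on a request for `/admin/secret`; the lax verifier accepts it because the hash still matches the `uri=` it carries, and the strict verifier rejects it on the URI comparison before any hashing.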
CVE-2014-0121 | CRITICAL | CVSS 9.8 | affects: v6.1.0 | published 2017-12-29
CWE-287. The admin terminal in Hawt.io does not require authentication, which allows remote attackers to execute arbitrary commands via the k parameter.
Source: NVD
CVE-2014-0120 | HIGH | CVSS 8.8 | affects: v6.1.0 | published 2017-12-29
CWE-352. Cross-site request forgery (CSRF) vulnerability in the admin terminal in Hawt.io allows remote attackers to hijack the authentication of arbitrary users for requests that run commands on the Karaf server, as demonstrated by running "shutdown -f".
Source: NVD
CVE-2015-7501 | CRITICAL | CVSS 9.8 | affects: v6.0.0 | published 2017-11-09
CWE-502. Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Ha
Source: NVD
CVE-2014-8175 | MEDIUM | CVSS 6.0 | affects: ≤ 6.1.0 | published 2015-07-08
CWE-264. Red Hat JBoss Fuse before 6.2.0 allows remote authenticated users to bypass intended restrictions and access the HawtIO console by leveraging an account defined in the users.properties file.
Source: NVD
CVE-2013-7397 | MEDIUM | CVSS 4.3 | affects: ≤ 6.1.0 | published 2015-06-24
CWE-345. Async Http Client (aka AHC or async-http-client) before 1.9.0 skips X.509 certificate verification unless both a keyStore location and a trustStore location are explicitly set, which allows man-in-the-middle attackers to spoof HTTPS servers by presenting an arbitrary certificate during use of a typical AHC configuration, as demonstrated by a configura
Source: NVD
CVE-2013-7398 | MEDIUM | CVSS 4.3 | affects: ≤ 6.1.0 | published 2015-06-24
CWE-345. main/java/com/ning/http/client/AsyncHttpClientConfig.java in Async Http Client (aka AHC or async-http-client) before 1.9.0 does not require a hostname match during verification of X.509 certificates, which allows man-in-the-middle attackers to spoof HTTPS servers via an arbitrary valid certificate.
Source: NVD
CVE-2014-5075 | MEDIUM | CVSS 6.8 | affects: ≤ 6.1.0 | published 2014-10-25
CWE-310. The Ignite Realtime Smack XMPP API 4.x before 4.0.2, and 3.x and 2.x when a custom SSLContext is used, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Source: NVD
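Several entries on this page fix a library on more than one maintenance branch at once (jackson-databind before 2.9.10, 2.8.11.5 and 2.6.7.3 for CVE-2019-14892; activemq-client before 5.14.5 for CVE-2015-7559; async-http-client before 1.9.0 for CVE-2013-7397 and CVE-2013-7398; Smack 4.x before 4.0.2, and all 3.x and 2.x, for CVE-2014-5075). A plain numeric comparison against the highest fixed version would wrongly flag 2.8.11.5 as vulnerable, so the branch matters. The following Python check is added here and is not Red Hat tooling: it reads constructed `mvn dependency:list` output and compares each artifact within its own major.minor branch first. The Maven group and artifact ids are assumed coordinates, the sample output is constructed, and Red Hat builds (the `.redhat-NNNNNN` qualifier) are flagged for manual confirmation because Red Hat backports fixes without changing the upstream number. The Undertow entries are deliberately not in the table: their SP/Final qualifiers need a comparator that does not simply discard the qualifier.

```python
"""Branch-aware dependency check for the library versions named on this page.

Added example, not Red Hat's tooling.  Maven coordinates are assumed; the
dependency:list output below is constructed, not from a real build.
"""
import re

# artifact -> (fixed versions quoted on the page, CVE)
FIXED = {
    "com.fasterxml.jackson.core:jackson-databind": (["2.9.10", "2.8.11.5", "2.6.7.3"], "CVE-2019-14892"),
    "org.apache.activemq:activemq-client": (["5.14.5"], "CVE-2015-7559"),
    "com.ning:async-http-client": (["1.9.0"], "CVE-2013-7397/CVE-2013-7398"),
    "org.igniterealtime.smack:smack-core": (["4.0.2"], "CVE-2014-5075"),
}

# `[INFO]    group:artifact:jar:version:scope` (lines without a classifier)
DEP_LINE = re.compile(
    r"^\[INFO\]\s+(?P<g>[^:\s]+):(?P<a>[^:\s]+):(?:jar|bundle|war):(?P<v>[^:\s]+)(?::\w+)?\s*$"
)

# constructed output, not from a real build
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.9.9:compile
[INFO]    com.fasterxml.jackson.core:jackson-core:jar:2.9.9:compile
[INFO]    org.apache.activemq:activemq-client:jar:5.11.0.redhat-630187:compile
[INFO]    com.ning:async-http-client:jar:1.9.40:compile
[INFO]    org.igniterealtime.smack:smack-core:jar:4.1.0:compile
[INFO]    io.undertow:undertow-core:jar:2.0.30.SP1:compile
"""


def parse_version(version: str):
    """Split '5.11.0.redhat-630187' into ((5, 11, 0), '.redhat-630187')."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(x) for x in m.group(0).split(".")), version[m.end():]


def is_vulnerable(version: str, fixed_versions) -> bool:
    """True when `version` is below the fix for its own major.minor branch, or,
    for a branch with no backported fix (e.g. 2.7.x), below the newest fix."""
    nums, _ = parse_version(version)
    fixes = [parse_version(f)[0] for f in fixed_versions]
    branch_fixes = [f for f in fixes if f[:2] == nums[:2]]
    return nums < (max(branch_fixes) if branch_fixes else max(fixes))


def scan_dependency_list(text: str):
    """Return one finding string per affected artifact in the listing."""
    findings = []
    for line in text.splitlines():
        m = DEP_LINE.match(line)
        if not m:
            continue
        key = f"{m['g']}:{m['a']}"
        if key not in FIXED:
            continue
        fixes, cve = FIXED[key]
        version = m["v"]
        if is_vulnerable(version, fixes):
            _, qualifier = parse_version(version)
            # Red Hat rebuilds keep the upstream number and may already carry
            # the fix; confirm against the RHSA rather than the number alone.
            note = " (vendor build, confirm against the RHSA)" if "redhat" in qualifier else ""
            findings.append(f"{key}:{version} -> {cve}, fixed in {', '.join(fixes)}{note}")
    return findings


if __name__ == "__main__":
    for finding in scan_dependency_list(SAMPLE_DEPENDENCY_LIST):
        print(finding)
```

On the constructed listing the scan reports jackson-databind 2.9.9 and the activemq-client vendor build, and correctly leaves async-http-client 1.9.40 and smack-core 4.1.0 alone even though both are numerically "after" a fix on a different branch.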
CVE-2014-0085 | LOW | CVSS 2.1 | affects: v6.0.0 | published 2014-04-17
CWE-255. JBoss Fuse did not enable encrypted passwords by default in its usage of Apache Zookeeper. This permitted sensitive information disclosure via logging to local users. Note: this description has been updated; previous text mistakenly identified the source of the flaw as Zookeeper. Previous text: Apache Zookeeper logs cleartext admin passwords, which allow
Source: NVD