| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2022-0853 | 401 | | +Info | 2022-03-11 | 2022-03-18 | 5.0 | None | Remote | Low | Not required | None | None | Partial | A flaw was found in JBoss-client. The vulnerability occurs due to a memory leak on the JBoss client-side, when using UserTransaction repeatedly and leads to information leakage vulnerability. |
| 2 | CVE-2021-32029 | 200 | | +Info | 2021-10-08 | 2021-12-03 | 4.0 | None | Remote | Low | ??? | Partial | None | None | A flaw was found in postgresql. Using an UPDATE ... RETURNING command on a purpose-crafted table, an authenticated database user could read arbitrary bytes of server memory. The highest threat from this vulnerability is to data confidentiality. |
| 3 | CVE-2021-32027 | 119 | | Overflow | 2021-06-01 | 2021-09-14 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | A flaw was found in postgresql in versions before 13.3, before 12.7, before 11.12, before 10.17 and before 9.6.22. While modifying certain SQL array values, missing bounds checks let authenticated database users write arbitrary bytes to a wide area of server memory. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. |
| 4 | CVE-2021-20324 | 384 | | | 2022-04-18 | 2022-04-26 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | A flaw was found in WildFly Elytron. A variation to the use of a session fixation exploit when using Undertow was found despite Undertow switching the session ID after authentication. |
| 5 | CVE-2021-3642 | 203 | | | 2021-08-05 | 2021-10-20 | 3.5 | None | Remote | Medium | ??? | Partial | None | None | A flaw was found in Wildfly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final where ScramServer may be susceptible to Timing Attack if enabled. The highest threat of this vulnerability is confidentiality. |
| 6 | CVE-2020-25689 | 401 | | DoS | 2020-11-02 | 2021-10-19 | 6.8 | None | Remote | Low | ??? | None | None | Complete | A memory leak flaw was found in WildFly in all versions up to 21.0.0.Final, where host-controller tries to reconnect in a loop, generating new connections which are not properly closed while not able to connect to domain-controller. This flaw allows an attacker to cause an Out of memory (OOM) issue, leading to a denial of service. The highest threat from this vulnerability is to system availability. |
| 7 | CVE-2020-25644 | 401 | | DoS | 2020-10-06 | 2021-10-19 | 5.0 | None | Remote | Low | Not required | None | None | Partial | A memory leak flaw was found in WildFly OpenSSL in versions prior to 1.1.3.Final, where it removes an HTTP session. It may allow the attacker to cause OOM leading to a denial of service. The highest threat from this vulnerability is to system availability. |
| 8 | CVE-2020-1757 | 20 | | Bypass | 2020-04-21 | 2020-04-30 | 5.5 | None | Remote | Low | ??? | Partial | Partial | None | A flaw was found in all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1, all undertow-1.x.x and undertow-2.x.x versions prior to undertow-2.1.0.Final, where the Servlet container causes servletPath to normalize incorrectly by truncating the path after semicolon which may lead to an application mapping resulting in the security bypass. |
| 9 | CVE-2020-1732 | 20 | | | 2020-05-04 | 2020-05-08 | 4.9 | None | Remote | Medium | ??? | Partial | Partial | None | A flaw was found in Soteria before 1.0.1, in a way that multiple requests occurring concurrently causing security identity corruption across concurrent threads when using EE Security with WildFly Elytron which can lead to the possibility of being handled using the identity from another request. |
| 10 | CVE-2020-1710 | | | | 2020-09-16 | 2020-09-22 | 5.0 | None | Remote | Low | Not required | None | Partial | None | The issue appears to be that JBoss EAP 6.4.21 does not parse the field-name in accordance to RFC7230[1] as it returns a 200 instead of a 400. |
| 11 | CVE-2019-14888 | | | DoS | 2020-01-23 | 2022-04-01 | 5.0 | None | Remote | Low | Not required | None | None | Partial | A vulnerability was found in the Undertow HTTP server in versions before 2.0.28.SP1 when listening on HTTPS. An attacker can target the HTTPS port to carry out a Denial Of Service (DOS) to make the service unavailable on SSL. |
| 12 | CVE-2019-14887 | | | | 2020-03-16 | 2021-11-02 | 6.4 | None | Remote | Low | Not required | Partial | Partial | None | A flaw was found when an OpenSSL security provider is used with Wildfly, the 'enabled-protocols' value in the Wildfly configuration isn't honored. An attacker could target the traffic sent from Wildfly and downgrade the connection to a weaker version of TLS, potentially breaking the encryption. This could lead to a leak of the data being passed over the network. Wildfly version 7.2.0.GA, 7.2.3.GA and 7.2.5.CR2 are believed to be vulnerable. |
| 13 | CVE-2019-10184 | 862 | | +Info | 2019-07-25 | 2022-02-20 | 5.0 | None | Remote | Low | Not required | Partial | None | None | undertow before version 2.0.23.Final is vulnerable to an information leak issue. Web apps may have their directory structures predicted through requests without trailing slashes via the api. |
| 14 | CVE-2019-3894 | | | | 2019-05-03 | 2020-10-15 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | It was discovered that the ElytronManagedThread in Wildfly's Elytron subsystem in versions from 11 to 16 stores a SecurityIdentity to run the thread as. These threads do not necessarily terminate if the keep alive time has not expired. This could allow a shared thread to use the wrong security identity when executing. |
| 15 | CVE-2019-3805 | 269 | | | 2019-05-03 | 2020-10-16 | 4.7 | None | Local | Medium | Not required | None | None | Complete | A flaw was discovered in wildfly versions up to 16.0.0.Final that would allow local users who are able to execute init.d script to terminate arbitrary processes on the system. An attacker could exploit this by modifying the PID file in /var/run/jboss-eap/ allowing the init.d script to terminate any process as root. |
| 16 | CVE-2017-12196 | 863 | | | 2018-04-18 | 2019-10-09 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | undertow before versions 1.4.18.SP1, 2.0.2.Final, 1.4.24.Final was found vulnerable when using Digest authentication, the server does not ensure that the value of URI in the Authorization header matches the URI in HTTP request line. This allows the attacker to cause a MITM attack and access the desired content on the server. |
| 17 | CVE-2017-12165 | 444 | | | 2018-07-27 | 2019-10-09 | 5.0 | None | Remote | Low | Not required | None | Partial | None | It was discovered that Undertow before 1.4.17, 1.3.31 and 2.0.0 processes http request headers with unusual whitespaces which can cause possible http request smuggling. |
| 18 | CVE-2017-7465 | 94 | | Exec Code | 2018-06-27 | 2019-10-09 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | It was found that the JAXP implementation used in JBoss EAP 7.0 for XSLT processing is vulnerable to code injection. An attacker could use this flaw to cause remote code execution if they are able to provide XSLT content for parsing. Doing a transform in JAXP requires the use of a 'javax.xml.transform.TransformerFactory'. If the FEATURE_SECURE_PROCESSING feature is set to 'true', it mitigates this vulnerability. |
| 19 | CVE-2016-8656 | 264 | | | 2018-05-22 | 2019-10-09 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial | Jboss jbossas before versions 5.2.0-23, 6.4.13, 7.0.5 is vulnerable to an unsafe file handling in the jboss init script which could result in local privilege escalation. |
| 20 | CVE-2016-8627 | 400 | | | 2018-05-11 | 2019-10-09 | 4.3 | None | Remote | Medium | Not required | None | None | Partial | admin-cli before versions 3.0.0.alpha25, 2.2.1.cr2 is vulnerable to an EAP feature to download server log files that allows logs to be available via GET requests making them vulnerable to cross-origin attacks. An attacker could trigger the user's browser to request the log files consuming enough resources that normal server functioning could be impaired. |