Vulnerabilities (CVE)

Filtered by vendor Redhat Subscribe
Filtered by product Decision Manager
Total 14 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-14900 3 Hibernate, Quarkus, Redhat 11 Hibernate Orm, Quarkus, Build Of Quarkus and 8 more 2022-04-29 4.0 MEDIUM 6.5 MEDIUM
A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.
CVE-2020-1748 1 Redhat 3 Decision Manager, Process Automation, Wildfly Elytron 2022-04-28 5.0 MEDIUM 7.5 HIGH
A flaw was found in all supported versions before wildfly-elytron-1.6.8.Final-redhat-00001, where the WildFlySecurityManager checks were bypassed when using custom security managers, resulting in an improper authorization. This flaw leads to information exposure by unauthenticated access to secure resources.
CVE-2019-14862 2 Knockoutjs, Redhat 3 Knockout, Decision Manager, Process Automation 2022-04-20 4.3 MEDIUM 6.1 MEDIUM
There is a vulnerability in knockout before version 3.5.0-beta, where after escaping the context of the web application, the web application delivers data to its users along with other trusted dynamic content, without validating it.
CVE-2019-14886 1 Redhat 2 Decision Manager, Process Automation Manager 2021-10-29 4.0 MEDIUM 6.5 MEDIUM
A vulnerability was found in business-central, as shipped in rhdm-7.5.1 and rhpam-7.5.1, where encoded passwords are stored in errai_security_context. The encoding used for storing the passwords is Base64, not an encryption algorithm, and any recovery of these passwords could lead to user passwords being exposed.
CVE-2020-1714 2 Quarkus, Redhat 7 Quarkus, Decision Manager, Jboss Fuse and 4 more 2021-10-19 6.5 MEDIUM 8.8 HIGH
A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized in a privileged context and potentially lead to remote code execution.
CVE-2018-12022 5 Debian, Fasterxml, Fedoraproject and 2 more 11 Debian Linux, Jackson-databind, Fedora and 8 more 2020-10-20 5.1 MEDIUM 7.5 HIGH
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.
CVE-2018-12023 5 Debian, Fasterxml, Fedoraproject and 2 more 11 Debian Linux, Jackson-databind, Fedora and 8 more 2020-10-20 5.1 MEDIUM 7.5 HIGH
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.
CVE-2019-14892 2 Fasterxml, Redhat 7 Jackson-databind, Decision Manager, Jboss Data Grid and 4 more 2020-09-04 7.5 HIGH 9.8 CRITICAL
A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.
CVE-2018-19360 4 Debian, Fasterxml, Oracle and 1 more 12 Debian Linux, Jackson-databind, Business Process Management Suite and 9 more 2020-08-31 7.5 HIGH 9.8 CRITICAL
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.
CVE-2018-19362 4 Debian, Fasterxml, Oracle and 1 more 12 Debian Linux, Jackson-databind, Business Process Management Suite and 9 more 2020-08-31 7.5 HIGH 9.8 CRITICAL
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.
CVE-2018-19361 4 Debian, Fasterxml, Oracle and 1 more 12 Debian Linux, Jackson-databind, Business Process Management Suite and 9 more 2020-08-31 7.5 HIGH 9.8 CRITICAL
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.
CVE-2020-1720 2 Postgresql, Redhat 4 Postgresql, Decision Manager, Enterprise Linux and 1 more 2020-08-17 3.5 LOW 6.5 MEDIUM
A flaw was found in PostgreSQL's "ALTER ... DEPENDS ON EXTENSION", where sub-commands did not perform authorization checks. An authenticated attacker could use this flaw in certain configurations to perform drop objects such as function, triggers, et al., leading to database corruption. This issue affects PostgreSQL versions before 12.2, before 11.7, before 10.12 and before 9.6.17.
CVE-2019-14863 2 Angularjs, Redhat 3 Angular.js, Decision Manager, Process Automation 2020-01-09 4.3 MEDIUM 6.1 MEDIUM
There is a vulnerability in all angular versions before 1.5.0-beta.0, where after escaping the context of the web application, the web application delivers data to its users along with other trusted dynamic content, without validating it.
CVE-2017-7545 1 Redhat 3 Decision Manager, Jboss Bpm Suite, Jbpm 2019-10-09 4.0 MEDIUM 6.5 MEDIUM
It was discovered that the XmlUtils class in jbpmmigration 6.5 performed expansion of external parameter entities while parsing XML files. A remote attacker could use this flaw to read files accessible to the user running the application server and, potentially, perform other more advanced XML eXternal Entity (XXE) attacks.