Vulnerabilities (CVE)

Filtered by vendor Redhat Subscribe
Filtered by product Jboss Data Grid
Total 19 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2020-14340 2 Oracle, Redhat 14 Communications Cloud Native Core Console, Communications Cloud Native Core Network Repository Function, Communications Cloud Native Core Policy and 11 more 2022-05-12 4.3 MEDIUM 5.9 MEDIUM
A vulnerability was discovered in XNIO where file descriptor leak caused by growing amounts of NIO Selector file handles between garbage collection cycles. It may allow the attacker to cause a denial of service. It affects XNIO versions 3.6.0.Beta1 through 3.8.1.Final.
CVE-2019-14900 3 Hibernate, Quarkus, Redhat 11 Hibernate Orm, Quarkus, Build Of Quarkus and 8 more 2022-04-29 4.0 MEDIUM 6.5 MEDIUM
A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.
CVE-2021-4104 4 Apache, Fedoraproject, Oracle and 1 more 23 Log4j, Fedora, Retail Allocation and 20 more 2022-04-20 6.0 MEDIUM 7.5 HIGH
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
CVE-2019-14888 2 Netapp, Redhat 6 Active Iq Unified Manager, Jboss Data Grid, Jboss Enterprise Application Platform and 3 more 2022-04-01 5.0 MEDIUM 7.5 HIGH
A vulnerability was found in the Undertow HTTP server in versions before 2.0.28.SP1 when listening on HTTPS. An attacker can target the HTTPS port to carry out a Denial Of Service (DOS) to make the service unavailable on SSL.
CVE-2019-10174 3 Infinispan, Netapp, Redhat 8 Infinispan, Active Iq Unified Manager, Enterprise Linux and 5 more 2022-02-20 6.5 MEDIUM 8.8 HIGH
A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious behavior into the application.
CVE-2019-10219 3 Netapp, Oracle, Redhat 193 Active Iq Unified Manager, Element, Management Services For Element Software And Netapp Hci and 190 more 2022-02-20 4.3 MEDIUM 6.1 MEDIUM
A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack.
CVE-2019-10212 2 Netapp, Redhat 8 Active Iq Unified Manager, Enterprise Linux, Jboss Data Grid and 5 more 2022-02-20 4.3 MEDIUM 9.8 CRITICAL
A flaw was found in, all under 2.0.20, in the Undertow DEBUG log for io.undertow.request.security. If enabled, an attacker could abuse this flaw to obtain the user's credentials from the log files.
CVE-2019-3888 2 Netapp, Redhat 7 Active Iq Unified Manager, Enterprise Linux, Jboss Data Grid and 4 more 2022-02-20 5.0 MEDIUM 9.8 CRITICAL
A vulnerability was found in Undertow web server before 2.0.21. An information exposure of plain text credentials through log files because Connectors.executeRootHandler:402 logs the HttpServerExchange object at ERROR level using UndertowLogger.REQUEST_LOGGER.undertowRequestFailed(t, exchange)
CVE-2019-10184 2 Netapp, Redhat 7 Active Iq Unified Manager, Enterprise Linux, Jboss Data Grid and 4 more 2022-02-20 5.0 MEDIUM 7.5 HIGH
undertow before version 2.0.23.Final is vulnerable to an information leak issue. Web apps may have their directory structures predicted through requests without trailing slashes via the api.
CVE-2019-14887 1 Redhat 6 Jboss Data Grid, Jboss Enterprise Application Platform, Jboss Fuse and 3 more 2021-11-02 6.4 MEDIUM 9.1 CRITICAL
A flaw was found when an OpenSSL security provider is used with Wildfly, the 'enabled-protocols' value in the Wildfly configuration isn't honored. An attacker could target the traffic sent from Wildfly and downgrade the connection to a weaker version of TLS, potentially breaking the encryption. This could lead to a leak of the data being passed over the network. Wildfly version 7.2.0.GA, 7.2.3.GA and 7.2.5.CR2 are believed to be vulnerable.
CVE-2020-25644 2 Netapp, Redhat 10 Oncommand Insight, Oncommand Workflow Automation, Service Level Manager and 7 more 2021-10-19 5.0 MEDIUM 7.5 HIGH
A memory leak flaw was found in WildFly OpenSSL in versions prior to 1.1.3.Final, where it removes an HTTP session. It may allow the attacker to cause OOM leading to a denial of service. The highest threat from this vulnerability is to system availability.
CVE-2020-25689 2 Netapp, Redhat 10 Active Iq Unified Manager, Oncommand Insight, Service Level Manager and 7 more 2021-10-19 6.8 MEDIUM 6.5 MEDIUM
A memory leak flaw was found in WildFly in all versions up to 21.0.0.Final, where host-controller tries to reconnect in a loop, generating new connections which are not properly closed while not able to connect to domain-controller. This flaw allows an attacker to cause an Out of memory (OOM) issue, leading to a denial of service. The highest threat from this vulnerability is to system availability.
CVE-2016-4970 3 Apache, Netty, Redhat 4 Cassandra, Netty, Jboss Data Grid and 1 more 2021-02-14 7.8 HIGH 7.5 HIGH
handler/ssl/OpenSslEngine.java in Netty 4.0.x before 4.0.37.Final and 4.1.x before 4.1.1.Final allows remote attackers to cause a denial of service (infinite loop).
CVE-2020-1710 1 Redhat 4 Jboss Data Grid, Jboss Enterprise Application Platform, Openshift Application Runtimes and 1 more 2020-09-22 5.0 MEDIUM 5.3 MEDIUM
The issue appears to be that JBoss EAP 6.4.21 does not parse the field-name in accordance to RFC7230[1] as it returns a 200 instead of a 400.
CVE-2019-14892 2 Fasterxml, Redhat 7 Jackson-databind, Decision Manager, Jboss Data Grid and 4 more 2020-09-04 7.5 HIGH 9.8 CRITICAL
A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.
CVE-2020-1757 1 Redhat 6 Jboss Data Grid, Jboss Enterprise Application Platform, Jboss Fuse and 3 more 2020-04-30 5.5 MEDIUM 8.1 HIGH
A flaw was found in all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1, all undertow-1.x.x and undertow-2.x.x versions prior to undertow-2.1.0.Final, where the Servlet container causes servletPath to normalize incorrectly by truncating the path after semicolon which may lead to an application mapping resulting in the security bypass.
CVE-2019-10158 2 Infinispan, Redhat 2 Infinispan, Jboss Data Grid 2020-01-10 7.5 HIGH 9.8 CRITICAL
A flaw was found in Infinispan through version 9.4.14.Final. An improper implementation of the session fixation protection in the Spring Session integration can result in incorrect session handling.
CVE-2018-1131 2 Infinispan, Redhat 2 Infinispan, Jboss Data Grid 2019-10-09 6.5 MEDIUM 8.8 HIGH
Infinispan permits improper deserialization of trusted data via XML and JSON transcoders under certain server configurations. A user with authenticated access to the server could send a malicious object to a cache configured to accept certain types of objects, achieving code execution and possible further attacks. Versions 9.0.3.Final, 9.1.7.Final, 8.2.10.Final, 9.2.2.Final, 9.3.0.Alpha1 are believed to be affected.
CVE-2017-2638 2 Infinispan, Redhat 2 Infinispan, Jboss Data Grid 2019-10-09 6.4 MEDIUM 6.5 MEDIUM
It was found that the REST API in Infinispan before version 9.0.0 did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name.