Filtered by vendor Redhat
Subscribe
Filtered by product Jboss Enterprise Application Platform
Subscribe
Total
224 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2013-1896 | 4 Apache, Canonical, Opensuse and 1 more | 10 Http Server, Ubuntu Linux, Opensuse and 7 more | 2023-12-10 | 4.3 MEDIUM | N/A |
| mod_dav.c in the Apache HTTP Server before 2.2.25 does not properly determine whether DAV is enabled for a URI, which allows remote attackers to cause a denial of service (segmentation fault) via a MERGE request in which the URI is configured for handling by the mod_dav_svn module, but a certain href attribute in XML data refers to a non-DAV URI. | |||||
| CVE-2012-4550 | 1 Redhat | 1 Jboss Enterprise Application Platform | 2023-12-10 | 6.4 MEDIUM | N/A |
| JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) before 6.0.1, when using role-based authorization for Enterprise Java Beans (EJB) access, does not call the intended authorization modules, which prevents JACC permissions from being applied and allows remote attackers to obtain access to the EJB. | |||||
| CVE-2012-5629 | 1 Redhat | 2 Jboss Enterprise Application Platform, Jboss Enterprise Web Platform | 2023-12-10 | 7.5 HIGH | N/A |
| The default configuration of the (1) LdapLoginModule and (2) LdapExtLoginModule modules in JBoss Enterprise Application Platform (EAP) 4.3.0 CP10, 5.2.0, and 6.0.1, and Enterprise Web Platform (EWP) 5.2.0 allow remote attackers to bypass authentication via an empty password. | |||||
| CVE-2012-4572 | 1 Redhat | 2 Jboss Enterprise Application Platform, Jboss Enterprise Portal Platform | 2023-12-10 | 3.7 LOW | N/A |
| Red Hat JBoss Enterprise Application Platform (EAP) before 6.1.0 and JBoss Portal before 6.1.0 does not load the implementation of a custom authorization module for a new application when an implementation is already loaded and the modules share class names, which allows local users to control certain applications' authorization decisions via a crafted application. | |||||
| CVE-2012-3370 | 1 Redhat | 3 Jboss Enterprise Application Platform, Jboss Enterprise Brms Platform, Jboss Enterprise Web Platform | 2023-12-10 | 5.8 MEDIUM | N/A |
| The SecurityAssociation.getCredential method in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 returns the credentials of the previous user when a security context is not provided, which allows remote attackers to gain privileges as other users. | |||||
| CVE-2011-4575 | 1 Redhat | 3 Jboss Enterprise Application Platform, Jboss Enterprise Brms Platform, Jboss Enterprise Web Platform | 2023-12-10 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the JMX console in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2012-1167 | 1 Redhat | 4 Jboss Enterprise Application Platform, Jboss Enterprise Brms Platform, Jboss Enterprise Soa Platform and 1 more | 2023-12-10 | 4.6 MEDIUM | N/A |
| The JBoss Server in JBoss Enterprise Application Platform 5.1.x before 5.1.2 and 5.2.x before 5.2.2, Web Platform before 5.1.2, BRMS Platform before 5.3.0, and SOA Platform before 5.3.0, when the server is configured to use the JaccAuthorizationRealm and the ignoreBaseDecision property is set to true on the JBossWebRealm, does not properly check the permissions created by the WebPermissionMapping class, which allows remote authenticated users to access arbitrary applications. | |||||
| CVE-2013-2133 | 1 Redhat | 2 Enterprise Linux, Jboss Enterprise Application Platform | 2023-12-10 | 5.5 MEDIUM | N/A |
| The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) before 6.2.0, does not properly enforce the method level restrictions for JAX-WS Service endpoints, which allows remote authenticated users to access otherwise restricted JAX-WS handlers by leveraging permissions to the EJB class. | |||||
| CVE-2013-4210 | 1 Redhat | 4 Jboss Enterprise Application Platform, Jboss Enterprise Brms Platform, Jboss Enterprise Soa Platform and 1 more | 2023-12-10 | 5.0 MEDIUM | N/A |
| The org.jboss.remoting.transport.socket.ServerThread class in Red Hat JBoss Remoting for Red Hat JBoss SOA Platform 5.3.1 GA, Web Platform 5.2.0, Enterprise Application Platform 5.2.0, and other products allows remote attackers to cause a denial of service (file descriptor consumption) via unspecified vectors. | |||||
| CVE-2012-0034 | 1 Redhat | 3 Jboss Enterprise Application Platform, Jboss Enterprise Brms Platform, Jboss Enterprise Web Platform | 2023-12-10 | 2.1 LOW | N/A |
| The NonManagedConnectionFactory in JBoss Enterprise Application Platform (EAP) 5.1.2 and 5.2.0, Web Platform (EWP) 5.1.2 and 5.2.0, and BRMS Platform before 5.3.1 logs the username and password in cleartext when an exception is thrown, which allows local users to obtain sensitive information by reading the log file. | |||||
| CVE-2012-3369 | 1 Redhat | 3 Jboss Enterprise Application Platform, Jboss Enterprise Brms Platform, Jboss Enterprise Web Platform | 2023-12-10 | 4.0 MEDIUM | N/A |
| The CallerIdentityLoginModule in JBoss Enterprise Application Platform (EAP) before 5.2.0, Web Platform (EWP) before 5.2.0, BRMS Platform before 5.3.1, and SOA Platform before 5.3.1 allows remote attackers to gain privileges of the previous user via a null password, which causes the previous user's password to be used. | |||||
| CVE-2012-5575 | 2 Apache, Redhat | 6 Cxf, Jboss Enterprise Application Platform, Jboss Enterprise Portal Platform and 3 more | 2023-12-10 | 6.4 MEDIUM | N/A |
| Apache CXF 2.5.x before 2.5.10, 2.6.x before CXF 2.6.7, and 2.7.x before CXF 2.7.4 does not verify that a specified cryptographic algorithm is allowed by the WS-SecurityPolicy AlgorithmSuite definition before decrypting, which allows remote attackers to force CXF to use weaker cryptographic algorithms than intended and makes it easier to decrypt communications, aka "XML Encryption backwards compatibility attack." | |||||
| CVE-2012-4549 | 1 Redhat | 1 Jboss Enterprise Application Platform | 2023-12-10 | 5.8 MEDIUM | N/A |
| The processInvocation function in org.jboss.as.ejb3.security.AuthorizationInterceptor in JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) before 6.0.1, authorizes all requests when no roles are allowed for an Enterprise Java Beans (EJB) method invocation, which allows attackers to bypass intended access restrictions for EJB methods. | |||||
| CVE-2013-4213 | 1 Redhat | 1 Jboss Enterprise Application Platform | 2023-12-10 | 6.4 MEDIUM | N/A |
| Red Hat JBoss Enterprise Application Platform (EAP) 6.1.0 does not properly cache EJB invocations by the EJB client API, which allows remote attackers to hijack sessions by using an EJB client. | |||||
| CVE-2012-1154 | 1 Redhat | 2 Jboss Enterprise Application Platform, Mod Cluster | 2023-12-10 | 4.3 MEDIUM | N/A |
| mod_cluster 1.0.10 before 1.0.10 CP03 and 1.1.x before 1.1.4, as used in JBoss Enterprise Application Platform 5.1.2, when "ROOT" is set to excludedContexts, exposes the root context of the server, which allows remote attackers to bypass access restrictions and gain access to applications deployed on the root context via unspecified vectors. | |||||
| CVE-2013-1921 | 1 Redhat | 1 Jboss Enterprise Application Platform | 2023-12-10 | 1.9 LOW | N/A |
| PicketBox, as used in Red Hat JBoss Enterprise Application Platform before 6.1.1, allows local users to obtain the admin encryption key by reading the Vault data file. | |||||
| CVE-2013-4112 | 2 Jgroups, Redhat | 2 Jgroup, Jboss Enterprise Application Platform | 2023-12-10 | 5.4 MEDIUM | N/A |
| The DiagnosticsHandler in JGroup 3.0.x, 3.1.x, 3.2.x before 3.2.9, and 3.3.x before 3.3.3 allows remote attackers to obtain sensitive information (diagnostic information) and execute arbitrary code by reusing valid credentials. | |||||
| CVE-2013-1862 | 5 Apache, Canonical, Opensuse and 2 more | 11 Http Server, Ubuntu Linux, Opensuse and 8 more | 2023-12-10 | 5.1 MEDIUM | N/A |
| mod_rewrite.c in the mod_rewrite module in the Apache HTTP Server 2.2.x before 2.2.25 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to execute arbitrary commands via an HTTP request containing an escape sequence for a terminal emulator. | |||||
| CVE-2012-4529 | 1 Redhat | 2 Jboss Community Application Server, Jboss Enterprise Application Platform | 2023-12-10 | 4.3 MEDIUM | N/A |
| The org.apache.catalina.connector.Response.encodeURL method in Red Hat JBoss Web 7.1.x and earlier, when the tracking mode is set to COOKIE, sends the jsessionid in the URL of the first response of a session, which allows remote attackers to obtain the session id (1) via a man-in-the-middle attack or (2) by reading a log. | |||||
| CVE-2013-0218 | 1 Redhat | 2 Jboss Enterprise Application Platform, Jboss Enterprise Web Platform | 2023-12-10 | 2.1 LOW | N/A |
| The GUI installer in JBoss Enterprise Application Platform (EAP) and Enterprise Web Platform (EWP) 5.2.0 and possibly 5.1.2 uses world-readable permissions for the auto-install XML file, which allows local users to obtain the administrator password and the sucker password by reading this file. | |||||