Filtered by vendor Redhat
Subscriptions
Filtered by product Jboss Enterprise Brms Platform
Subscriptions
Total
206 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-1249 | 1 Redhat | 15 Amq Broker, Amq Streams, Build Keycloak and 12 more | 2025-05-02 | 7.4 High |
| A flaw was found in Keycloak's OIDC component in the "checkLoginIframe," which allows unvalidated cross-origin messages. This flaw allows attackers to coordinate and send millions of requests in seconds using simple code, significantly impacting the application's availability without proper origin validation for incoming messages. | ||||
| CVE-2017-17485 | 4 Debian, Fasterxml, Netapp and 1 more | 15 Debian Linux, Jackson-databind, E-series Santricity Os Controller and 12 more | 2025-05-01 | 9.8 Critical |
| FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath. | ||||
| CVE-2019-12814 | 3 Debian, Fasterxml, Redhat | 12 Debian Linux, Jackson-databind, Amq Streams and 9 more | 2025-05-01 | 5.9 Medium |
| A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server. | ||||
| CVE-2020-10673 | 5 Debian, Fasterxml, Netapp and 2 more | 41 Debian Linux, Jackson-databind, Steelstore Cloud Integrated Storage and 38 more | 2025-05-01 | 8.8 High |
| FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus). | ||||
| CVE-2020-14061 | 5 Debian, Fasterxml, Netapp and 2 more | 20 Debian Linux, Jackson-databind, Active Iq Unified Manager and 17 more | 2025-05-01 | 8.1 High |
| FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms). | ||||
| CVE-2020-11113 | 5 Debian, Fasterxml, Netapp and 2 more | 41 Debian Linux, Jackson-databind, Steelstore Cloud Integrated Storage and 38 more | 2025-05-01 | 8.8 High |
| FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa). | ||||
| CVE-2020-25638 | 5 Debian, Hibernate, Oracle and 2 more | 14 Debian Linux, Hibernate Orm, Communications Cloud Native Core Console and 11 more | 2025-04-23 | 7.4 High |
| A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity. | ||||
| CVE-2014-9970 | 2 Jasypt Project, Redhat | 8 Jasypt, Enterprise Linux, Jboss Bpms and 5 more | 2025-04-20 | N/A |
| jasypt before 1.9.2 allows a timing attack against the password hash comparison. | ||||
| CVE-2016-4434 | 2 Apache, Redhat | 4 Tika, Jboss Bpms, Jboss Data Virtualization and 1 more | 2025-04-20 | N/A |
| Apache Tika before 1.13 does not properly initialize the XML parser or choose handlers, which might allow remote attackers to conduct XML External Entity (XXE) attacks via vectors involving (1) spreadsheets in OOXML files and (2) XMP metadata in PDF and other file formats, a related issue to CVE-2016-2175. | ||||
| CVE-2015-7501 | 1 Redhat | 22 Data Grid, Enterprise Linux, Jboss A-mq and 19 more | 2025-04-20 | N/A |
| Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library. | ||||
| CVE-2017-5929 | 2 Qos, Redhat | 7 Logback, Jboss Amq, Jboss Bpms and 4 more | 2025-04-20 | 9.8 Critical |
| QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components. | ||||
| CVE-2017-5662 | 2 Apache, Redhat | 5 Batik, Jboss Amq, Jboss Bpms and 2 more | 2025-04-20 | N/A |
| In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack. | ||||
| CVE-2017-5637 | 3 Apache, Debian, Redhat | 5 Zookeeper, Debian Linux, Jboss Bpms and 2 more | 2025-04-20 | N/A |
| Two four letter word commands "wchp/wchc" are CPU intensive and could cause spike of CPU utilization on Apache ZooKeeper server if abused, which leads to the server unable to serve legitimate client requests. Apache ZooKeeper thru version 3.4.9 and 3.5.2 suffer from this issue, fixed in 3.4.10, 3.5.3, and later. | ||||
| CVE-2016-5401 | 1 Redhat | 2 Jboss Bpm Suite, Jboss Enterprise Brms Platform | 2025-04-20 | N/A |
| Cross-site request forgery (CSRF) vulnerability in Red Hat JBoss BRMS and BPMS 6 allows remote attackers to hijack the authentication of users for requests that modify instances via a crafted web page. | ||||
| CVE-2017-5645 | 4 Apache, Netapp, Oracle and 1 more | 86 Log4j, Oncommand Api Services, Oncommand Insight and 83 more | 2025-04-20 | 9.8 Critical |
| In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code. | ||||
| CVE-2017-7957 | 3 Debian, Redhat, Xstream Project | 6 Debian Linux, Jboss Amq, Jboss Bpms and 3 more | 2025-04-20 | N/A |
| XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("<void/>") call. | ||||
| CVE-2015-0250 | 3 Apache, Canonical, Redhat | 5 Batik, Ubuntu Linux, Jboss Bpms and 2 more | 2025-04-12 | N/A |
| XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file. | ||||
| CVE-2014-0005 | 1 Redhat | 6 Jboss Bpms, Jboss Brms, Jboss Enterprise Application Platform and 3 more | 2025-04-12 | N/A |
| PicketBox and JBossSX, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 6.2.2 and JBoss BRMS before 6.0.3 roll up patch 2, allows remote authenticated users to read and modify the application sever configuration and state by deploying a crafted application. | ||||
| CVE-2016-2175 | 3 Apache, Debian, Redhat | 7 Pdfbox, Debian Linux, Jboss Amq and 4 more | 2025-04-12 | N/A |
| Apache PDFBox before 1.8.12 and 2.x before 2.0.1 does not properly initialize the XML parsers, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted PDF. | ||||
| CVE-2016-2141 | 1 Redhat | 11 Enterprise Linux, Jboss Data Grid, Jboss Data Virtualization and 8 more | 2025-04-12 | 9.8 Critical |
| It was found that JGroups did not require necessary headers for encrypt and auth protocols from new nodes joining the cluster. An attacker could use this flaw to bypass security restrictions, and use this vulnerability to send and receive messages within the cluster, leading to information disclosure, message spoofing, or further possible attacks. | ||||