Filtered by vendor Redhat
Subscriptions
Filtered by product Jboss Fuse
Subscriptions
Total
567 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-11307 | 3 Fasterxml, Oracle, Redhat | 18 Jackson-databind, Clusterware, Communications Instant Messaging Server and 15 more | 2024-11-21 | 9.8 Critical |
| An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6. | ||||
| CVE-2018-10899 | 2 Jolokia, Redhat | 4 Jolokia, Jboss Amq, Jboss Fuse and 1 more | 2024-11-21 | N/A |
| A flaw was found in Jolokia versions from 1.2 to before 1.6.1. Affected versions are vulnerable to a system-wide CSRF. This holds true for properly configured instances with strict checking for origin and referrer headers. This could result in a Remote Code Execution attack. | ||||
| CVE-2018-1000873 | 4 Fasterxml, Netapp, Oracle and 1 more | 7 Jackson-modules-java8, Active Iq Unified Manager, Clusterware and 4 more | 2024-11-21 | 6.5 Medium |
| Fasterxml Jackson version Before 2.9.8 contains a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in Causes a denial-of-service (DoS). This attack appear to be exploitable via The victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8. | ||||
| CVE-2018-1000850 | 2 Redhat, Squareup | 2 Jboss Fuse, Retrofit | 2024-11-21 | N/A |
| Square Retrofit version versions from (including) 2.0 and 2.5.0 (excluding) contains a Directory Traversal vulnerability in RequestBuilder class, method addPathParameter that can result in By manipulating the URL an attacker could add or delete resources otherwise unavailable to her.. This attack appear to be exploitable via An attacker should have access to an encoded path parameter on POST, PUT or DELETE request.. This vulnerability appears to have been fixed in 2.5.0 and later. | ||||
| CVE-2018-1000632 | 5 Debian, Dom4j Project, Netapp and 2 more | 17 Debian Linux, Dom4j, Oncommand Workflow Automation and 14 more | 2024-11-21 | 7.5 High |
| dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later. | ||||
| CVE-2018-1000180 | 5 Bouncycastle, Debian, Netapp and 2 more | 24 Fips Java Api, Legion-of-the-bouncy-castle-java-crytography-api, Debian Linux and 21 more | 2024-11-21 | N/A |
| Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later. | ||||
| CVE-2018-1000130 | 2 Jolokia, Redhat | 2 Webarchive Agent, Jboss Fuse | 2024-11-21 | N/A |
| A JNDI Injection vulnerability exists in Jolokia agent version 1.3.7 in the proxy mode that allows a remote attacker to run arbitrary Java code on the server. | ||||
| CVE-2018-1000129 | 2 Jolokia, Redhat | 3 Jolokia, Jboss Amq, Jboss Fuse | 2024-11-21 | N/A |
| An XSS vulnerability exists in the Jolokia agent version 1.3.7 in the HTTP servlet that allows an attacker to execute malicious javascript in the victim's browser. | ||||
| CVE-2017-8046 | 3 Pivotal Software, Redhat, Vmware | 3 Spring Data Rest, Jboss Fuse, Spring Boot | 2024-11-21 | N/A |
| Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code. | ||||
| CVE-2017-7657 | 6 Debian, Eclipse, Hp and 3 more | 20 Debian Linux, Jetty, Xp P9000 and 17 more | 2024-11-21 | 9.8 Critical |
| In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request. | ||||
| CVE-2017-7559 | 1 Redhat | 4 Jboss Amq, Jboss Enterprise Application Platform, Jboss Fuse and 1 more | 2024-11-21 | N/A |
| In Undertow 2.x before 2.0.0.Alpha2, 1.4.x before 1.4.17.Final, and 1.3.x before 1.3.31.Final, it was found that the fix for CVE-2017-2666 was incomplete and invalid characters are still allowed in the query string and path parameters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other than their own. | ||||
| CVE-2017-7536 | 1 Redhat | 9 Enterprise Linux, Hibernate Validator, Jboss Amq and 6 more | 2024-11-21 | 7.0 High |
| In Hibernate Validator 5.2.x before 5.2.5 final, 5.3.x, and 5.4.x, it was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue(). | ||||
| CVE-2017-7525 | 5 Debian, Fasterxml, Netapp and 2 more | 30 Debian Linux, Jackson-databind, Oncommand Balance and 27 more | 2024-11-21 | 9.8 Critical |
| A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. | ||||
| CVE-2017-2617 | 2 Hawt.io, Redhat | 3 Hawtio, Jboss Amq, Jboss Fuse | 2024-11-21 | N/A |
| hawtio before version 1.5.5 is vulnerable to remote code execution via file upload. An attacker could use this vulnerability to upload a crafted file which could be executed on a target machine where hawtio is deployed. | ||||
| CVE-2017-2594 | 2 Hawt, Redhat | 3 Hawtio, Jboss Amq, Jboss Fuse | 2024-11-21 | N/A |
| hawtio before versions 2.0-beta-1, 2.0-beta-2 2.0-m1, 2.0-m2, 2.0-m3, and 1.5 is vulnerable to a path traversal that leads to a NullPointerException with a full stacktrace. An attacker could use this flaw to gather undisclosed information from within hawtio's root. | ||||
| CVE-2017-2589 | 2 Hawt, Redhat | 3 Hawtio, Jboss Amq, Jboss Fuse | 2024-11-21 | N/A |
| It was discovered that the hawtio servlet 1.4 uses a single HttpClient instance to proxy requests with a persistent cookie store (cookies are stored locally and are not passed between the client and the end URL) which means all clients using that proxy are sharing the same cookies. | ||||
| CVE-2017-18640 | 5 Fedoraproject, Oracle, Quarkus and 2 more | 8 Fedora, Peoplesoft Enterprise Pt Peopletools, Quarkus and 5 more | 2024-11-21 | 7.5 High |
| The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564. | ||||
| CVE-2017-15691 | 2 Apache, Redhat | 5 Uima-as, Uimaducc, Uimafit and 2 more | 2024-11-21 | N/A |
| In Apache uimaj prior to 2.10.2, Apache uimaj 3.0.0-xxx prior to 3.0.0-beta, Apache uima-as prior to 2.10.2, Apache uimaFIT prior to 2.4.0, Apache uimaDUCC prior to 2.2.2, this vulnerability relates to an XML external entity expansion (XXE) capability of various XML parsers. UIMA as part of its configuration and operation may read XML from various sources, which could be tainted in ways to cause inadvertent disclosure of local files or other internal content. | ||||
| CVE-2017-15095 | 5 Debian, Fasterxml, Netapp and 2 more | 31 Debian Linux, Jackson-databind, Oncommand Balance and 28 more | 2024-11-21 | 9.8 Critical |
| A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously. | ||||
| CVE-2017-15089 | 2 Infinispan, Redhat | 6 Infinispan, Jboss Data Grid, Jboss Enterprise Application Platform and 3 more | 2024-11-21 | N/A |
| It was found that the Hotrod client in Infinispan before 9.2.0.CR1 would unsafely read deserialized data on information from the cache. An authenticated attacker could inject a malicious object into the data cache and attain deserialization on the client, and possibly conduct further attacks. | ||||