CVE-2013-7397 – async-http-client: SSL/TLS certificate verification is disabled under certain conditions
https://notcve.org/view.php?id=CVE-2013-7397
Async Http Client (aka AHC or async-http-client) before 1.9.0 skips X.509 certificate verification unless both a keyStore location and a trustStore location are explicitly set, which allows man-in-the-middle attackers to spoof HTTPS servers by presenting an arbitrary certificate during use of a typical AHC configuration, as demonstrated by a configuration that does not send client certificates. Async Http Client (también conocido como AHC o async-http-client) anterior a 1.9.0 salta la verificación los certificados X.509 a no ser que tanto una localización keyStore y una localización trustStore estén configuradas explícitamente, lo que permite a atacantes man-in-the-middle falsificar servidores HTTPS mediante la presentación de un certificado arbitrario durante el uso de una configuración AHC típica, tal y como fue demostrado por una configuración que no envía certificados de cliente. It was found that async-http-client would disable SSL/TLS certificate verification under certain conditions, for example if HTTPS communication also used client certificates. A man-in-the-middle (MITM) attacker could use this flaw to spoof a valid certificate. • http://openwall.com/lists/oss-security/2014/08/26/1 http://rhn.redhat.com/errata/RHSA-2015-0850.html http://rhn.redhat.com/errata/RHSA-2015-0851.html http://rhn.redhat.com/errata/RHSA-2015-1176.html http://rhn.redhat.com/errata/RHSA-2015-1551.html http://www.securityfocus.com/bid/69316 https://github.com/AsyncHttpClient/async-http-client/issues/352 https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E https://l • CWE-295: Improper Certificate Validation CWE-345: Insufficient Verification of Data Authenticity •
CVE-2014-5075 – smack: MitM vulnerability
https://notcve.org/view.php?id=CVE-2014-5075
The Ignite Realtime Smack XMPP API 4.x before 4.0.2, and 3.x and 2.x when a custom SSLContext is used, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. La API Ignite Realtime Smack XMPP 4.x anterior a 4.0.2, y 3.x y 2.x cuando se utiliza un SSLContext personalizado, no verifica que el nombre del servidor coincide con un nombre de dominio en el campo de asunto Common Name (CN) o subjectAltName del certificado X.509, lo que permite a atacantes man-in-the-middle suplantar los servidores SSL a través de un certificado válido arbitrario. It was found that SSLSocket in Smack did not perform hostname verification. An attacker could redirect traffic between an application and an XMPP server by providing a valid certificate for a domain under the attacker's control. • http://op-co.de/CVE-2014-5075.html http://rhn.redhat.com/errata/RHSA-2015-1176.html http://secunia.com/advisories/59915 http://www.securityfocus.com/bid/69064 https://access.redhat.com/security/cve/CVE-2014-5075 https://bugzilla.redhat.com/show_bug.cgi?id=1127276 • CWE-310: Cryptographic Issues •
CVE-2013-6469
https://notcve.org/view.php?id=CVE-2013-6469
JBoss Overlord Run Time Governance (RTGov) 1.0 for JBossAS allows remote authenticated users to execute arbitrary Java code via an MVFLEX Expression Language (MVEL) expression. NOTE: some of these details are obtained from third party information. JBoss Overlord Run Time Governance (RTGov) 1.0 para JBossAS permite a usuarios remotos autenticados ejecutar código Java arbitrario a través de una expresión MVFLEX Expression Language (MVEL). NOTA: algunos de estos datos se obtienen de información de terceras partes. • http://secunia.com/advisories/57843 https://bugzilla.redhat.com/show_bug.cgi?id=1051279 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2014-0085 – Fuse: admin user cleartext password appears in logging
https://notcve.org/view.php?id=CVE-2014-0085
JBoss Fuse did not enable encrypted passwords by default in its usage of Apache Zookeeper. This permitted sensitive information disclosure via logging to local users. Note: this description has been updated; previous text mistakenly identified the source of the flaw as Zookeeper. Previous text: Apache Zookeeper logs cleartext admin passwords, which allows local users to obtain sensitive information by reading the log. JBoss Fuse no habilitaba contraseñas cifradas por defecto en su uso de Apache Zookeeper. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0085 https://access.redhat.com/security/cve/CVE-2014-0085 https://bugzilla.redhat.com/show_bug.cgi?id=1067265 • CWE-255: Credentials Management Errors CWE-522: Insufficiently Protected Credentials •
CVE-2013-4372 – Console: Stored cross-site scripting (XSS)
https://notcve.org/view.php?id=CVE-2013-4372
Multiple cross-site scripting (XSS) vulnerabilities in Fuse Management Console in Red Hat JBoss Fuse 6.0.0 before patch 3 and JBoss A-MQ 6.0.0 before patch 3 allow remote attackers to inject arbitrary web script or HTML via the (1) user field in the create user page or (2) profile version to the create profile page. Múltiples vulnerabilidades de XSS en Fuse Management Console en Red Hat JBoss Fuse 6.0.0 anterior al parche 3 y JBoss A-MQ 6.0.0 anterior al parche 3 permite a atacantes remotos inyectar script web o HTML arbitrario a través de (1) campos de usuario en la página de creación de usuarios o (2) en la versión de perfil de la página de creación de perfiles. • http://fusesource.com/forge/git/fuseenterprise.git/?p=fuseenterprise.git%3Ba=commitdiff%3Bh=f5436ea1c5547c851bb6f92561272fe42c146e68 http://fusesource.com/issues/browse/FMC-495 http://rhn.redhat.com/errata/RHSA-2013-1286.html http://rhn.redhat.com/errata/RHSA-2013-1862.html http://www.securityfocus.com/bid/62659 https://bugzilla.redhat.com/show_bug.cgi?id=1011736 https://github.com/jboss-fuse/fuse/commit/e280cb370323eeb759030919d5111ed809e8ded5 https://access.redhat.com/security/cve/CVE-2013-4372 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •