CVSS: 7.1EPSS: 0%CPEs: 2EXPL: 0CVE-2009-5066 – JBoss: twiddle.sh accepts credentials as command line arguments, exposing them to other local users via a process listing
https://notcve.org/view.php?id=CVE-2009-5066
13 Aug 2012 — twiddle.sh in JBoss AS 5.0 and EAP 5.0 and earlier accepts credentials as command-line arguments, which allows local users to read the credentials by listing the process and its arguments. twiddle.sh en JBoss AS v5.0 y PEA v5.0 y versiones anteriores acepta credenciales como argumentos de línea de comandos, lo que permite a usuarios locales leer las credenciales al listar el proceso y sus argumentos. • http://objectopia.com/2009/10/01/securing-jmx-invoker-layer-in-jboss • CWE-255: Credentials Management Errors •
CVSS: 5.9EPSS: 0%CPEs: 14EXPL: 0CVE-2011-4314 – extension): MITM due to improper validation of AX attribute signatures
https://notcve.org/view.php?id=CVE-2011-4314
27 Jan 2012 — message/ax/AxMessage.java in OpenID4Java before 0.9.6 final, as used in JBoss Enterprise Application Platform 5.1 before 5.1.2, Step2, Kay Framework before 1.0.2, and possibly other products does not verify that Attribute Exchange (AX) information is signed, which allows remote attackers to modify potentially sensitive AX information without detection via a man-in-the-middle (MITM) attack. message/ax/AxMessage.java en OpenID4Java antes v0.9.6 final, tal y como se utiliza en JBoss Enterprise Application Plat... • http://openid.net/2011/05/05/attribute-exchange-security-alert • CWE-20: Improper Input Validation •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2011-4608 – mod_cluster: malicious worker nodes can register on any vhost
https://notcve.org/view.php?id=CVE-2011-4608
27 Jan 2012 — mod_cluster in JBoss Enterprise Application Platform 5.1.2 for Red Hat Linux allows worker nodes to register with arbitrary virtual hosts, which allows remote attackers to bypass intended access restrictions and provide malicious content, hijack sessions, and steal credentials by registering from an external vhost that does not enforce security constraints. mod_cluster en JBoss Enterprise Application Platform v5.1.2 de Red Hat Linux permite a los nodos inscribirse en hosts virtuales de su elección, lo que p... • http://www.redhat.com/support/errata/RHSA-2012-0035.html • CWE-264: Permissions, Privileges, and Access Controls CWE-863: Incorrect Authorization •
CVSS: 8.8EPSS: 1%CPEs: 37EXPL: 0CVE-2011-2196 – JBoss Seam EL interpolation in exception handling
https://notcve.org/view.php?id=CVE-2011-2196
27 Jul 2011 — jboss-seam.jar in the JBoss Seam 2 framework 2.2.x and earlier, as distributed in Red Hat JBoss Enterprise SOA Platform 4.3.0.CP05 and 5.1.0; JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.3.0, 4.3.0.CP09, and 5.1.1; and JBoss Enterprise Web Platform 5.1.1, does not properly restrict use of Expression Language (EL) statements in FacesMessages during page exception handling, which allows remote attackers to execute arbitrary Java code via a crafted URL to an application. NOTE: this vulnerab... • http://www.redhat.com/support/errata/RHSA-2011-0945.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 8.8EPSS: 1%CPEs: 35EXPL: 0CVE-2011-1484 – JBoss Seam privilege escalation caused by EL interpolation in FacesMessages
https://notcve.org/view.php?id=CVE-2011-1484
27 Jul 2011 — jboss-seam.jar in the JBoss Seam 2 framework 2.2.x and earlier, as distributed in Red Hat JBoss Enterprise SOA Platform 4.3.0.CP04 and 5.1.0 and JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.3.0.CP09 and 5.1.0, does not properly restrict use of Expression Language (EL) statements in FacesMessages during page exception handling, which allows remote attackers to execute arbitrary Java code via a crafted URL to an application. jboss-seam.jar en el framework JBoss Seam 2 2.2.x y versiones ant... • http://www.redhat.com/support/errata/RHSA-2011-0460.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 1%CPEs: 21EXPL: 0CVE-2010-3708 – JBoss drools deserialization remote code execution
https://notcve.org/view.php?id=CVE-2010-3708
30 Dec 2010 — The serialization implementation in JBoss Drools in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.3 before 4.3.0.CP09 and JBoss Enterprise SOA Platform 4.2 and 4.3 supports the embedding of class files, which allows remote attackers to execute arbitrary code via a crafted static initializer. La implementación de la serialización de JBoss Drools en la plataforma de aplicaciones Red Hat JBoss Enterprise (JBoss EAP o JBEAP) 4.3 anteriores a 4.3.0.CP09 y JBoss Enterprise SOA Platform ... • http://securitytracker.com/id?1024813 • CWE-20: Improper Input Validation CWE-502: Deserialization of Untrusted Data •
CVSS: 7.5EPSS: 1%CPEs: 23EXPL: 0CVE-2010-3862 – JBoss Remoting Denial-Of-Service
https://notcve.org/view.php?id=CVE-2010-3862
30 Dec 2010 — The org.jboss.remoting.transport.bisocket.BisocketServerInvoker$SecondaryServerSocketThread.run method in JBoss Remoting 2.2.x before 2.2.3.SP4 and 2.5.x before 2.5.3.SP2 in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.3 through 4.3.0.CP09, and 5.1.0; and JBoss Enterprise Web Platform (aka JBEWP) 5.1.0; allows remote attackers to cause a denial of service (daemon outage) by establishing a bisocket control connection TCP session, and then not sending any application data. El métod... • http://securitytracker.com/id?1024813 • CWE-20: Improper Input Validation •
CVSS: 8.8EPSS: 0%CPEs: 9EXPL: 0CVE-2010-3878 – JBoss EAP jmx console FileDeployment CSRF
https://notcve.org/view.php?id=CVE-2010-3878
30 Dec 2010 — Cross-site request forgery (CSRF) vulnerability in the JMX Console in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.3 before 4.3.0.CP09 allows remote attackers to hijack the authentication of administrators for requests that deploy WAR files. Vulnerabilidad de falsificación de petición en sitios cruzados (CSRF) en la consola JMX de plataforma de aplicaciones Red Hat JBoss (JBoss EAP o JBEAP) 4.3 anteriores a la 4.3.0.CP09. Permite a usuarios remotos secuestrar (hijack) la autentic... • http://securitytracker.com/id?1024813 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.5EPSS: 1%CPEs: 23EXPL: 0CVE-2010-4265 – jboss-remoting: missing fix for CVE-2010-3862
https://notcve.org/view.php?id=CVE-2010-4265
30 Dec 2010 — The org.jboss.remoting.transport.bisocket.BisocketServerInvoker$SecondaryServerSocketThread.run method in JBoss Remoting 2.2.x before 2.2.3.SP4 and 2.5.x before 2.5.3.SP2 in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.3 through 4.3.0.CP09 allows remote attackers to cause a denial of service (daemon outage) by establishing a bisocket control connection TCP session, and then not sending any application data, related to a missing CVE-2010-3862 patch. NOTE: this can be considered a ... • http://securitytracker.com/id?1024840 •
CVSS: 8.8EPSS: 93%CPEs: 6EXPL: 3CVE-2010-1871 – Red Hat Linux JBoss Seam 2 Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2010-1871
04 Aug 2010 — JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform 4.3.0 for Red Hat Linux, does not properly sanitize inputs for JBoss Expression Language (EL) expressions, which allows remote attackers to execute arbitrary code via a crafted URL. NOTE: this is only a vulnerability when the Java Security Manager is not properly configured. JBoss Seam 2 (jboss-seam2), como el usado en JBoss Enterprise Application Platform v4.3.0 para Red Hat Linux, no sanea adecuadamente las entradas de de la expr... • https://packetstorm.news/files/id/180880 • CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') •