CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2014-0058 – EAP6: Plain text password logging during security audit
https://notcve.org/view.php?id=CVE-2014-0058
24 Feb 2014 — The security audit functionality in Red Hat JBoss Enterprise Application Platform (EAP) 6.x before 6.2.1 logs request parameters in plaintext, which might allow local users to obtain passwords by reading the log files. La funcionalidad de auditoría de seguridad en Red Hat JBoss Enterprise Application Platform (EAP) 6.x anterior a 6.2.1 registra parámetros de solicitud en texto claro, lo que podría permitir a usuarios locales obtener contraseñas mediante la lectura de los archivos de log. It was found that t... • http://rhn.redhat.com/errata/RHSA-2014-0204.html • CWE-310: Cryptographic Issues •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2014-0018 – jboss-as-server: Unchecked access to MSC Service Registry under JSM
https://notcve.org/view.php?id=CVE-2014-0018
13 Feb 2014 — Red Hat JBoss Enterprise Application Platform (JBEAP) 6.2.0 and JBoss WildFly Application Server, when run under a security manager, do not properly restrict access to the Modular Service Container (MSC) service registry, which allows local users to modify the server via a crafted deployment. Red Hat JBoss Enterprise Application Platform (JBEAP) 6.2.0 y JBoss WildFly Application Server, cuando es ejecutado bajo un gestor de seguridad, no restringe debidamente el acceso al registro del servicio Modular Servi... • http://rhn.redhat.com/errata/RHSA-2014-0170.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 2%CPEs: 4EXPL: 0CVE-2011-4610 – JBoss Web remote denial of service when surrogate pair character is placed at buffer boundary
https://notcve.org/view.php?id=CVE-2011-4610
10 Feb 2014 — JBoss Web, as used in Red Hat JBoss Communications Platform before 5.1.3, Enterprise Web Platform before 5.1.2, Enterprise Application Platform before 5.1.2, and other products, allows remote attackers to cause a denial of service (infinite loop) via vectors related to a crafted UTF-8 and a "surrogate pair character" that is "at the boundary of an internal buffer." JBoss Web, utilizado en Red Hat JBoss Communications Platform anterior a 5.1.3, Enterprise Web Platform anterior a 5.1.2, Enterprise Application... • http://rhn.redhat.com/errata/RHSA-2012-0074.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2012-3427 – AMI: insecure default file permissions for /var/cache/jboss-ec2-eap
https://notcve.org/view.php?id=CVE-2012-3427
02 Feb 2014 — EC2 Amazon Machine Image (AMI) in JBoss Enterprise Application Platform (EAP) 5.1.2 uses 755 permissions for /var/cache/jboss-ec2-eap/, which allows local users to read sensitive information such as Amazon Web Services (AWS) credentials by reading files in the directory. EC2 Amazon Machine Image (AMI) en JBoss Enterprise Application Platform (EAP) 5.1.2 utiliza permisos 755 para /var/cache/jboss-ec2-eap/, lo cual permite a usuarios locales leer información sensible como credenciales de Amazon Web Services (... • http://rhn.redhat.com/errata/RHSA-2012-1376.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.5EPSS: 0%CPEs: 17EXPL: 0CVE-2013-2133 – WS: EJB3 role restrictions are not applied to jaxws handlers
https://notcve.org/view.php?id=CVE-2013-2133
05 Dec 2013 — The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) before 6.2.0, does not properly enforce the method level restrictions for JAX-WS Service endpoints, which allows remote authenticated users to access otherwise restricted JAX-WS handlers by leveraging permissions to the EJB class. La implementación del manejador de invocación EJB en Red Hat JBossWS, como se utiliza en JBoss Enterprise Application Platform (EAP) anteriores a 6.2.0, no hace cum... • http://rhn.redhat.com/errata/RHSA-2013-1784.html • CWE-264: Permissions, Privileges, and Access Controls CWE-862: Missing Authorization •
CVSS: 7.5EPSS: 1%CPEs: 6EXPL: 0CVE-2013-4210 – Remoting: DoS by file descriptor exhaustion
https://notcve.org/view.php?id=CVE-2013-4210
30 Sep 2013 — The org.jboss.remoting.transport.socket.ServerThread class in Red Hat JBoss Remoting for Red Hat JBoss SOA Platform 5.3.1 GA, Web Platform 5.2.0, Enterprise Application Platform 5.2.0, and other products allows remote attackers to cause a denial of service (file descriptor consumption) via unspecified vectors. La clase org.jboss.remoting.transport.socket.ServerThread en Red Hat JBoss Remoting para Red Hat JBoss SOA Platform 5.3.1 GA, Web Platform 5.2.0, Enterprise Application Platform 5.2.0, y otros product... • http://rhn.redhat.com/errata/RHSA-2013-1369.html •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2013-2185 – Tomcat/JBossWeb: Arbitrary file upload via deserialization
https://notcve.org/view.php?id=CVE-2013-2185
04 Sep 2013 — The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications t... • http://openwall.com/lists/oss-security/2014/10/24/12 • CWE-20: Improper Input Validation CWE-626: Null Byte Interaction Error (Poison Null Byte) •
CVSS: 3.3EPSS: 0%CPEs: 13EXPL: 0CVE-2013-1921 – PicketBox: Insecure storage of masked passwords
https://notcve.org/view.php?id=CVE-2013-1921
04 Sep 2013 — PicketBox, as used in Red Hat JBoss Enterprise Application Platform before 6.1.1, allows local users to obtain the admin encryption key by reading the Vault data file. PicketBox, utilizado en Red Hat JBoss Enterprise Application Platform anteriores a 6.1.1, permite a un usuario local obtener la clave de cifrado de administrador leyendo el archivo de datos Vault. Red Hat JBoss Data Grid is a distributed in-memory data grid, based on Infinispan. This release of Red Hat JBoss Data Grid 6.2.0 serves as a replac... • http://rhn.redhat.com/errata/RHSA-2013-1207.html • CWE-310: Cryptographic Issues •
CVSS: 5.5EPSS: 9%CPEs: 29EXPL: 0CVE-2013-4112 – JGroups: Authentication via cached credentials
https://notcve.org/view.php?id=CVE-2013-4112
04 Sep 2013 — The DiagnosticsHandler in JGroup 3.0.x, 3.1.x, 3.2.x before 3.2.9, and 3.3.x before 3.3.3 allows remote attackers to obtain sensitive information (diagnostic information) and execute arbitrary code by reusing valid credentials. El DiagnosticsHandler en JGroup 3.0.x, 3.1.x, 3.2.x anterior a 3.2.9 , y 3.3.x anterior a 3.3.3 permite a atacantes remotos obtener información sensible (información de disgnósticos) y ejecutar codigo arbitrario reutilizando credenciales válidas Red Hat JBoss Data Grid is a distribut... • http://rhn.redhat.com/errata/RHSA-2013-1207.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2013-4128 – remote-naming: Session fixation due improper connection caching
https://notcve.org/view.php?id=CVE-2013-4128
12 Aug 2013 — Red Hat JBoss Enterprise Application Platform (EAP) 6.1.0 does not properly cache EJB invocations by remote-naming, which allows remote attackers to hijack sessions by using a remoting client. Red Hat JBoss Enterprise Application Platform (EAP) v6.1.0 no cachea adecuadamente las llamadas EJB por control remoto de nombres, lo que permite a atacantes remotos secuestrar sesiones utilizando un cliente remoto. Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Appl... • http://osvdb.org/96217 • CWE-16: Configuration CWE-384: Session Fixation •