CVE-2020-14379
https://notcve.org/view.php?id=CVE-2020-14379
A flaw was found in Red Hat AMQ Broker in a way that a XEE attack can be done via Broker's configuration files, leading to denial of service and information disclosure. Se ha detectado un fallo en Red Hat AMQ Broker por el que puede realizarse un ataque de tipo XEE por medio de los archivos de configuración del Broker, conllevando a una denegación de servicio y una divulgación de información. • https://bugzilla.redhat.com/show_bug.cgi?id=1840862 • CWE-611: Improper Restriction of XML External Entity Reference •
CVE-2021-4104 – Deserialization of untrusted data in JMSAppender in Apache Log4j 1.2
https://notcve.org/view.php?id=CVE-2021-4104
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions. • http://www.openwall.com/lists/oss-security/2022/01/18/3 https://access.redhat.com/security/cve/CVE-2021-4104 https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126 https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0033 https://security.gentoo.org/glsa/202209-02 https://security.gentoo.org/glsa/202310-16 https://security.gentoo.org/glsa/202312-02 https://security.gentoo.org/glsa/202312-04 https://security.netapp.com/advisory/ntap-20211223-0007 https • CWE-20: Improper Input Validation CWE-502: Deserialization of Untrusted Data •
CVE-2021-3425 – Broker: discloses JDBC username and password in the application log file
https://notcve.org/view.php?id=CVE-2021-3425
A flaw was found in the AMQ Broker that discloses JDBC encrypted usernames and passwords when provided in the AMQ Broker application logfile when using the jdbc persistence functionality. Versions shipped in Red Hat AMQ 7 are vulnerable. Se ha encontrado un fallo en el AMQ Broker que divulga los nombres de usuario y las contraseñas cifradas de JDBC cuando es proporcionado en el archivo de registro de la aplicación AMQ Broker cuando se usa la funcionalidad jdbc persistence. Unas versiones que son distribuidas en Red Hat AMQ versión 7 son vulnerables • https://bugzilla.redhat.com/show_bug.cgi?id=1936629 https://access.redhat.com/security/cve/CVE-2021-3425 • CWE-532: Insertion of Sensitive Information into Log File •
CVE-2021-3536 – wildfly: XSS via admin console when creating roles in domain mode
https://notcve.org/view.php?id=CVE-2021-3536
A flaw was found in Wildfly in versions before 23.0.2.Final while creating a new role in domain mode via the admin console, it is possible to add a payload in the name field, leading to XSS. This affects Confidentiality and Integrity. Se encontró un fallo en Wildfly en versiones anteriores a 23.0.2.Final, mientras se crea un nuevo rol en el modo de dominio por medio de la consola de administración, es posible agregar una carga útil en el campo name, conllevando a una vulnerabilidad de tipo XSS. Esto afecta la Confidencialidad y la Integridad A flaw was found in Wildfly. While creating a new role in the domain mode via the admin console, it is possible to add a payload in the name field, leading to a Cross-site scripting attack (XSS). • https://bugzilla.redhat.com/show_bug.cgi?id=1948001 https://access.redhat.com/security/cve/CVE-2021-3536 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2015-5183 – Console: HTTPOnly and Secure attributes not set on cookies in Red Hat AMQ
https://notcve.org/view.php?id=CVE-2015-5183
Console: HTTPOnly and Secure attributes not set on cookies in Red Hat AMQ. Consola: Atributos de HTTPOnly y Secure no establecidos en las cookies de Red Hat AMQ. It was found that Hawtio console does not set HTTPOnly or Secure attributes on cookies. An attacker could use this flaw to rerieve an authenticated user's SessionID, and possibly conduct further attacks with the permissions of the authenticated user. • http://www.securitytracker.com/id/1041750 https://access.redhat.com/errata/RHSA-2018:2840 https://bugzilla.redhat.com/show_bug.cgi?id=1249182 https://lists.apache.org/thread.html/9e3391878c6840b294155f7ba6ccb47586e317f85c1bbd15c4608bd0%40%3Cdev.activemq.apache.org%3E https://lists.apache.org/thread.html/r51c60b28154fe7b634e5f5b7a7fc7f6f060487b39a7b5e95e2c32047%40%3Cdev.activemq.apache.org%3E https://lists.apache.org/thread.html/r63480b481eb5922465da102d97d0906d8823687f99ef3255ebc32be8%40%3Cdev.activemq.apache.org%3E https://lists.apache.org/thread& •