CVE-2015-1849
https://notcve.org/view.php?id=CVE-2015-1849
AdvancedLdapLodinMogule in Red Hat JBoss Enterprise Application Platform (EAP) before 6.4.1 allows attackers to obtain sensitive information via vectors involving logging the LDAP bind credential password when TRACE logging is enabled. AdvancedLdapLodinMogule en Red Hat JBoss Enterprise Application Platform (EAP) en versiones anteriores a la 6.4.1 permite que los atacantes obtengan información sensible mediante vectores que implican el registro de la contraseña de las credenciales asociadas al protocolo LDAP cuando el registro TRACE está habilitado. • https://bugzilla.redhat.com/show_bug.cgi?id=1199641 https://bugzilla.redhat.com/show_bug.cgi?id=1208580 https://github.com/wildfly-security/jboss-negotiation/commit/0dc9d191b6eb1d13b8f0189c5b02ba6576f4722e https://github.com/wildfly-security/jboss-negotiation/pull/21 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2017-7561 – resteasy: Vary header not added by CORS filter leading to cache poisoning
https://notcve.org/view.php?id=CVE-2017-7561
Red Hat JBoss EAP version 3.0.7 through before 4.0.0.Beta1 is vulnerable to a server-side cache poisoning or CORS requests in the JAX-RS component resulting in a moderate impact. Red Hat JBoss EAP en su versión 3.0.7 hasta antes de la versión 4.0.0.Beta1 es vulnerable a un envenenamiento de la caché por parte del servidor o a peticiones CORS en el componente JAX-RS, resultando en un impacto moderado. It was discovered that the CORS Filter did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances. • http://www.securityfocus.com/bid/100465 https://access.redhat.com/errata/RHSA-2018:0002 https://access.redhat.com/errata/RHSA-2018:0003 https://access.redhat.com/errata/RHSA-2018:0004 https://access.redhat.com/errata/RHSA-2018:0005 https://access.redhat.com/errata/RHSA-2018:0478 https://access.redhat.com/errata/RHSA-2018:0479 https://access.redhat.com/errata/RHSA-2018:0480 https://access.redhat.com/errata/RHSA-2018:0481 https://issues.jboss.org/browse/RESTEASY-1704 ht • CWE-345: Insufficient Verification of Data Authenticity CWE-346: Origin Validation Error CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVE-2017-7504
https://notcve.org/view.php?id=CVE-2017-7504
HTTPServerILServlet.java in JMS over HTTP Invocation Layer of the JbossMQ implementation, which is enabled by default in Red Hat Jboss Application Server <= Jboss 4.X does not restrict the classes for which it performs deserialization, which allows remote attackers to execute arbitrary code via crafted serialized data. En el archivo HTTPServerILServlet.java en la capa de invocación JMS sobre HTTP de la implementación de JbossMQ, que está habilitada por defecto en Red Hat Jboss Application Server versiones anteriores a Jboss 4.X e incluida, no restringe las clases para las cuales realiza la deserialización, lo que permite a atacantes remotos ejecutar código arbitrario por medio de datos serializados diseñados. • http://www.securityfocus.com/bid/98595 https://bugzilla.redhat.com/show_bug.cgi?id=1451441 • CWE-502: Deserialization of Untrusted Data •
CVE-2016-7061 – EAP: Sensitive data can be exposed at the server level in domain mode
https://notcve.org/view.php?id=CVE-2016-7061
An information disclosure vulnerability was found in JBoss Enterprise Application Platform before 7.0.4. It was discovered that when configuring RBAC and marking information as sensitive, users with a Monitor role are able to view the sensitive information. Se ha detectado una vulnerabilidad de divulgación de información en JBoss Enterprise Application Platform en versiones anteriores a la 7.0.4. Se ha descubierto que, al configurar RBAC y marcar información como sensible, los usuarios con rol Monitor pueden visualizar dicha información sensible It was discovered that when configuring RBAC and marking information as sensitive, users with a Monitor role are able to view the sensitive information. • http://rhn.redhat.com/errata/RHSA-2017-0170.html http://rhn.redhat.com/errata/RHSA-2017-0171.html http://rhn.redhat.com/errata/RHSA-2017-0172.html http://rhn.redhat.com/errata/RHSA-2017-0173.html http://rhn.redhat.com/errata/RHSA-2017-0244.html http://rhn.redhat.com/errata/RHSA-2017-0245.html http://rhn.redhat.com/errata/RHSA-2017-0246.html http://rhn.redhat.com/errata/RHSA-2017-0247.html http://rhn.redhat.com/errata/RHSA-2017-0250.html http://www • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2016-7065 – Red Hat JBoss EAP - Deserialization of Untrusted Data
https://notcve.org/view.php?id=CVE-2016-7065
The JMX servlet in Red Hat JBoss Enterprise Application Platform (EAP) 4 and 5 allows remote authenticated users to cause a denial of service and possibly execute arbitrary code via a crafted serialized Java object. El servlet JMX en Red Hat JBoss Enterprise Application Platform (EAP) 4 y 5 permite a usuarios remotos autenticados provocar una denegación de servicio y posiblemente ejecutar código arbitrario a través de un objeto Java serializado manipulado. • https://www.exploit-db.com/exploits/40842 http://seclists.org/fulldisclosure/2016/Nov/143 http://www.securityfocus.com/bid/93462 https://bugzilla.redhat.com/show_bug.cgi?id=1382534 • CWE-502: Deserialization of Untrusted Data •