CVSS: 3.6EPSS: 0%CPEs: 2EXPL: 0CVE-2014-0005 – PicketBox/JBossSX: Unauthorized access to and modification of application server configuration and state by application
https://notcve.org/view.php?id=CVE-2014-0005
PicketBox and JBossSX, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 6.2.2 and JBoss BRMS before 6.0.3 roll up patch 2, allows remote authenticated users to read and modify the application sever configuration and state by deploying a crafted application. PicketBox y JBossSX, utilizado en Red Hat JBoss Enterprise Application Platform (JBEAP) 6.2.2 y JBoss BRMS anterior a 6.0.3 roll up patch 2, permite a usuarios remotos autenticados leer y modificar la configuración y estado del servidor de la aplicación mediante el despliegue de una aplicación manipulada. It was identified that PicketBox/JBossSX allowed any deployed application to alter or read the underlying application server configuration and state without any authorization checks. An attacker able to deploy applications could use this flaw to circumvent security constraints applied to other applications deployed on the same system, disclose privileged information, and in certain cases allow arbitrary code execution. • http://rhn.redhat.com/errata/RHSA-2014-0343.html http://rhn.redhat.com/errata/RHSA-2014-0344.html http://rhn.redhat.com/errata/RHSA-2014-0345.html http://rhn.redhat.com/errata/RHSA-2015-0234.html http://rhn.redhat.com/errata/RHSA-2015-0235.html http://rhn.redhat.com/errata/RHSA-2015-0720.html https://access.redhat.com/security/cve/CVE-2014-0005 https://bugzilla.redhat.com/show_bug.cgi?id=1049736 • CWE-264: Permissions, Privileges, and Access Controls CWE-862: Missing Authorization •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2013-6468 – Drools: Remote Java Code Execution in MVEL
https://notcve.org/view.php?id=CVE-2013-6468
JBoss Drools, Red Hat JBoss BRMS before 6.0.1, and Red Hat JBoss BPM Suite before 6.0.1 allows remote authenticated users to execute arbitrary Java code via a (1) MVFLEX Expression Language (MVEL) or (2) Drools expression. JBoss Drools, Red Hat JBoss BRMS anterior a 6.0.1 y Red Hat JBoss BPM Suite anterior a 6.0.1 permite a usuarios remotos autenticados ejecutar código Java arbitrario a través de una expresión (1) MVFLEX Expression Language (MVEL) o (2) Drools • http://rhn.redhat.com/errata/RHSA-2014-0371.html http://rhn.redhat.com/errata/RHSA-2014-0372.html http://secunia.com/advisories/57716 http://secunia.com/advisories/57719 https://access.redhat.com/security/cve/CVE-2013-6468 https://bugzilla.redhat.com/show_bug.cgi?id=1051261 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.5EPSS: 1%CPEs: 7EXPL: 0CVE-2013-2186 – commons-fileupload: Arbitrary file upload via deserialization
https://notcve.org/view.php?id=CVE-2013-2186
The DiskFileItem class in Apache Commons FileUpload, as used in Red Hat JBoss BRMS 5.3.1; JBoss Portal 4.3 CP07, 5.2.2, and 6.0.0; and Red Hat JBoss Web Server 1.0.2 allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance. La clase DiskFileItem en Apache Commons FileUpload, tal como se utiliza en Red Hat JBoss BRMS 5.3.1; JBoss Portal 4.3 CP07, 5.2.2 y 6.0.0; y Red Hat JBoss Web Server 1.0.2 permite a atacantes remotos escribir en archivos arbitrarios a través de un byte NULL en un nombre de archivo en una instancia serializada. • http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00008.html http://lists.opensuse.org/opensuse-updates/2013-10/msg00033.html http://lists.opensuse.org/opensuse-updates/2013-10/msg00050.html http://rhn.redhat.com/errata/RHSA-2013-1428.html http://rhn.redhat.com/errata/RHSA-2013-1429.html http://rhn.redhat.com/errata/RHSA-2013-1430.html http://rhn.redhat.com/errata/RHSA-2013-1442.html http://rhn.redhat.com/errata/RHSA-2013-1448.html http://secunia.com/advis • CWE-20: Improper Input Validation CWE-626: Null Byte Interaction Error (Poison Null Byte) •