CVE-2019-14888 – undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS
https://notcve.org/view.php?id=CVE-2019-14888
A vulnerability was found in the Undertow HTTP server in versions before 2.0.28.SP1 when listening on HTTPS. An attacker can target the HTTPS port to carry out a Denial Of Service (DOS) to make the service unavailable on SSL. Se detectó una vulnerabilidad en el servidor HTTP Undertow en versiones anteriores a 2.0.28.SP1, al escuchar sobre HTTPS. Un atacante puede apuntar al puerto HTTPS para llevar a cabo una Denegación de Servicio (DOS) para hacer que el servicio no esté disponible en SSL. A vulnerability was found in the Undertow HTTP server listening on HTTPS. • https://access.redhat.com/errata/RHSA-2020:0729 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14888 https://security.netapp.com/advisory/ntap-20220211-0001 https://access.redhat.com/security/cve/CVE-2019-14888 https://bugzilla.redhat.com/show_bug.cgi?id=1772464 • CWE-400: Uncontrolled Resource Consumption •
CVE-2019-10219 – hibernate-validator: safeHTML validator allows XSS
https://notcve.org/view.php?id=CVE-2019-10219
A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack. Una vulnerabilidad fue encontrada en Hibernate-Validator. La anotación del validador SafeHtml no puede sanear apropiadamente las cargas útiles que consisten en código potencialmente malicioso en los comentarios e instrucciones HTML. • https://access.redhat.com/errata/RHSA-2020:0159 https://access.redhat.com/errata/RHSA-2020:0160 https://access.redhat.com/errata/RHSA-2020:0161 https://access.redhat.com/errata/RHSA-2020:0164 https://access.redhat.com/errata/RHSA-2020:0445 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10219 https://lists.apache.org/thread.html/r4f8b4e2541be4234946e40d55859273a7eec0f4901e8080ce2406fe6%40%3Cnotifications.accumulo.apache.org%3E https://lists.apache.org/thread.html/r4f92d7f7682dcff92722fa947f9e6f8ba2227c5dc3e11ba0911 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2014-0121
https://notcve.org/view.php?id=CVE-2014-0121
The admin terminal in Hawt.io does not require authentication, which allows remote attackers to execute arbitrary commands via the k parameter. El terminal de administrador en Hawt.io no requiere autenticación, lo que permite que atacantes remotos ejecuten comandos arbitrarios mediante el parámetro k. • https://bugzilla.redhat.com/show_bug.cgi?id=1072716 https://github.com/hawtio/hawtio/commit/5289715e4f2657562fdddcbad830a30969b96e1e https://infocon.org/cons/SyScan/SyScan%202015%20Singapore/SyScan%202015%20Singapore%20presentations/SyScan15%20David%20Jorm%20-%20Finding%20and%20exploiting%20novel%20flaws%20in%20Java%20software.pdf • CWE-287: Improper Authentication •
CVE-2014-0120
https://notcve.org/view.php?id=CVE-2014-0120
Cross-site request forgery (CSRF) vulnerability in the admin terminal in Hawt.io allows remote attackers to hijack the authentication of arbitrary users for requests that run commands on the Karaf server, as demonstrated by running "shutdown -f." Vulnerabilidad de Cross-Site Request Forgery (CSRF) en el terminal de administrador en Hawt.io permite que atacantes remotos secuestren la autenticación de usuarios arbitrarios para peticiones que ejecutan comandos en el servidor Karaf, tal y como se demuestra ejecutando "shutdown -f". • https://bugzilla.redhat.com/show_bug.cgi?id=1072681 https://github.com/hawtio/hawtio/commit/b4e23e002639c274a2f687ada980118512f06113 https://infocon.org/cons/SyScan/SyScan%202015%20Singapore/SyScan%202015%20Singapore%20presentations/SyScan15%20David%20Jorm%20-%20Finding%20and%20exploiting%20novel%20flaws%20in%20Java%20software.pdf • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2014-8175 – Fuse: insufficient access permissions checks when accessing Hawtio console
https://notcve.org/view.php?id=CVE-2014-8175
Red Hat JBoss Fuse before 6.2.0 allows remote authenticated users to bypass intended restrictions and access the HawtIO console by leveraging an account defined in the users.properties file. Red Hat JBoss Fuse anterior a 6.2.0 permite a usuarios remotos autenticados evadir las restricciones y acceder a la consola HawtIO mediante el aprovechamiento de una cuenta definida en el fichero de propiedades de usuarios. It was found that JBoss Fuse would allow any user defined in the users.properties file to access the HawtIO console without having a valid admin role. This could allow a remote attacker to bypass intended authentication HawtIO console access restrictions. • http://rhn.redhat.com/errata/RHSA-2015-1176.html http://rhn.redhat.com/errata/RHSA-2015-1177.html https://access.redhat.com/security/cve/CVE-2014-8175 https://bugzilla.redhat.com/show_bug.cgi?id=1205112 • CWE-264: Permissions, Privileges, and Access Controls CWE-862: Missing Authorization •