Page 2 of 24 results (0.004 seconds)

CVSS: 8.0EPSS: 0%CPEs: 1EXPL: 0

A missing permission check was found in The CLI in JBoss Operations Network before 2.3.1 does not properly check permissions, which allows JBoss ON users to perform management tasks and configuration changes with the privileges of the administrator user. Se detectó una falta de comprobación de permiso en la CLI en JBoss Operations Network versiones anteriores a 2.3.1, no comprueba apropiadamente los permisos, lo que permite a usuarios de JBoss ON llevar a cabo tareas de administración y cambios de configuración con los privilegios del usuario administrador. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-0737 • CWE-732: Incorrect Permission Assignment for Critical Resource •

CVSS: 7.3EPSS: 0%CPEs: 1EXPL: 0

It was found that the fix for CVE-2014-0114 had been reverted in JBoss Operations Network 3 (JON). This flaw allows attackers to manipulate ClassLoader properties on a vulnerable server. Exploits that have been published rely on ClassLoader properties that are exposed such as those in JON 3. Additional information can be found in the Red Hat Knowledgebase article: https://access.redhat.com/site/solutions/869353. Note that while multiple products released patches for the original CVE-2014-0114 flaw, the reversion described by this CVE-2019-3834 flaw only occurred in JON 3. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3834 • CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') •

CVSS: 9.8EPSS: 1%CPEs: 16EXPL: 0

The server in Red Hat JBoss Operations Network (JON), when SSL authentication is not configured for JON server / agent communication, allows remote attackers to execute arbitrary code via a crafted HTTP request, related to message deserialization. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-3737. El servidor en Red Hat JBoss Operations Network (JON), cuando la autenticación SSL no está configurada para comunicación de agente servidor JON, permite a atacantes remotos ejecutar código arbitrario a través de una petición HTTP manipulada, relacionado con deserialización de mensajes. NOTA: esta vulnerabilidad existe debido a una solución incompleta para CVE-2016-3737. • http://www.securityfocus.com/bid/92568 https://bugzilla.redhat.com/show_bug.cgi?id=1368864 https://www.tenable.com/security/research/tra-2016-22 • CWE-502: Deserialization of Untrusted Data •

CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0

The web console in Red Hat JBoss Operations Network (JON) before 3.3.7 does not properly authorize requests to add users with the super user role, which allows remote authenticated users to gain admin privileges via a crafted POST request. La consola web en Red Hat JBoss Operations Network (JON) en versiones anteriores a 3.3.7 no autoriza adecuadamente peticiones para agregar usuarios con el rol de superusuario, lo que permite a usuarios remotos autenticados obtener privilegios de administrador a través de una petición POST manipulada. It was found that JBoss Operations Network allowed regular users to add a new super user by sending a specially crafted request to the web console. This attacks allows escalation of privileges. • http://rhn.redhat.com/errata/RHSA-2016-1785.html http://www.securityfocus.com/bid/92722 https://access.redhat.com/security/cve/CVE-2016-5422 https://bugzilla.redhat.com/show_bug.cgi?id=1361933 • CWE-264: Permissions, Privileges, and Access Controls CWE-285: Improper Authorization •

CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0

The server in Red Hat JBoss Operations Network (JON) before 3.3.6 allows remote attackers to execute arbitrary code via a crafted HTTP request, related to message deserialization. El servidor en Red Hat JBoss Operations Network (JON) en versiones anteriores a 3.3.6 permite a atacantes remotos ejecutar código arbitrario a traves una petición HTTP manipulada, relacionado con deserialización de mensaje. • http://rhn.redhat.com/errata/RHSA-2016-1519.html http://www.securitytracker.com/id/1036507 https://bugzilla.redhat.com/show_bug.cgi?id=1333618 https://www.tenable.com/security/research/tra-2016-22 • CWE-20: Improper Input Validation •