CVSS: 2.1EPSS: 0%CPEs: 1EXPL: 0CVE-2013-4293 – Server: Plaintext passwords in server logs
https://notcve.org/view.php?id=CVE-2013-4293
The server in Red Hat JBoss Operations Network (JON) 3.1.2 logs passwords in plaintext, which allows local users to obtain sensitive information by reading the log files. El servidor en Red Hat JBoss Operations Network (JON) 3.1.2 loguea contraseñas en texto plano, lo que permite a usuarios locales obtener informació sensible leyendo los archivos de log. • http://rhn.redhat.com/errata/RHSA-2013-1448.html https://bugzilla.redhat.com/show_bug.cgi?id=1002853 https://access.redhat.com/security/cve/CVE-2013-4293 • CWE-310: Cryptographic Issues •
CVSS: 3.2EPSS: 0%CPEs: 1EXPL: 0CVE-2013-4373 – Drift: Malicious drift file import due to insecure temporary file usage
https://notcve.org/view.php?id=CVE-2013-4373
The storeFiles method in JPADriftServerBean in Red Hat JBoss Operations Network (JON) 3.1.2 allows local users to load arbitrary drift files into a server by writing the files to the temporary directory that is used to unpack zip files. El método storeFiles en JPADriftServerBean en Red Hat JBoss Operations Network (JON) 3.1.2 permite a usuarios locales cargar archivos drift arbitrarios en el servidor escribiendo los archivos al directorio temporal que es utilizado para descomprimir archivos zip. • http://rhn.redhat.com/errata/RHSA-2013-1448.html https://bugzilla.redhat.com/show_bug.cgi?id=1011824 https://exchange.xforce.ibmcloud.com/vulnerabilities/88179 https://access.redhat.com/security/cve/CVE-2013-4373 • CWE-20: Improper Input Validation CWE-377: Insecure Temporary File •
CVSS: 7.5EPSS: 10%CPEs: 99EXPL: 1CVE-2013-2165 – RichFaces: Remote code execution due to insecure deserialization
https://notcve.org/view.php?id=CVE-2013-2165
ResourceBuilderImpl.java in the RichFaces 3.x through 5.x implementation in Red Hat JBoss Web Framework Kit before 2.3.0, Red Hat JBoss Web Platform through 5.2.0, Red Hat JBoss Enterprise Application Platform through 4.3.0 CP10 and 5.x through 5.2.0, Red Hat JBoss BRMS through 5.3.1, Red Hat JBoss SOA Platform through 4.3.0 CP05 and 5.x through 5.3.1, Red Hat JBoss Portal through 4.3 CP07 and 5.x through 5.2.2, and Red Hat JBoss Operations Network through 2.4.2 and 3.x through 3.1.2 does not restrict the classes for which deserialization methods can be called, which allows remote attackers to execute arbitrary code via crafted serialized data. ResourceBuilderImpl.java en la implementación de RichFaces 3.x a 5.x en la implementación de Red Hat JBoss Web Framework Kit anterior a 2.3.0, Red Hat JBoss Web Platform a 5.2.0, Red Hat JBoss Enterprise Application Platform a 4.3.0 CP10 y 5.x a la 5.2.0, Red Hat JBoss BRMS hasta la 5.3.1, Red Hat JBoss SOA Platform hasta la 4.3.0 CP05 y 5.x hasta la 5.3.1, Red Hat JBoss Portal hasta la 4.3 CP07 y 5.x hasta 5.2.2, y Red Hat JBoss Operations Network hasta 2.4.2 y 3.x hasta la 3.1.2, no restringe las clases para la deserialización de los métodos que pueden ser invocados, lo que permite a atacantes remotos ejecutar código arbitrario a través de datos serializados. • https://github.com/Pastea/CVE-2013-2165 http://jvn.jp/en/jp/JVN38787103/index.html http://jvndb.jvn.jp/jvndb/JVNDB-2013-000072 http://packetstormsecurity.com/files/156663/Richsploit-RichFaces-Exploitation-Toolkit.html http://rhn.redhat.com/errata/RHSA-2013-1041.html http://rhn.redhat.com/errata/RHSA-2013-1042.html http://rhn.redhat.com/errata/RHSA-2013-1043.html http://rhn.redhat.com/errata/RHSA-2013-1044.html http://rhn.redhat.com/errata/RHSA-2013-1045.html http:/ • CWE-264: Permissions, Privileges, and Access Controls CWE-502: Deserialization of Untrusted Data •