CVSS: 4.8EPSS: 0%CPEs: 9EXPL: 0CVE-2021-3536 – wildfly: XSS via admin console when creating roles in domain mode
https://notcve.org/view.php?id=CVE-2021-3536
20 May 2021 — A flaw was found in Wildfly in versions before 23.0.2.Final while creating a new role in domain mode via the admin console, it is possible to add a payload in the name field, leading to XSS. This affects Confidentiality and Integrity. Se encontró un fallo en Wildfly en versiones anteriores a 23.0.2.Final, mientras se crea un nuevo rol en el modo de dominio por medio de la consola de administración, es posible agregar una carga útil en el campo name, conllevando a una vulnerabilidad de tipo XSS. Esto af... • https://bugzilla.redhat.com/show_bug.cgi?id=1948001 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2020-27822 – wildfly: Potential Memory leak in Wildfly when using OpenTracing
https://notcve.org/view.php?id=CVE-2020-27822
08 Dec 2020 — A flaw was found in Wildfly affecting versions 19.0.0.Final, 19.1.0.Final, 20.0.0.Final, 20.0.1.Final, and 21.0.0.Final. When an application uses the OpenTracing API's java-interceptors, there is a possibility of a memory leak. This flaw allows an attacker to impact the availability of the server. The highest threat from this vulnerability is to system availability. Se encontró un fallo en Wildfly afectando a versiones 19.0.0.Final, 19.1.0.Final, 20.0.0.Final, 20.0.1.Final y 21.0.0.Final. • https://bugzilla.redhat.com/show_bug.cgi?id=1904060 • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2020-25640 – wildfly: resource adapter logs plaintext JMS password at warning level on connection error
https://notcve.org/view.php?id=CVE-2020-25640
24 Nov 2020 — A flaw was discovered in WildFly before 21.0.0.Final where, Resource adapter logs plain text JMS password at warning level on connection error, inserting sensitive information in the log file. Se detectó un fallo en WildFly versiones anteriores a 21.0.0.Final donde, el adaptador de Recursos registra una contraseña JMS de texto plano en el nivel de advertencia en caso de error de conexión, insertando información confidencial en el archivo de registro A flaw was found in wildfly. JMS passwords are logged by t... • https://bugzilla.redhat.com/show_bug.cgi?id=1881637 • CWE-209: Generation of Error Message Containing Sensitive Information CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 6.8EPSS: 0%CPEs: 12EXPL: 1CVE-2020-25689 – wildfly-core: memory leak in WildFly host-controller in domain mode while not able to reconnect to domain-controller
https://notcve.org/view.php?id=CVE-2020-25689
30 Oct 2020 — A memory leak flaw was found in WildFly in all versions up to 21.0.0.Final, where host-controller tries to reconnect in a loop, generating new connections which are not properly closed while not able to connect to domain-controller. This flaw allows an attacker to cause an Out of memory (OOM) issue, leading to a denial of service. The highest threat from this vulnerability is to system availability. Se encontró una fallo de filtrado de memoria en WildFly en todas las versiones hasta 21.0.0.Final, donde el c... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25689 • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 7.5EPSS: 0%CPEs: 10EXPL: 0CVE-2020-25644 – wildfly-openssl: memory leak per HTTP session creation in WildFly OpenSSL
https://notcve.org/view.php?id=CVE-2020-25644
06 Oct 2020 — A memory leak flaw was found in WildFly OpenSSL in versions prior to 1.1.3.Final, where it removes an HTTP session. It may allow the attacker to cause OOM leading to a denial of service. The highest threat from this vulnerability is to system availability. Se encontró un fallo de pérdida de memoria en WildFly OpenSSL en versiones anteriores a 1.1.3.Final, donde se elimina una sesión HTTP. Puede permitir a un atacante causar OOM conllevando a una denegación de servicio. • https://bugzilla.redhat.com/show_bug.cgi?id=1885485 • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2020-10714 – wildfly-elytron: session fixation when using FORM authentication
https://notcve.org/view.php?id=CVE-2020-10714
17 Aug 2020 — A flaw was found in WildFly Elytron version 1.11.3.Final and before. When using WildFly Elytron FORM authentication with a session ID in the URL, an attacker could perform a session fixation attack. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. Se encontró un fallo en versión 1.11.3.Final y anteriores de WildFly Elytron. Cuando se usa la autenticación FORM de WildFly Elytron con un ID de sesión en la URL, un atacante podría llevar a ... • https://bugzilla.redhat.com/show_bug.cgi?id=1825714 • CWE-384: Session Fixation •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2020-10718 – wildfly: exposed setting of TCCL via the EmbeddedManagedProcess API
https://notcve.org/view.php?id=CVE-2020-10718
17 Aug 2020 — A flaw was found in Wildfly before wildfly-embedded-13.0.0.Final, where the embedded managed process API has an exposed setting of the Thread Context Classloader (TCCL). This setting is exposed as a public method, which can bypass the security manager. The highest threat from this vulnerability is to confidentiality. Se encontró un fallo en Wildfly versiones anteriores a wildfly-embedded-13.0.0.Final, donde la API del proceso administrado incorporado presenta una configuración expuesta del Thread Context Cl... • https://bugzilla.redhat.com/show_bug.cgi?id=1828476 • CWE-749: Exposed Dangerous Method or Function •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2020-1748 – Wildfly: Improper authorization issue in WildFlySecurityManager when using alternative protection domain
https://notcve.org/view.php?id=CVE-2020-1748
17 Aug 2020 — A flaw was found in all supported versions before wildfly-elytron-1.6.8.Final-redhat-00001, where the WildFlySecurityManager checks were bypassed when using custom security managers, resulting in an improper authorization. This flaw leads to information exposure by unauthenticated access to secure resources. Se encontró un fallo en todas las versiones compatibles anteriores a wildfly-elytron-1.6.8.Final-redhat-00001, donde las comprobaciones de la función WildFlySecurityManager son omitidas cuando se usan a... • https://bugzilla.redhat.com/show_bug.cgi?id=1807707 • CWE-285: Improper Authorization •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-10740 – wildfly: unsafe deserialization in Wildfly Enterprise Java Beans
https://notcve.org/view.php?id=CVE-2020-10740
22 Jun 2020 — A vulnerability was found in Wildfly in versions before 20.0.0.Final, where a remote deserialization attack is possible in the Enterprise Application Beans(EJB) due to lack of validation/filtering capabilities in wildfly. Se encontró una vulnerabilidad en Wildfly en versiones anteriores a 20.0.0.Final, donde es posible un ataque de deserialización remota en Enterprise Application Beans (EJB) debido a una falta de capacidades de validación y filtrado en wildfly A flaw was found in Wildfly. A remote deseriali... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10740 • CWE-502: Deserialization of Untrusted Data •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-1719 – Wildfly: EJBContext principal is not popped back after invoking another EJB using a different Security Domain
https://notcve.org/view.php?id=CVE-2020-1719
11 May 2020 — A flaw was found in wildfly. The EJBContext principle is not popped back after invoking another EJB using a different Security Domain. The highest threat from this vulnerability is to data confidentiality and integrity. Versions before wildfly 20.0.0.Final are affected. Se ha encontrado un fallo en wildfly. • https://bugzilla.redhat.com/show_bug.cgi?id=1796617 • CWE-270: Privilege Context Switching Error •