
CVSS: 7.8 | EPSS: 0% | CPEs: 10 | EXPL: 0

CVE-2021-3717: A flaw was found in Wildfly. An incorrect JBOSS_LOCAL_USER challenge location when using the Elytron configuration may grant JBOSS_LOCAL_USER access to all users on the machine. The highest threat from this vulnerability is to confidentiality, integrity, and availability. This flaw affects wildfly-core versions prior to 17.0.
References: https://bugzilla.redhat.com/show_bug.cgi?id=1991305 ; https://security.netapp.com/advisory/ntap-20220804-0002 ; https://access.redhat.com/security/cve/CVE-2021-3717
Weakness: CWE-552: Files or Directories Accessible to External Parties

CVSS: 5.9 | EPSS: 0% | CPEs: 18 | EXPL: 0

CVE-2021-3629: A flaw was found in Undertow. A security issue in the handling of HTTP/2 flow control driven by the browser may cause overhead or a denial of service on the server. The highest threat from this vulnerability is to availability. This flaw affects Undertow versions prior to 2.0.40.Final and prior to 2.2.11.Final.
References: https://bugzilla.redhat.com/show_bug.cgi?id=1977362 ; https://security.netapp.com/advisory/ntap-20220729-0008 ; https://access.redhat.com/security/cve/CVE-2021-3629
Weakness: CWE-400: Uncontrolled Resource Consumption

CVSS: 3.3 | EPSS: 0% | CPEs: 3 | EXPL: 0

CVE-2021-3644: A flaw was found in wildfly-core in all versions. If a vault expression takes the form of a single attribute that contains multiple expressions, a user who has been granted access to the management interface can potentially access a vault expression they should not be able to access and possibly retrieve the item stored in the vault. The highest threat from this vulnerability is to data confidentiality and integrity.
References: https://access.redhat.com/security/cve/CVE-2021-3644 ; https://bugzilla.redhat.com/show_bug.cgi?id=1976052 ; https://github.com/wildfly/wildfly-core/commit/06dd9884f6ba50470b1fb5a35198a8784f037714 ; https://github.com/wildfly/wildfly-core/commit/6d8db43cd43b5994b7a14003db978064e086090b ; https://github.com/wildfly/wildfly-core/pull/4668 ; https://issues.redhat.com/browse/WFCORE-5511
Weakness: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 5.3 | EPSS: 0% | CPEs: 15 | EXPL: 0

CVE-2021-3642: A flaw was found in Wildfly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final, where ScramServer may be susceptible to a timing attack if enabled. The highest threat from this vulnerability is to confidentiality.
References: https://bugzilla.redhat.com/show_bug.cgi?id=1981407 ; https://access.redhat.com/security/cve/CVE-2021-3642
Weakness: CWE-203: Observable Discrepancy

CVSS: 5.5 | EPSS: 0% | CPEs: 2 | EXPL: 0

It was found that the issue behind security flaw CVE-2019-3805 reappeared in a later version of JBoss Enterprise Application Platform - Continuous Delivery (EAP-CD), introducing a regression. An attacker could exploit this by modifying the PID file in /var/run/jboss-eap/, allowing the init.d script to terminate any process as root.
References: https://bugzilla.redhat.com/show_bug.cgi?id=1854251
Weakness: CWE-364: Signal Handler Race Condition