Page 20 of 162 results (0.015 seconds)

CVSS: 4.9EPSS: 0%CPEs: 8EXPL: 0

CVE-2014-7849 – Management: Limited RBAC authorization bypass

https://notcve.org/view.php?id=CVE-2014-7849

The Role Based Access Control (RBAC) implementation in JBoss Enterprise Application Platform (EAP) 6.2.0 through 6.3.2 does not properly verify authorization conditions, which allows remote authenticated users to add, modify, and undefine otherwise restricted attributes by leveraging the Maintainer role. La implementación Role Based Access Control (RBAC) en JBoss Enterprise Application Platform (EAP) 6.2.0 hasta 6.3.2 no verifica correctamente las condiciones de la autorización, lo que permite a usuarios remotos autenticados añadir, modificar y desdefinir atributos de otra manera restringidos mediante el aprovechamiento del rol de mantenador (Maintainer). It was discovered that the Role Based Access Control (RBAC) implementation did not sufficiently verify all authorization conditions that are required by the Maintainer role to perform certain administrative actions. An authenticated user with the Maintainer role could use this flaw to add, modify, or undefine a limited set of attributes and their values, which otherwise cannot be written to. • http://rhn.redhat.com/errata/RHSA-2015-0215.html http://rhn.redhat.com/errata/RHSA-2015-0216.html http://rhn.redhat.com/errata/RHSA-2015-0217.html http://rhn.redhat.com/errata/RHSA-2015-0218.html http://rhn.redhat.com/errata/RHSA-2015-0920.html http://www.securitytracker.com/id/1031741 https://bugzilla.redhat.com/show_bug.cgi?id=1165170 https://exchange.xforce.ibmcloud.com/vulnerabilities/100890 https://access.redhat.com/security/cve/CVE-2014-7849 • CWE-264: Permissions, Privileges, and Access Controls CWE-863: Incorrect Authorization •

CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0

CVE-2014-3464 – WS: Incomplete fix for CVE-2013-2133

https://notcve.org/view.php?id=CVE-2014-3464

The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) 6.2.0 and 6.3.0, does not properly enforce the method level restrictions for outbound messages, which allows remote authenticated users to access otherwise restricted JAX-WS handlers by leveraging permissions to the EJB class. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-2133. La implementación del manejador de la invocación EJB en Red Hat JBossWS, utilizada en JBoss Enterprise Application Platform (EAP) 6.2.0 y 6.3.0, no aplica debidamente las restricciones de nivel de método para mensajes salientes, lo que permite a usuarios remotos autenticados acceder a manejadores JAX-WS de otra manera restringidos mediante el aprovechamiento de permisos para la clase EJB. NOTA: esta vulnerabilidad existe debido a una solución incompleta para el CVE-2013-2133. It was found that the fix for CVE-2013-2133 was incomplete: the JAX-WS handlers were being executed for outbound messages even when authorization had failed. • http://rhn.redhat.com/errata/RHSA-2014-1019.html http://rhn.redhat.com/errata/RHSA-2014-1020.html http://rhn.redhat.com/errata/RHSA-2014-1021.html https://bugzilla.redhat.com/show_bug.cgi?id=1102317 https://exchange.xforce.ibmcloud.com/vulnerabilities/95409 https://access.redhat.com/security/cve/CVE-2014-3464 • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 0

CVE-2014-3472 – Security: Invalid EJB caller role check implementation

https://notcve.org/view.php?id=CVE-2014-3472

The isCallerInRole function in SimpleSecurityManager in JBoss Application Server (AS) 7, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 6.3.0, does not properly check caller roles, which allows remote authenticated users to bypass access restrictions via unspecified vectors. La función isCallerInRole en SimpleSecurityManager en JBoss Application Server (AS) 7, utilizada en Red Hat JBoss Enterprise Application Platform (JBEAP) 6.3.0, no comprueba debidamente los roles de llamadores, lo que permite a usuarios remotos autenticados evadir las restricciones de acceso a través de vectores no especificados. It was found that the isCallerInRole() method of the SimpleSecurityManager did not correctly check caller roles. A remote, authenticated attacker could use this flaw to circumvent the caller check in applications that use black list access control based on caller roles. • http://rhn.redhat.com/errata/RHSA-2014-1019.html http://rhn.redhat.com/errata/RHSA-2014-1020.html http://rhn.redhat.com/errata/RHSA-2014-1021.html http://rhn.redhat.com/errata/RHSA-2015-0720.html http://www.securityfocus.com/bid/69094 https://bugzilla.redhat.com/show_bug.cgi?id=1103815 https://exchange.xforce.ibmcloud.com/vulnerabilities/95170 https://access.redhat.com/security/cve/CVE-2014-3472 • CWE-184: Incomplete List of Disallowed Inputs CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 7.5EPSS: 0%CPEs: 10EXPL: 0

CVE-2014-3490 – RESTEasy: XXE via parameter entities

https://notcve.org/view.php?id=CVE-2014-3490

RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0, does not disable external entities when the resteasy.document.expand.entity.references parameter is set to false, which allows remote attackers to read arbitrary files and have other unspecified impact via unspecified vectors, related to an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0818. RESTEasy 2.3.1 anterior a 2.3.8.SP2 y 3.x anterior a 3.0.9, utilizado en Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0, no deshabilita entidades externas cuando el parámetro resteasy.document.expand.entity.references está configurado en falso, lo que permite a atacantes remotos leer ficheros arbitrarios y tener otro impacto no especificado a través de vectores no especificados, relacionado con un problema de entidad externa XML (XXE). NOTA: este vulnerabilidad existe debido a una solución incompleta para el CVE-2012-0818. It was found that the fix for CVE-2012-0818 was incomplete: external parameter entities were not disabled when the resteasy.document.expand.entity.references parameter was set to false. • http://rhn.redhat.com/errata/RHSA-2014-1011.html http://rhn.redhat.com/errata/RHSA-2014-1039.html http://rhn.redhat.com/errata/RHSA-2014-1040.html http://rhn.redhat.com/errata/RHSA-2014-1298.html http://rhn.redhat.com/errata/RHSA-2015-0125.html http://rhn.redhat.com/errata/RHSA-2015-0675.html http://rhn.redhat.com/errata/RHSA-2015-0720.html http://rhn.redhat.com/errata/RHSA-2015-0765.html http://secunia.com/advisories/60019 http://www.oracle.com/technet • CWE-611: Improper Restriction of XML External Entity Reference •

CVSS: 5.0EPSS: 45%CPEs: 8EXPL: 0

CVE-2014-0118 – httpd: mod_deflate denial of service

https://notcve.org/view.php?id=CVE-2014-0118

The deflate_in_filter function in mod_deflate.c in the mod_deflate module in the Apache HTTP Server before 2.4.10, when request body decompression is enabled, allows remote attackers to cause a denial of service (resource consumption) via crafted request data that decompresses to a much larger size. La función deflate_in_filter en mod_deflate.c en el módulo mod_deflate en Apache HTTP Server anterior a 2.4.10, cuando la descompresión del cuerpo de una solicitud está habilitada, permite a atacantes remotos causar una denegación de servicio (consumo de recursos) a través de datos de solicitudes manipulados que descomprime a un tamaño mucho más grande. A denial of service flaw was found in the way httpd's mod_deflate module handled request body decompression (configured via the "DEFLATE" input filter). A remote attacker able to send a request whose body would be decompressed could use this flaw to consume an excessive amount of system memory and CPU on the target system. • http://advisories.mageia.org/MGASA-2014-0304.html http://advisories.mageia.org/MGASA-2014-0305.html http://httpd.apache.org/security/vulnerabilities_24.html http://lists.apple.com/archives/security-announce/2015/Apr/msg00001.html http://marc.info/?l=bugtraq&m=143403519711434&w=2 http://marc.info/?l=bugtraq&m=143748090628601&w=2 http://marc.info/?l=bugtraq&m=144050155601375&w=2 http://marc.info/?l=bugtraq&m=144493176821532&w=2 http://rhn.redhat.com/errata/RHSA-2014 • CWE-400: Uncontrolled Resource Consumption •