CVSS: 7.5EPSS: 1%CPEs: 7EXPL: 0CVE-2014-3481 – JAX-RS: Information disclosure via XML eXternal Entity (XXE)
https://notcve.org/view.php?id=CVE-2014-3481
26 Jun 2014 — org.jboss.as.jaxrs.deployment.JaxrsIntegrationProcessor in Red Hat JBoss Enterprise Application Platform (JEAP) before 6.2.4 enables entity expansion, which allows remote attackers to read arbitrary files via unspecified vectors, related to an XML External Entity (XXE) issue. org.jboss.as.jaxrs.deployment.JaxrsIntegrationProcessor en Red Hat JBoss Enterprise Application Platform (JEAP) anterior a 6.2.4 habilita la expansión de entidad, lo que permite a atacantes remotos leer ficheros arbitrarios a través de... • http://rhn.redhat.com/errata/RHSA-2014-0797.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2014-0059 – JBossSX/PicketBox: World readable audit.log file
https://notcve.org/view.php?id=CVE-2014-0059
28 May 2014 — JBoss SX and PicketBox, as used in Red Hat JBoss Enterprise Application Platform (EAP) before 6.2.3, use world-readable permissions on audit.log, which allows local users to obtain sensitive information by reading this file. JBoss SX y PicketBox, como se usan en Red Hat JBoss Enterprise Application Platform (EAP) en versiones anteriores a 6.2.3, utilizan permisos de lectura universal en audit.log, lo que permite a usuarios locales obtener información sensible leyendo este archivo. It was found that the secu... • http://rhn.redhat.com/errata/RHSA-2014-0563.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 5.5EPSS: 0%CPEs: 17EXPL: 0CVE-2013-2133 – WS: EJB3 role restrictions are not applied to jaxws handlers
https://notcve.org/view.php?id=CVE-2013-2133
05 Dec 2013 — The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) before 6.2.0, does not properly enforce the method level restrictions for JAX-WS Service endpoints, which allows remote authenticated users to access otherwise restricted JAX-WS handlers by leveraging permissions to the EJB class. La implementación del manejador de invocación EJB en Red Hat JBossWS, como se utiliza en JBoss Enterprise Application Platform (EAP) anteriores a 6.2.0, no hace cum... • http://rhn.redhat.com/errata/RHSA-2013-1784.html • CWE-264: Permissions, Privileges, and Access Controls CWE-862: Missing Authorization •
CVSS: 5.5EPSS: 0%CPEs: 29EXPL: 0CVE-2013-4112 – JGroups: Authentication via cached credentials
https://notcve.org/view.php?id=CVE-2013-4112
04 Sep 2013 — The DiagnosticsHandler in JGroup 3.0.x, 3.1.x, 3.2.x before 3.2.9, and 3.3.x before 3.3.3 allows remote attackers to obtain sensitive information (diagnostic information) and execute arbitrary code by reusing valid credentials. El DiagnosticsHandler en JGroup 3.0.x, 3.1.x, 3.2.x anterior a 3.2.9 , y 3.3.x anterior a 3.3.3 permite a atacantes remotos obtener información sensible (información de disgnósticos) y ejecutar codigo arbitrario reutilizando credenciales válidas Red Hat JBoss Data Grid is a distribut... • http://rhn.redhat.com/errata/RHSA-2013-1207.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 3.3EPSS: 0%CPEs: 13EXPL: 0CVE-2013-1921 – PicketBox: Insecure storage of masked passwords
https://notcve.org/view.php?id=CVE-2013-1921
04 Sep 2013 — PicketBox, as used in Red Hat JBoss Enterprise Application Platform before 6.1.1, allows local users to obtain the admin encryption key by reading the Vault data file. PicketBox, utilizado en Red Hat JBoss Enterprise Application Platform anteriores a 6.1.1, permite a un usuario local obtener la clave de cifrado de administrador leyendo el archivo de datos Vault. Red Hat JBoss Data Grid is a distributed in-memory data grid, based on Infinispan. This release of Red Hat JBoss Data Grid 6.2.0 serves as a replac... • http://rhn.redhat.com/errata/RHSA-2013-1207.html • CWE-310: Cryptographic Issues •
CVSS: 7.5EPSS: 34%CPEs: 99EXPL: 2CVE-2013-2165 – RichFaces: Remote code execution due to insecure deserialization
https://notcve.org/view.php?id=CVE-2013-2165
10 Jul 2013 — ResourceBuilderImpl.java in the RichFaces 3.x through 5.x implementation in Red Hat JBoss Web Framework Kit before 2.3.0, Red Hat JBoss Web Platform through 5.2.0, Red Hat JBoss Enterprise Application Platform through 4.3.0 CP10 and 5.x through 5.2.0, Red Hat JBoss BRMS through 5.3.1, Red Hat JBoss SOA Platform through 4.3.0 CP05 and 5.x through 5.3.1, Red Hat JBoss Portal through 4.3 CP07 and 5.x through 5.2.2, and Red Hat JBoss Operations Network through 2.4.2 and 3.x through 3.1.2 does not restrict the c... • https://packetstorm.news/files/id/156663 • CWE-264: Permissions, Privileges, and Access Controls CWE-502: Deserialization of Untrusted Data •
CVSS: 9.1EPSS: 0%CPEs: 21EXPL: 0CVE-2012-4572 – JBoss: custom authorization module implementations shared between applications
https://notcve.org/view.php?id=CVE-2012-4572
20 May 2013 — Red Hat JBoss Enterprise Application Platform (EAP) before 6.1.0 and JBoss Portal before 6.1.0 does not load the implementation of a custom authorization module for a new application when an implementation is already loaded and the modules share class names, which allows local users to control certain applications' authorization decisions via a crafted application. Red Hat JBoss Enterprise Application Platform (EAP) antes de 6.1.0 y JBoss Portal anteriores a 6.1.0 no carga la implementación de un módulo de ... • http://rhn.redhat.com/errata/RHSA-2013-0833.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 9.8EPSS: 0%CPEs: 11EXPL: 0CVE-2012-4549 – AS: EJB authorization succeeds for any role when allowed roles list is empty
https://notcve.org/view.php?id=CVE-2012-4549
19 Dec 2012 — The processInvocation function in org.jboss.as.ejb3.security.AuthorizationInterceptor in JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) before 6.0.1, authorizes all requests when no roles are allowed for an Enterprise Java Beans (EJB) method invocation, which allows attackers to bypass intended access restrictions for EJB methods. La función processInvocation en org.jboss.as.ejb3.security.AuthorizationInterceptor en JBoss Enterprise Application Platform (tambien conocido como JBoss EAP o JBE... • http://rhn.redhat.com/errata/RHSA-2012-1591.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 1%CPEs: 4EXPL: 0CVE-2011-4610 – JBoss Web remote denial of service when surrogate pair character is placed at buffer boundary
https://notcve.org/view.php?id=CVE-2011-4610
01 Feb 2012 — JBoss Web, as used in Red Hat JBoss Communications Platform before 5.1.3, Enterprise Web Platform before 5.1.2, Enterprise Application Platform before 5.1.2, and other products, allows remote attackers to cause a denial of service (infinite loop) via vectors related to a crafted UTF-8 and a "surrogate pair character" that is "at the boundary of an internal buffer." JBoss Web, utilizado en Red Hat JBoss Communications Platform anterior a 5.1.3, Enterprise Web Platform anterior a 5.1.2, Enterprise Application... • http://rhn.redhat.com/errata/RHSA-2012-0074.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 9.8EPSS: 0%CPEs: 26EXPL: 1CVE-2011-4085 – Invoker servlets authentication bypass (HTTP verb tampering)
https://notcve.org/view.php?id=CVE-2011-4085
17 Nov 2011 — The servlets invoked by httpha-invoker in JBoss Enterprise Application Platform before 5.1.2, SOA Platform before 5.2.0, BRMS Platform before 5.3.0, and Portal Platform before 4.3 CP07 perform access control only for the GET and POST methods, which allow remote attackers to bypass authentication by sending a request with a different method. NOTE: this vulnerability exists because of a CVE-2010-0738 regression. Los servlets invocados por httpha-invoker en JBoss Enterprise Application Platform anterior a v5.1... • https://packetstorm.news/files/id/107660 • CWE-287: Improper Authentication •