Page 3 of 17 results (0.009 seconds)

CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0

CVE-2020-1719 – Wildfly: EJBContext principal is not popped back after invoking another EJB using a different Security Domain

https://notcve.org/view.php?id=CVE-2020-1719

A flaw was found in wildfly. The EJBContext principle is not popped back after invoking another EJB using a different Security Domain. The highest threat from this vulnerability is to data confidentiality and integrity. Versions before wildfly 20.0.0.Final are affected. Se ha encontrado un fallo en wildfly. • https://bugzilla.redhat.com/show_bug.cgi?id=1796617 https://access.redhat.com/security/cve/CVE-2020-1719 • CWE-270: Privilege Context Switching Error •

CVSS: 9.1EPSS: 0%CPEs: 8EXPL: 0

CVE-2019-14887 – wildfly: The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use

https://notcve.org/view.php?id=CVE-2019-14887

A flaw was found when an OpenSSL security provider is used with Wildfly, the 'enabled-protocols' value in the Wildfly configuration isn't honored. An attacker could target the traffic sent from Wildfly and downgrade the connection to a weaker version of TLS, potentially breaking the encryption. This could lead to a leak of the data being passed over the network. Wildfly version 7.2.0.GA, 7.2.3.GA and 7.2.5.CR2 are believed to be vulnerable. Se detectó un fallo cuando un proveedor de seguridad OpenSSL es usado con Wildfly, el valor de "enabled-protocols" en la configuración de Wildfly no es respetado. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14887 https://issues.redhat.com/browse/JBEAP-17965 https://security.netapp.com/advisory/ntap-20200327-0007 https://access.redhat.com/security/cve/CVE-2019-14887 https://bugzilla.redhat.com/show_bug.cgi?id=1772008 • CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') •

CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0

CVE-2019-3894 – wildfly: wrong SecurityIdentity for EE concurrency threads that are reused

https://notcve.org/view.php?id=CVE-2019-3894

It was discovered that the ElytronManagedThread in Wildfly's Elytron subsystem in versions from 11 to 16 stores a SecurityIdentity to run the thread as. These threads do not necessarily terminate if the keep alive time has not expired. This could allow a shared thread to use the wrong security identity when executing. Se descubrió que ElytronManagedThread del subsistemas Wildfly's Elytron en versiones desde 11 hasta la 16 almacena un SecurityIdentity para ejecutar el hilo. Estos hilos no necesariamente terminan si el tiempo de mantener activos no ha expirado. • https://access.redhat.com/errata/RHSA-2019:1106 https://access.redhat.com/errata/RHSA-2019:1107 https://access.redhat.com/errata/RHSA-2019:1108 https://access.redhat.com/errata/RHSA-2019:1140 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3894 https://security.netapp.com/advisory/ntap-20190517-0004 https://access.redhat.com/security/cve/CVE-2019-3894 https://bugzilla.redhat.com/show_bug.cgi?id=1682108 • CWE-358: Improperly Implemented Security Check for Standard •

CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0

CVE-2019-3805 – wildfly: Race condition on PID file allows for termination of arbitrary processes by local users

https://notcve.org/view.php?id=CVE-2019-3805

A flaw was discovered in wildfly versions up to 16.0.0.Final that would allow local users who are able to execute init.d script to terminate arbitrary processes on the system. An attacker could exploit this by modifying the PID file in /var/run/jboss-eap/ allowing the init.d script to terminate any process as root. Fue encontrado un fallo en las versiones de wildfly hasta la 16.0.0. Final que permitiría a los usuarios locales capaces de ejecutar el script init.d conllevar a procesos arbitrarios en el sistema. Un atacante podría explotar esto modificando el archivo PID en /var/run/jboss-eap/ permitiendo que el script init.d termine cualquier proceso como root. • https://access.redhat.com/errata/RHSA-2019:1106 https://access.redhat.com/errata/RHSA-2019:1107 https://access.redhat.com/errata/RHSA-2019:1108 https://access.redhat.com/errata/RHSA-2019:1140 https://access.redhat.com/errata/RHSA-2019:2413 https://access.redhat.com/errata/RHSA-2020:0727 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3805 https://security.netapp.com/advisory/ntap-20190517-0004 https://access.redhat.com/security/cve/CVE-2019-3805 https://bugzilla • CWE-269: Improper Privilege Management CWE-364: Signal Handler Race Condition •

CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0

CVE-2018-14627 – JBoss/WildFly: iiop does not honour strict transport confidentiality

https://notcve.org/view.php?id=CVE-2018-14627

The IIOP OpenJDK Subsystem in WildFly before version 14.0.0 does not honour configuration when SSL transport is required. Servers before this version that are configured with the following setting allow clients to create plaintext connections: <transport-config confidentiality="required" trust-in-target="supported"/> El subsistema IIOP OpenJDK en WildFly en versiones anteriores a la 14.0.0 no cumple con al configuración cuando se requiere transporte SSL. Los servidores con versiones anteriores a ésta que estén configurados con las siguientes opciones permiten que los clientes creen conexiones en texto plano: • https://access.redhat.com/errata/RHSA-2018:3527 https://access.redhat.com/errata/RHSA-2018:3528 https://access.redhat.com/errata/RHSA-2018:3529 https://access.redhat.com/errata/RHSA-2018:3595 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14627 https://issues.jboss.org/browse/WFLY-9107 https://security.netapp.com/advisory/ntap-20181221-0002 https://access.redhat.com/security/cve/CVE-2018-14627 https://bugzilla.redhat.com/show_bug.cgi?id=1624664 • CWE-319: Cleartext Transmission of Sensitive Information •