CVSS: 7.5EPSS: 1%CPEs: 4EXPL: 0CVE-2011-4610 – JBoss Web remote denial of service when surrogate pair character is placed at buffer boundary
https://notcve.org/view.php?id=CVE-2011-4610
10 Feb 2014 — JBoss Web, as used in Red Hat JBoss Communications Platform before 5.1.3, Enterprise Web Platform before 5.1.2, Enterprise Application Platform before 5.1.2, and other products, allows remote attackers to cause a denial of service (infinite loop) via vectors related to a crafted UTF-8 and a "surrogate pair character" that is "at the boundary of an internal buffer." JBoss Web, utilizado en Red Hat JBoss Communications Platform anterior a 5.1.3, Enterprise Web Platform anterior a 5.1.2, Enterprise Application... • http://rhn.redhat.com/errata/RHSA-2012-0074.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 5.5EPSS: 0%CPEs: 17EXPL: 0CVE-2013-2133 – WS: EJB3 role restrictions are not applied to jaxws handlers
https://notcve.org/view.php?id=CVE-2013-2133
05 Dec 2013 — The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) before 6.2.0, does not properly enforce the method level restrictions for JAX-WS Service endpoints, which allows remote authenticated users to access otherwise restricted JAX-WS handlers by leveraging permissions to the EJB class. La implementación del manejador de invocación EJB en Red Hat JBossWS, como se utiliza en JBoss Enterprise Application Platform (EAP) anteriores a 6.2.0, no hace cum... • http://rhn.redhat.com/errata/RHSA-2013-1784.html • CWE-264: Permissions, Privileges, and Access Controls CWE-862: Missing Authorization •
CVSS: 7.5EPSS: 1%CPEs: 6EXPL: 0CVE-2013-4210 – Remoting: DoS by file descriptor exhaustion
https://notcve.org/view.php?id=CVE-2013-4210
30 Sep 2013 — The org.jboss.remoting.transport.socket.ServerThread class in Red Hat JBoss Remoting for Red Hat JBoss SOA Platform 5.3.1 GA, Web Platform 5.2.0, Enterprise Application Platform 5.2.0, and other products allows remote attackers to cause a denial of service (file descriptor consumption) via unspecified vectors. La clase org.jboss.remoting.transport.socket.ServerThread en Red Hat JBoss Remoting para Red Hat JBoss SOA Platform 5.3.1 GA, Web Platform 5.2.0, Enterprise Application Platform 5.2.0, y otros product... • http://rhn.redhat.com/errata/RHSA-2013-1369.html •
CVSS: 3.3EPSS: 0%CPEs: 13EXPL: 0CVE-2013-1921 – PicketBox: Insecure storage of masked passwords
https://notcve.org/view.php?id=CVE-2013-1921
04 Sep 2013 — PicketBox, as used in Red Hat JBoss Enterprise Application Platform before 6.1.1, allows local users to obtain the admin encryption key by reading the Vault data file. PicketBox, utilizado en Red Hat JBoss Enterprise Application Platform anteriores a 6.1.1, permite a un usuario local obtener la clave de cifrado de administrador leyendo el archivo de datos Vault. Red Hat JBoss Data Grid is a distributed in-memory data grid, based on Infinispan. This release of Red Hat JBoss Data Grid 6.2.0 serves as a replac... • http://rhn.redhat.com/errata/RHSA-2013-1207.html • CWE-310: Cryptographic Issues •
CVSS: 7.5EPSS: 1%CPEs: 17EXPL: 0CVE-2011-1483 – JBossWS remote Denial of Service
https://notcve.org/view.php?id=CVE-2011-1483
25 Jul 2013 — wsf/common/DOMUtils.java in JBossWS Native in Red Hat JBoss Enterprise Application Platform 4.2.0.CP09, 4.3, and 5.1.1; JBoss Enterprise Portal Platform 4.3.CP06 and 5.1.1; JBoss Enterprise SOA Platform 4.2.CP05, 4.3.CP05, and 5.1.0; JBoss Communications Platform 1.2.11 and 5.1.1; JBoss Enterprise BRMS Platform 5.1.0; and JBoss Enterprise Web Platform 5.1.1 does not properly handle recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via ... • http://source.jboss.org/changelog/JBossWS/?cs=13996 •
CVSS: 7.5EPSS: 34%CPEs: 99EXPL: 2CVE-2013-2165 – RichFaces: Remote code execution due to insecure deserialization
https://notcve.org/view.php?id=CVE-2013-2165
10 Jul 2013 — ResourceBuilderImpl.java in the RichFaces 3.x through 5.x implementation in Red Hat JBoss Web Framework Kit before 2.3.0, Red Hat JBoss Web Platform through 5.2.0, Red Hat JBoss Enterprise Application Platform through 4.3.0 CP10 and 5.x through 5.2.0, Red Hat JBoss BRMS through 5.3.1, Red Hat JBoss SOA Platform through 4.3.0 CP05 and 5.x through 5.3.1, Red Hat JBoss Portal through 4.3 CP07 and 5.x through 5.2.2, and Red Hat JBoss Operations Network through 2.4.2 and 3.x through 3.1.2 does not restrict the c... • https://packetstorm.news/files/id/156663 • CWE-264: Permissions, Privileges, and Access Controls CWE-502: Deserialization of Untrusted Data •
CVSS: 7.8EPSS: 0%CPEs: 12EXPL: 0CVE-2011-2487 – jbossws: Prone to Bleichenbacher attack against to be distributed symmetric key
https://notcve.org/view.php?id=CVE-2011-2487
18 Jun 2013 — The implementations of PKCS#1 v1.5 key transport mechanism for XMLEncryption in JBossWS and Apache WSS4J before 1.6.5 is susceptible to a Bleichenbacher attack. Las implementaciones del mecanismo de transporte de claves PKCS#1 versión v1.5 para XMLEncryption en JBossWS y Apache WSS4J versiones anteriores a 1.6.5, son susceptibles a un ataque de tipo Bleichenbacher A flaw was found in JBoss web services where the services used a weak symmetric encryption protocol, PKCS#1 v1.5. An attacker could use this weak... • http://cxf.apache.org/note-on-cve-2011-2487.html • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •
CVSS: 4.3EPSS: 0%CPEs: 11EXPL: 0CVE-2012-4529 – Web: jsessionid exposed via encoded url when using cookie based session tracking
https://notcve.org/view.php?id=CVE-2012-4529
20 May 2013 — The org.apache.catalina.connector.Response.encodeURL method in Red Hat JBoss Web 7.1.x and earlier, when the tracking mode is set to COOKIE, sends the jsessionid in the URL of the first response of a session, which allows remote attackers to obtain the session id (1) via a man-in-the-middle attack or (2) by reading a log. El método org.apache.catalina.connector.Response.encodeURL en Red Hat JBoss Web 7.1.x y anteriores, cuando el modo de traceo está fijado a COOKIE, envia el parámetro jsessionid en la URL d... • http://ocpsoft.org/support/topic/session-id-is-appended-as-url-path-parameter-in-very-first-request •
CVSS: 9.1EPSS: 0%CPEs: 21EXPL: 0CVE-2012-4572 – JBoss: custom authorization module implementations shared between applications
https://notcve.org/view.php?id=CVE-2012-4572
20 May 2013 — Red Hat JBoss Enterprise Application Platform (EAP) before 6.1.0 and JBoss Portal before 6.1.0 does not load the implementation of a custom authorization module for a new application when an implementation is already loaded and the modules share class names, which allows local users to control certain applications' authorization decisions via a crafted application. Red Hat JBoss Enterprise Application Platform (EAP) antes de 6.1.0 y JBoss Portal anteriores a 6.1.0 no carga la implementación de un módulo de ... • http://rhn.redhat.com/errata/RHSA-2013-0833.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.8EPSS: 8%CPEs: 26EXPL: 1CVE-2012-5575 – apache-cxf: XML encryption backwards compatibility attacks
https://notcve.org/view.php?id=CVE-2012-5575
20 May 2013 — Apache CXF 2.5.x before 2.5.10, 2.6.x before CXF 2.6.7, and 2.7.x before CXF 2.7.4 does not verify that a specified cryptographic algorithm is allowed by the WS-SecurityPolicy AlgorithmSuite definition before decrypting, which allows remote attackers to force CXF to use weaker cryptographic algorithms than intended and makes it easier to decrypt communications, aka "XML Encryption backwards compatibility attack." Apache CXF en versiones 2.5.x anteriores a la 2.5.10, 2.6.x anteriores a CXF 2.6.7 y 2.7.x ante... • https://github.com/tafamace/CVE-2012-5575 • CWE-310: Cryptographic Issues CWE-327: Use of a Broken or Risky Cryptographic Algorithm •