CVSS: 7.5EPSS: 0%CPEs: 10EXPL: 0CVE-2019-14888 – undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS
https://notcve.org/view.php?id=CVE-2019-14888
20 Jan 2020 — A vulnerability was found in the Undertow HTTP server in versions before 2.0.28.SP1 when listening on HTTPS. An attacker can target the HTTPS port to carry out a Denial Of Service (DOS) to make the service unavailable on SSL. Se detectó una vulnerabilidad en el servidor HTTP Undertow en versiones anteriores a 2.0.28.SP1, al escuchar sobre HTTPS. Un atacante puede apuntar al puerto HTTPS para llevar a cabo una Denegación de Servicio (DOS) para hacer que el servicio no esté disponible en SSL. A vulnerability ... • https://access.redhat.com/errata/RHSA-2020:0729 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 9.8EPSS: 0%CPEs: 11EXPL: 0CVE-2019-14892 – jackson-databind: Serialization gadgets in classes of the commons-configuration package
https://notcve.org/view.php?id=CVE-2019-14892
20 Jan 2020 — A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code. Se detectó un fallo en jackson-databind en las versiones anteriores a 2.9.10, 2.8.11.5 y 2.6.7.3, donde permitiría una deserialización polimórfica de un objeto malicioso utilizando las clases JNDI de commons-configuration 1 y 2. Un atacante... • https://access.redhat.com/errata/RHSA-2020:0729 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2019-10158 – infinispan: Session fixation protection broken for Spring Session integration
https://notcve.org/view.php?id=CVE-2019-10158
02 Dec 2019 — A flaw was found in Infinispan through version 9.4.14.Final. An improper implementation of the session fixation protection in the Spring Session integration can result in incorrect session handling. Se encontró un fallo en Infinispan versiones hasta la versión 9.4.14.Final. Una implementación inapropiada de la protección de fijación de sesión en la integración de Spring Session puede resultar en un manejo de sesión incorrecto. Red Hat Data Grid is a distributed, in-memory, NoSQL datastore based on the Infin... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10158 • CWE-384: Session Fixation •
CVSS: 8.8EPSS: 0%CPEs: 14EXPL: 0CVE-2019-10174 – infinispan: invokeAccessibly method from ReflectionUtil class allows to invoke private methods
https://notcve.org/view.php?id=CVE-2019-10174
18 Nov 2019 — A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious behavior into the application. Se encontró una vulnerabilidad en Infinispan, de modo que el método invokeAccessibly de la clase pública ReflectionUtil permite que cualquier clase de aplicación invoque métodos privados en cualquier clase co... • https://access.redhat.com/errata/RHSA-2020:0481 • CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') •
CVSS: 6.5EPSS: 1%CPEs: 429EXPL: 0CVE-2019-10219 – hibernate-validator: safeHTML validator allows XSS
https://notcve.org/view.php?id=CVE-2019-10219
08 Nov 2019 — A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack. Una vulnerabilidad fue encontrada en Hibernate-Validator. La anotación del validador SafeHtml no puede sanear apropiadamente las cargas útiles que consisten en código potencialmente malicioso en los comentarios e instrucciones HTML. • https://access.redhat.com/errata/RHSA-2020:0159 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.2EPSS: 0%CPEs: 17EXPL: 0CVE-2019-14838 – wildfly-core: Incorrect privileges for 'Monitor', 'Auditor' and 'Deployer' user by default
https://notcve.org/view.php?id=CVE-2019-14838
14 Oct 2019 — A flaw was found in wildfly-core before 7.2.5.GA. The Management users with Monitor, Auditor and Deployer Roles should not be allowed to modify the runtime state of the server Se detectó un error en wildfly-core en versiones anteriores a la 7.2.5.GA. Los usuarios de administración con funciones de monitor, auditor e implementador no deberían poder modificar el estado de tiempo de ejecución del servidor It was found that Wildfly users had default user permissions set incorrectly. A malicious user could use t... • https://access.redhat.com/errata/RHSA-2019:3082 • CWE-269: Improper Privilege Management CWE-284: Improper Access Control •
CVSS: 9.8EPSS: 0%CPEs: 21EXPL: 0CVE-2019-10212 – undertow: DEBUG log for io.undertow.request.security if enabled leaks credentials to log files
https://notcve.org/view.php?id=CVE-2019-10212
30 Sep 2019 — A flaw was found in, all under 2.0.20, in the Undertow DEBUG log for io.undertow.request.security. If enabled, an attacker could abuse this flaw to obtain the user's credentials from the log files. Se encontró un fallo en, todas las versiones por debajo de la 2.0.20, en el registro DEBUG de Undertow para io.undertow.request.security. Si está habilitado, un atacante podría abusar de este fallo para conseguir las credenciales del usuario de los archivos de registro. A flaw was found in the Undertow DEBUG log ... • https://access.redhat.com/errata/RHSA-2019:2998 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 7.5EPSS: 1%CPEs: 28EXPL: 0CVE-2019-10184 – undertow: Information leak in requests for directories without trailing slashes
https://notcve.org/view.php?id=CVE-2019-10184
25 Jul 2019 — undertow before version 2.0.23.Final is vulnerable to an information leak issue. Web apps may have their directory structures predicted through requests without trailing slashes via the api. Undertow en versiones anteriores a la 2.0.23.Final es vulnerable a un problema de fuga de información. Las aplicaciones web pueden tener sus estructuras de directorio predecibles a través de solicitudes sin barras finales mediante la API. Red Hat Single Sign-On 7.3 is a standalone server, based on the Keycloak project, ... • https://access.redhat.com/errata/RHSA-2019:2935 • CWE-862: Missing Authorization •
CVSS: 9.8EPSS: 0%CPEs: 9EXPL: 0CVE-2019-3888 – undertow: leak credentials to log files UndertowLogger.REQUEST_LOGGER.undertowRequestFailed
https://notcve.org/view.php?id=CVE-2019-3888
10 Jun 2019 — A vulnerability was found in Undertow web server before 2.0.21. An information exposure of plain text credentials through log files because Connectors.executeRootHandler:402 logs the HttpServerExchange object at ERROR level using UndertowLogger.REQUEST_LOGGER.undertowRequestFailed(t, exchange) Se encontró una vulnerabilidad en servidor web de Undertow versión anterior a 2.0.21. Una exposición de información de las credenciales de texto plano por medio de los archivos de registro porque Connectors.executeRoo... • http://www.securityfocus.com/bid/108739 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 0CVE-2018-1131 – infinispan: deserialization of data in XML and JSON transcoders
https://notcve.org/view.php?id=CVE-2018-1131
15 May 2018 — Infinispan permits improper deserialization of trusted data via XML and JSON transcoders under certain server configurations. A user with authenticated access to the server could send a malicious object to a cache configured to accept certain types of objects, achieving code execution and possible further attacks. Versions 9.0.3.Final, 9.1.7.Final, 8.2.10.Final, 9.2.2.Final, 9.3.0.Alpha1 are believed to be affected. Infinispan permite la deserialización incorrecta de datos fiables mediante transcodificadore... • http://www.securityfocus.com/bid/104218 • CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data CWE-502: Deserialization of Untrusted Data •