CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2014-3464 – WS: Incomplete fix for CVE-2013-2133
https://notcve.org/view.php?id=CVE-2014-3464
19 Aug 2014 — The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) 6.2.0 and 6.3.0, does not properly enforce the method level restrictions for outbound messages, which allows remote authenticated users to access otherwise restricted JAX-WS handlers by leveraging permissions to the EJB class. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-2133. La implementación del manejador de la invocación EJB en Red Hat JBossWS, utilizada en JB... • http://rhn.redhat.com/errata/RHSA-2014-1019.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 46%CPEs: 8EXPL: 0CVE-2014-0118 – httpd: mod_deflate denial of service
https://notcve.org/view.php?id=CVE-2014-0118
20 Jul 2014 — The deflate_in_filter function in mod_deflate.c in the mod_deflate module in the Apache HTTP Server before 2.4.10, when request body decompression is enabled, allows remote attackers to cause a denial of service (resource consumption) via crafted request data that decompresses to a much larger size. La función deflate_in_filter en mod_deflate.c en el módulo mod_deflate en Apache HTTP Server anterior a 2.4.10, cuando la descompresión del cuerpo de una solicitud está habilitada, permite a atacantes remotos ca... • http://advisories.mageia.org/MGASA-2014-0304.html • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.5EPSS: 69%CPEs: 18EXPL: 5CVE-2014-0226 – Apache httpd mod_status Heap Buffer Overflow Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2014-0226
16 Jul 2014 — Race condition in the mod_status module in the Apache HTTP Server before 2.4.10 allows remote attackers to cause a denial of service (heap-based buffer overflow), or possibly obtain sensitive credential information or execute arbitrary code, via a crafted request that triggers improper scoreboard handling within the status_handler function in modules/generators/mod_status.c and the lua_ap_scoreboard_worker function in modules/lua/lua_request.c. Condición de carrera en el módulo mod_status en Apache HTTP Ser... • https://packetstorm.news/files/id/127546 • CWE-122: Heap-based Buffer Overflow CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 7.5EPSS: 2%CPEs: 2EXPL: 0CVE-2014-3530 – PicketLink: XXE via insecure DocumentBuilderFactory usage
https://notcve.org/view.php?id=CVE-2014-3530
15 Jul 2014 — The org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory method in PicketLink, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 5.2.0 and 6.2.4, expands entity references, which allows remote attackers to read arbitrary code and possibly have other unspecified impact via unspecified vectors, related to an XML External Entity (XXE) issue. El método org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory en PicketLink, utilizado en Red Hat JBoss Enterprise Application Pl... • http://rhn.redhat.com/errata/RHSA-2014-0883.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 7.5EPSS: 1%CPEs: 7EXPL: 0CVE-2014-3481 – JAX-RS: Information disclosure via XML eXternal Entity (XXE)
https://notcve.org/view.php?id=CVE-2014-3481
26 Jun 2014 — org.jboss.as.jaxrs.deployment.JaxrsIntegrationProcessor in Red Hat JBoss Enterprise Application Platform (JEAP) before 6.2.4 enables entity expansion, which allows remote attackers to read arbitrary files via unspecified vectors, related to an XML External Entity (XXE) issue. org.jboss.as.jaxrs.deployment.JaxrsIntegrationProcessor en Red Hat JBoss Enterprise Application Platform (JEAP) anterior a 6.2.4 habilita la expansión de entidad, lo que permite a atacantes remotos leer ficheros arbitrarios a través de... • http://rhn.redhat.com/errata/RHSA-2014-0797.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 4.3EPSS: 1%CPEs: 23EXPL: 0CVE-2014-0034 – CXF: The SecurityTokenService accepts certain invalid SAML Tokens as valid
https://notcve.org/view.php?id=CVE-2014-0034
26 Jun 2014 — The SecurityTokenService (STS) in Apache CXF before 2.6.12 and 2.7.x before 2.7.9 does not properly validate SAML tokens when caching is enabled, which allows remote attackers to gain access via an invalid SAML token. SecurityTokenService (STS) en Apache CXF anterior a 2.6.12 y 2.7.x anterior a 2.7.9 no valida debidamente los tokens SAML cuando el cacheo está habilitado, lo que permite a atacantes remotos ganar acceso a través de un token SAML inválido. It was found that the SecurityTokenService (STS), prov... • http://cxf.apache.org/security-advisories.data/CVE-2014-0034.txt.asc • CWE-20: Improper Input Validation CWE-345: Insufficient Verification of Data Authenticity •
CVSS: 4.3EPSS: 1%CPEs: 25EXPL: 0CVE-2014-0035 – CXF: UsernameTokens are sent in plaintext with a Symmetric EncryptBeforeSigning policy
https://notcve.org/view.php?id=CVE-2014-0035
26 Jun 2014 — The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the UsernameToken in cleartext, which allows remote attackers to obtain sensitive information by sniffing the network. SymmetricBinding en Apache CXF anterior a 2.6.13 y 2.7.x anterior a 2.7.10, cuando EncryptBeforeSigning está habilitado y la política UsernameToken está configurada en un EncryptedSupportingToken, transmi... • http://cxf.apache.org/security-advisories.data/CVE-2014-0035.txt.asc • CWE-310: Cryptographic Issues CWE-522: Insufficiently Protected Credentials •
CVSS: 7.4EPSS: 89%CPEs: 28EXPL: 7CVE-2014-0224 – openssl: SSL/TLS MITM vulnerability
https://notcve.org/view.php?id=CVE-2014-0224
05 Jun 2014 — OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability. OpenSSL anterior a 0.9.8za, 1.0.0 anterior a 1.0.0m y 1.0.1 anterior a 1.0.1h no restringe debidamente el proce... • https://packetstorm.news/files/id/180961 • CWE-326: Inadequate Encryption Strength CWE-841: Improper Enforcement of Behavioral Workflow •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2014-0059 – JBossSX/PicketBox: World readable audit.log file
https://notcve.org/view.php?id=CVE-2014-0059
28 May 2014 — JBoss SX and PicketBox, as used in Red Hat JBoss Enterprise Application Platform (EAP) before 6.2.3, use world-readable permissions on audit.log, which allows local users to obtain sensitive information by reading this file. JBoss SX y PicketBox, como se usan en Red Hat JBoss Enterprise Application Platform (EAP) en versiones anteriores a 6.2.3, utilizan permisos de lectura universal en audit.log, lo que permite a usuarios locales obtener información sensible leyendo este archivo. It was found that the secu... • http://rhn.redhat.com/errata/RHSA-2014-0563.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2014-0058 – EAP6: Plain text password logging during security audit
https://notcve.org/view.php?id=CVE-2014-0058
24 Feb 2014 — The security audit functionality in Red Hat JBoss Enterprise Application Platform (EAP) 6.x before 6.2.1 logs request parameters in plaintext, which might allow local users to obtain passwords by reading the log files. La funcionalidad de auditoría de seguridad en Red Hat JBoss Enterprise Application Platform (EAP) 6.x anterior a 6.2.1 registra parámetros de solicitud en texto claro, lo que podría permitir a usuarios locales obtener contraseñas mediante la lectura de los archivos de log. It was found that t... • http://rhn.redhat.com/errata/RHSA-2014-0204.html • CWE-310: Cryptographic Issues •