CVSS: 8.1EPSS: 0%CPEs: 12EXPL: 0CVE-2020-1757 – undertow: servletPath is normalized incorrectly leading to dangerous application mapping which could result in security bypass
https://notcve.org/view.php?id=CVE-2020-1757
21 Apr 2020 — A flaw was found in all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1, all undertow-1.x.x and undertow-2.x.x versions prior to undertow-2.1.0.Final, where the Servlet container causes servletPath to normalize incorrectly by truncating the path after semicolon which may lead to an application mapping resulting in the security bypass. Se encontró un fallo en todas las versiones undertow-2.x.x SP1 anteriores a undertow-2.0.30.SP1, en todas las versiones undertow-1.x.x y versiones undertow-2.x.x ante... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1757 • CWE-20: Improper Input Validation CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.1EPSS: 0%CPEs: 8EXPL: 0CVE-2019-14887 – wildfly: The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use
https://notcve.org/view.php?id=CVE-2019-14887
12 Mar 2020 — A flaw was found when an OpenSSL security provider is used with Wildfly, the 'enabled-protocols' value in the Wildfly configuration isn't honored. An attacker could target the traffic sent from Wildfly and downgrade the connection to a weaker version of TLS, potentially breaking the encryption. This could lead to a leak of the data being passed over the network. Wildfly version 7.2.0.GA, 7.2.3.GA and 7.2.5.CR2 are believed to be vulnerable. Se detectó un fallo cuando un proveedor de seguridad OpenSSL es usa... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14887 • CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') •
CVSS: 7.5EPSS: 0%CPEs: 10EXPL: 0CVE-2019-14888 – undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS
https://notcve.org/view.php?id=CVE-2019-14888
20 Jan 2020 — A vulnerability was found in the Undertow HTTP server in versions before 2.0.28.SP1 when listening on HTTPS. An attacker can target the HTTPS port to carry out a Denial Of Service (DOS) to make the service unavailable on SSL. Se detectó una vulnerabilidad en el servidor HTTP Undertow en versiones anteriores a 2.0.28.SP1, al escuchar sobre HTTPS. Un atacante puede apuntar al puerto HTTPS para llevar a cabo una Denegación de Servicio (DOS) para hacer que el servicio no esté disponible en SSL. A vulnerability ... • https://access.redhat.com/errata/RHSA-2020:0729 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 9.8EPSS: 0%CPEs: 11EXPL: 0CVE-2019-14892 – jackson-databind: Serialization gadgets in classes of the commons-configuration package
https://notcve.org/view.php?id=CVE-2019-14892
20 Jan 2020 — A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code. Se detectó un fallo en jackson-databind en las versiones anteriores a 2.9.10, 2.8.11.5 y 2.6.7.3, donde permitiría una deserialización polimórfica de un objeto malicioso utilizando las clases JNDI de commons-configuration 1 y 2. Un atacante... • https://access.redhat.com/errata/RHSA-2020:0729 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-502: Deserialization of Untrusted Data •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 1CVE-2019-10172 – jackson-mapper-asl: XML external entity similar to CVE-2016-3720
https://notcve.org/view.php?id=CVE-2019-10172
18 Nov 2019 — A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar CVE-2016-3720 also affects codehaus jackson-mapper-asl libraries but in different classes. Se detectó un fallo en las bibliotecas org.codehaus.jackson:jackson-mapper-asl:1.9.x. Las vulnerabilidades de tipo XML external entity similares a CVE-2016-3720, también afectan a las bibliotecas codehaus jackson-mapper-asl pero en diferentes clases. A flaw was found in org.codehaus.jackson:jackson-... • https://github.com/rusakovichma/CVE-2019-10172 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 8.8EPSS: 0%CPEs: 14EXPL: 0CVE-2019-10174 – infinispan: invokeAccessibly method from ReflectionUtil class allows to invoke private methods
https://notcve.org/view.php?id=CVE-2019-10174
18 Nov 2019 — A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious behavior into the application. Se encontró una vulnerabilidad en Infinispan, de modo que el método invokeAccessibly de la clase pública ReflectionUtil permite que cualquier clase de aplicación invoque métodos privados en cualquier clase co... • https://access.redhat.com/errata/RHSA-2020:0481 • CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') •
CVSS: 6.5EPSS: 1%CPEs: 429EXPL: 0CVE-2019-10219 – hibernate-validator: safeHTML validator allows XSS
https://notcve.org/view.php?id=CVE-2019-10219
08 Nov 2019 — A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack. Una vulnerabilidad fue encontrada en Hibernate-Validator. La anotación del validador SafeHtml no puede sanear apropiadamente las cargas útiles que consisten en código potencialmente malicioso en los comentarios e instrucciones HTML. • https://access.redhat.com/errata/RHSA-2020:0159 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.4EPSS: 0%CPEs: 2EXPL: 0CVE-2019-14860 – syndesis: default CORS configuration is allow all
https://notcve.org/view.php?id=CVE-2019-14860
30 Oct 2019 — It was found that the Syndesis configuration for Cross-Origin Resource Sharing was set to allow all origins. An attacker could use this lack of protection to conduct phishing attacks and further access unauthorized information. Se detectó que la configuración de Syndesis para Cross-Origin Resource Sharing fue establecida para permitir todos los orígenes. Un atacante podría utilizar esta falta de protección para conducir ataques de phishing y acceder aún más a información no autorizada. This release of Red H... • https://access.redhat.com/errata/RHSA-2019:3892 • CWE-942: Permissive Cross-domain Policy with Untrusted Domains •
CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 0CVE-2019-14820 – keycloak: adapter endpoints are exposed via arbitrary URLs
https://notcve.org/view.php?id=CVE-2019-14820
14 Oct 2019 — It was found that keycloak before version 8.0.0 exposes internal adapter endpoints in org.keycloak.constants.AdapterConstants, which can be invoked via a specially-crafted URL. This vulnerability could allow an attacker to access unauthorized information. Se descubrió que keycloak versiones anteriores la versión 8.0.0, expone los endpoints del adaptador interno en org.keycloak.constants.AdapterConstants, que pueden ser invocadas por medio de una URL especialmente diseñada. Esta vulnerabilidad podría permiti... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14820 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.8EPSS: 0%CPEs: 21EXPL: 0CVE-2019-10212 – undertow: DEBUG log for io.undertow.request.security if enabled leaks credentials to log files
https://notcve.org/view.php?id=CVE-2019-10212
30 Sep 2019 — A flaw was found in, all under 2.0.20, in the Undertow DEBUG log for io.undertow.request.security. If enabled, an attacker could abuse this flaw to obtain the user's credentials from the log files. Se encontró un fallo en, todas las versiones por debajo de la 2.0.20, en el registro DEBUG de Undertow para io.undertow.request.security. Si está habilitado, un atacante podría abusar de este fallo para conseguir las credenciales del usuario de los archivos de registro. A flaw was found in the Undertow DEBUG log ... • https://access.redhat.com/errata/RHSA-2019:2998 • CWE-532: Insertion of Sensitive Information into Log File •