CVSS: 10.0EPSS: 1%CPEs: 19EXPL: 1CVE-2015-7501 – apache-commons-collections: InvokerTransformer code execution during deserialisation
https://notcve.org/view.php?id=CVE-2015-7501
20 Nov 2015 — Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collect... • https://github.com/ianxtianxt/CVE-2015-7501 • CWE-284: Improper Access Control CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2015-5188 – EAP: CSRF vulnerability in EAP & WildFly Web Console
https://notcve.org/view.php?id=CVE-2015-5188
15 Oct 2015 — Cross-site request forgery (CSRF) vulnerability in the Web Console (web-console) in Red Hat Enterprise Application Platform before 6.4.4 and WildFly (formerly JBoss Application Server) before 2.0.0.CR9 allows remote attackers to hijack the authentication of administrators for requests that make arbitrary changes to an instance via vectors involving a file upload using a multipart/form-data submission. Vulnerabilidad de CSRF en la Web Console (web-console) en Red Hat Enterprise Application Platform en versio... • http://rhn.redhat.com/errata/RHSA-2015-1904.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2015-5178 – AS/WildFly: missing X-Frame-Options header leading to clickjacking
https://notcve.org/view.php?id=CVE-2015-5178
15 Oct 2015 — The Management Console in Red Hat Enterprise Application Platform before 6.4.4 and WildFly (formerly JBoss Application Server) does not send an X-Frame-Options HTTP header, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web page that contains a (1) FRAME or (2) IFRAME element. Management Console en Red Hat Enterprise Application Platform en versiones anteriores a 6.4.4 y WildFly (anteriormente JBoss Application Server) no envía una cabecera HTTP X-Frame-Options, lo ... • http://rhn.redhat.com/errata/RHSA-2015-1904.html • CWE-20: Improper Input Validation CWE-254: 7PK - Security Features •
CVSS: 9.8EPSS: 1%CPEs: 2EXPL: 0CVE-2015-5220 – OOME from EAP 6 http management console
https://notcve.org/view.php?id=CVE-2015-5220
15 Oct 2015 — The Web Console in Red Hat Enterprise Application Platform (EAP) before 6.4.4 and WildFly (formerly JBoss Application Server) allows remote attackers to cause a denial of service (memory consumption) via a large request header. Web Console en Red Hat Enterprise Application Platform (EAP) en versiones anteriores a 6.4.4 y WildFly (anteriormente JBoss Application Server) permite a atacantes remotos provocar una denegación de servicio (consumo de la memoria) a través de una cabecera de petición grande. It was ... • http://rhn.redhat.com/errata/RHSA-2015-1904.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2014-3586 – CLI: Insecure default permissions on history file
https://notcve.org/view.php?id=CVE-2014-3586
17 Apr 2015 — The default configuration for the Command Line Interface in Red Hat Enterprise Application Platform before 6.4.0 and WildFly (formerly JBoss Application Server) uses weak permissions for .jboss-cli-history, which allows local users to obtain sensitive information via unspecified vectors. La configuración por defecto para la interfaz de la línea de comandos en Red Hat Enterprise Application Platform anterior a 6.4.0 y WildFly (anteriormente JBoss Application Server) utiliza permisos débiles para .jboss-cli-h... • http://rhn.redhat.com/errata/RHSA-2015-0846.html • CWE-264: Permissions, Privileges, and Access Controls CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 9.1EPSS: 0%CPEs: 2EXPL: 0CVE-2014-0005 – PicketBox/JBossSX: Unauthorized access to and modification of application server configuration and state by application
https://notcve.org/view.php?id=CVE-2014-0005
17 Feb 2015 — PicketBox and JBossSX, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 6.2.2 and JBoss BRMS before 6.0.3 roll up patch 2, allows remote authenticated users to read and modify the application sever configuration and state by deploying a crafted application. PicketBox y JBossSX, utilizado en Red Hat JBoss Enterprise Application Platform (JBEAP) 6.2.2 y JBoss BRMS anterior a 6.0.3 roll up patch 2, permite a usuarios remotos autenticados leer y modificar la configuración y estado del servidor d... • http://rhn.redhat.com/errata/RHSA-2014-0343.html • CWE-264: Permissions, Privileges, and Access Controls CWE-862: Missing Authorization •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2014-7853 – Subsystem: Information disclosure via incorrect sensitivity classification of attribute
https://notcve.org/view.php?id=CVE-2014-7853
12 Feb 2015 — The JBoss Application Server (WildFly) JacORB subsystem in Red Hat JBoss Enterprise Application Platform (EAP) before 6.3.3 does not properly assign socket-binding-ref sensitivity classification to the security-domain attribute, which allows remote authenticated users to obtain sensitive information by leveraging access to the security-domain attribute. El subsistema JBoss Application Server (WildFly) JacORB en Red Hat JBoss Enterprise Application Platform (EAP) anterior a 6.3.3 no asigna correctamente la c... • http://rhn.redhat.com/errata/RHSA-2015-0215.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 0%CPEs: 8EXPL: 0CVE-2014-7849 – Management: Limited RBAC authorization bypass
https://notcve.org/view.php?id=CVE-2014-7849
12 Feb 2015 — The Role Based Access Control (RBAC) implementation in JBoss Enterprise Application Platform (EAP) 6.2.0 through 6.3.2 does not properly verify authorization conditions, which allows remote authenticated users to add, modify, and undefine otherwise restricted attributes by leveraging the Maintainer role. La implementación Role Based Access Control (RBAC) en JBoss Enterprise Application Platform (EAP) 6.2.0 hasta 6.3.2 no verifica correctamente las condiciones de la autorización, lo que permite a usuarios re... • http://rhn.redhat.com/errata/RHSA-2015-0215.html • CWE-264: Permissions, Privileges, and Access Controls CWE-863: Incorrect Authorization •
CVSS: 3.5EPSS: 0%CPEs: 1EXPL: 0CVE-2014-7827 – Security: Wrong security context loaded when using SAML2 STS Login Module
https://notcve.org/view.php?id=CVE-2014-7827
12 Feb 2015 — The org.jboss.security.plugins.mapping.JBossMappingManager implementation in JBoss Security in Red Hat JBoss Enterprise Application Platform (EAP) before 6.3.3 uses the default security domain when a security domain is undefined, which allows remote authenticated users to bypass intended access restrictions by leveraging credentials on the default domain for a role that is also on the application domain. La implementación org.jboss.security.plugins.mapping.JBossMappingManager en JBoss Security en Red Hat JB... • http://rhn.redhat.com/errata/RHSA-2015-0215.html • CWE-264: Permissions, Privileges, and Access Controls CWE-863: Incorrect Authorization •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2014-3464 – WS: Incomplete fix for CVE-2013-2133
https://notcve.org/view.php?id=CVE-2014-3464
19 Aug 2014 — The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) 6.2.0 and 6.3.0, does not properly enforce the method level restrictions for outbound messages, which allows remote authenticated users to access otherwise restricted JAX-WS handlers by leveraging permissions to the EJB class. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-2133. La implementación del manejador de la invocación EJB en Red Hat JBossWS, utilizada en JB... • http://rhn.redhat.com/errata/RHSA-2014-1019.html • CWE-264: Permissions, Privileges, and Access Controls •