CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2014-3586 – CLI: Insecure default permissions on history file
https://notcve.org/view.php?id=CVE-2014-3586
17 Apr 2015 — The default configuration for the Command Line Interface in Red Hat Enterprise Application Platform before 6.4.0 and WildFly (formerly JBoss Application Server) uses weak permissions for .jboss-cli-history, which allows local users to obtain sensitive information via unspecified vectors. La configuración por defecto para la interfaz de la línea de comandos en Red Hat Enterprise Application Platform anterior a 6.4.0 y WildFly (anteriormente JBoss Application Server) utiliza permisos débiles para .jboss-cli-h... • http://rhn.redhat.com/errata/RHSA-2015-0846.html • CWE-264: Permissions, Privileges, and Access Controls CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 3.5EPSS: 0%CPEs: 1EXPL: 0CVE-2014-7827 – Security: Wrong security context loaded when using SAML2 STS Login Module
https://notcve.org/view.php?id=CVE-2014-7827
12 Feb 2015 — The org.jboss.security.plugins.mapping.JBossMappingManager implementation in JBoss Security in Red Hat JBoss Enterprise Application Platform (EAP) before 6.3.3 uses the default security domain when a security domain is undefined, which allows remote authenticated users to bypass intended access restrictions by leveraging credentials on the default domain for a role that is also on the application domain. La implementación org.jboss.security.plugins.mapping.JBossMappingManager en JBoss Security en Red Hat JB... • http://rhn.redhat.com/errata/RHSA-2015-0215.html • CWE-264: Permissions, Privileges, and Access Controls CWE-863: Incorrect Authorization •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2014-7853 – Subsystem: Information disclosure via incorrect sensitivity classification of attribute
https://notcve.org/view.php?id=CVE-2014-7853
12 Feb 2015 — The JBoss Application Server (WildFly) JacORB subsystem in Red Hat JBoss Enterprise Application Platform (EAP) before 6.3.3 does not properly assign socket-binding-ref sensitivity classification to the security-domain attribute, which allows remote authenticated users to obtain sensitive information by leveraging access to the security-domain attribute. El subsistema JBoss Application Server (WildFly) JacORB en Red Hat JBoss Enterprise Application Platform (EAP) anterior a 6.3.3 no asigna correctamente la c... • http://rhn.redhat.com/errata/RHSA-2015-0215.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 50%CPEs: 8EXPL: 0CVE-2014-0118 – httpd: mod_deflate denial of service
https://notcve.org/view.php?id=CVE-2014-0118
20 Jul 2014 — The deflate_in_filter function in mod_deflate.c in the mod_deflate module in the Apache HTTP Server before 2.4.10, when request body decompression is enabled, allows remote attackers to cause a denial of service (resource consumption) via crafted request data that decompresses to a much larger size. La función deflate_in_filter en mod_deflate.c en el módulo mod_deflate en Apache HTTP Server anterior a 2.4.10, cuando la descompresión del cuerpo de una solicitud está habilitada, permite a atacantes remotos ca... • http://advisories.mageia.org/MGASA-2014-0304.html • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.5EPSS: 88%CPEs: 18EXPL: 5CVE-2014-0226 – Apache httpd mod_status Heap Buffer Overflow Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2014-0226
16 Jul 2014 — Race condition in the mod_status module in the Apache HTTP Server before 2.4.10 allows remote attackers to cause a denial of service (heap-based buffer overflow), or possibly obtain sensitive credential information or execute arbitrary code, via a crafted request that triggers improper scoreboard handling within the status_handler function in modules/generators/mod_status.c and the lua_ap_scoreboard_worker function in modules/lua/lua_request.c. Condición de carrera en el módulo mod_status en Apache HTTP Ser... • https://packetstorm.news/files/id/127546 • CWE-122: Heap-based Buffer Overflow CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 7.5EPSS: 2%CPEs: 2EXPL: 0CVE-2014-3530 – PicketLink: XXE via insecure DocumentBuilderFactory usage
https://notcve.org/view.php?id=CVE-2014-3530
15 Jul 2014 — The org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory method in PicketLink, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 5.2.0 and 6.2.4, expands entity references, which allows remote attackers to read arbitrary code and possibly have other unspecified impact via unspecified vectors, related to an XML External Entity (XXE) issue. El método org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory en PicketLink, utilizado en Red Hat JBoss Enterprise Application Pl... • http://rhn.redhat.com/errata/RHSA-2014-0883.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 7.5EPSS: 1%CPEs: 7EXPL: 0CVE-2014-3481 – JAX-RS: Information disclosure via XML eXternal Entity (XXE)
https://notcve.org/view.php?id=CVE-2014-3481
26 Jun 2014 — org.jboss.as.jaxrs.deployment.JaxrsIntegrationProcessor in Red Hat JBoss Enterprise Application Platform (JEAP) before 6.2.4 enables entity expansion, which allows remote attackers to read arbitrary files via unspecified vectors, related to an XML External Entity (XXE) issue. org.jboss.as.jaxrs.deployment.JaxrsIntegrationProcessor en Red Hat JBoss Enterprise Application Platform (JEAP) anterior a 6.2.4 habilita la expansión de entidad, lo que permite a atacantes remotos leer ficheros arbitrarios a través de... • http://rhn.redhat.com/errata/RHSA-2014-0797.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 4.3EPSS: 1%CPEs: 23EXPL: 0CVE-2014-0034 – CXF: The SecurityTokenService accepts certain invalid SAML Tokens as valid
https://notcve.org/view.php?id=CVE-2014-0034
26 Jun 2014 — The SecurityTokenService (STS) in Apache CXF before 2.6.12 and 2.7.x before 2.7.9 does not properly validate SAML tokens when caching is enabled, which allows remote attackers to gain access via an invalid SAML token. SecurityTokenService (STS) en Apache CXF anterior a 2.6.12 y 2.7.x anterior a 2.7.9 no valida debidamente los tokens SAML cuando el cacheo está habilitado, lo que permite a atacantes remotos ganar acceso a través de un token SAML inválido. It was found that the SecurityTokenService (STS), prov... • http://cxf.apache.org/security-advisories.data/CVE-2014-0034.txt.asc • CWE-20: Improper Input Validation CWE-345: Insufficient Verification of Data Authenticity •
CVSS: 4.3EPSS: 1%CPEs: 25EXPL: 0CVE-2014-0035 – CXF: UsernameTokens are sent in plaintext with a Symmetric EncryptBeforeSigning policy
https://notcve.org/view.php?id=CVE-2014-0035
26 Jun 2014 — The SymmetricBinding in Apache CXF before 2.6.13 and 2.7.x before 2.7.10, when EncryptBeforeSigning is enabled and the UsernameToken policy is set to an EncryptedSupportingToken, transmits the UsernameToken in cleartext, which allows remote attackers to obtain sensitive information by sniffing the network. SymmetricBinding en Apache CXF anterior a 2.6.13 y 2.7.x anterior a 2.7.10, cuando EncryptBeforeSigning está habilitado y la política UsernameToken está configurada en un EncryptedSupportingToken, transmi... • http://cxf.apache.org/security-advisories.data/CVE-2014-0035.txt.asc • CWE-310: Cryptographic Issues CWE-522: Insufficiently Protected Credentials •
CVSS: 7.4EPSS: 89%CPEs: 28EXPL: 7CVE-2014-0224 – openssl: SSL/TLS MITM vulnerability
https://notcve.org/view.php?id=CVE-2014-0224
05 Jun 2014 — OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability. OpenSSL anterior a 0.9.8za, 1.0.0 anterior a 1.0.0m y 1.0.1 anterior a 1.0.1h no restringe debidamente el proce... • https://packetstorm.news/files/id/180961 • CWE-326: Inadequate Encryption Strength CWE-841: Improper Enforcement of Behavioral Workflow •