CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2022-1278 – WildFly: possible information disclosure
https://notcve.org/view.php?id=CVE-2022-1278
13 Sep 2022 — A flaw was found in WildFly, where an attacker can see deployment names, endpoints, and any other data the trace payload may contain. Se ha encontrado un fallo en WildFly, en el que un atacante puede visualizar los nombres de los despliegues, los endpoints y cualquier otro dato que pueda contener la carga útil de rastreo A flaw was found in WildFly. This flaw allows an attacker to see deployment names, endpoints, and any other data the trace payload may contain. AMQ Broker is a high-performance messaging im... • https://bugzilla.redhat.com/show_bug.cgi?id=2073401 • CWE-1188: Initialization of a Resource with an Insecure Default •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2021-3503
https://notcve.org/view.php?id=CVE-2021-3503
18 Apr 2022 — A flaw was found in Wildfly where insufficient RBAC restrictions may lead to expose metrics data. The highest threat from this vulnerability is to the confidentiality. Se ha encontrado un fallo en Wildfly en el que unas restricciones RBAC insuficientes pueden conllevar a una exposición de datos de métricas. La mayor amenaza de esta vulnerabilidad es la confidencialidad. • https://access.redhat.com/security/cve/CVE-2021-3503 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 3.3EPSS: 0%CPEs: 3EXPL: 0CVE-2021-3644 – wildfly-core: Invalid Sensitivity Classification of Vault Expression
https://notcve.org/view.php?id=CVE-2021-3644
08 Sep 2021 — A flaw was found in wildfly-core in all versions. If a vault expression is in the form of a single attribute that contains multiple expressions, a user who was granted access to the management interface can potentially access a vault expression they should not be able to access and possibly retrieve the item which was stored in the vault. The highest threat from this vulnerability is data confidentiality and integrity. Se ha encontrado un fallo en wildfly-core en todas las versiones. Si una expresión de bóv... • https://access.redhat.com/security/cve/CVE-2021-3644 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.8EPSS: 0%CPEs: 9EXPL: 0CVE-2021-3536 – wildfly: XSS via admin console when creating roles in domain mode
https://notcve.org/view.php?id=CVE-2021-3536
20 May 2021 — A flaw was found in Wildfly in versions before 23.0.2.Final while creating a new role in domain mode via the admin console, it is possible to add a payload in the name field, leading to XSS. This affects Confidentiality and Integrity. Se encontró un fallo en Wildfly en versiones anteriores a 23.0.2.Final, mientras se crea un nuevo rol en el modo de dominio por medio de la consola de administración, es posible agregar una carga útil en el campo name, conllevando a una vulnerabilidad de tipo XSS. Esto af... • https://bugzilla.redhat.com/show_bug.cgi?id=1948001 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2020-25640 – wildfly: resource adapter logs plaintext JMS password at warning level on connection error
https://notcve.org/view.php?id=CVE-2020-25640
24 Nov 2020 — A flaw was discovered in WildFly before 21.0.0.Final where, Resource adapter logs plain text JMS password at warning level on connection error, inserting sensitive information in the log file. Se detectó un fallo en WildFly versiones anteriores a 21.0.0.Final donde, el adaptador de Recursos registra una contraseña JMS de texto plano en el nivel de advertencia en caso de error de conexión, insertando información confidencial en el archivo de registro A flaw was found in wildfly. JMS passwords are logged by t... • https://bugzilla.redhat.com/show_bug.cgi?id=1881637 • CWE-209: Generation of Error Message Containing Sensitive Information CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 6.8EPSS: 0%CPEs: 12EXPL: 1CVE-2020-25689 – wildfly-core: memory leak in WildFly host-controller in domain mode while not able to reconnect to domain-controller
https://notcve.org/view.php?id=CVE-2020-25689
30 Oct 2020 — A memory leak flaw was found in WildFly in all versions up to 21.0.0.Final, where host-controller tries to reconnect in a loop, generating new connections which are not properly closed while not able to connect to domain-controller. This flaw allows an attacker to cause an Out of memory (OOM) issue, leading to a denial of service. The highest threat from this vulnerability is to system availability. Se encontró una fallo de filtrado de memoria en WildFly en todas las versiones hasta 21.0.0.Final, donde el c... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25689 • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2020-10718 – wildfly: exposed setting of TCCL via the EmbeddedManagedProcess API
https://notcve.org/view.php?id=CVE-2020-10718
17 Aug 2020 — A flaw was found in Wildfly before wildfly-embedded-13.0.0.Final, where the embedded managed process API has an exposed setting of the Thread Context Classloader (TCCL). This setting is exposed as a public method, which can bypass the security manager. The highest threat from this vulnerability is to confidentiality. Se encontró un fallo en Wildfly versiones anteriores a wildfly-embedded-13.0.0.Final, donde la API del proceso administrado incorporado presenta una configuración expuesta del Thread Context Cl... • https://bugzilla.redhat.com/show_bug.cgi?id=1828476 • CWE-749: Exposed Dangerous Method or Function •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-10740 – wildfly: unsafe deserialization in Wildfly Enterprise Java Beans
https://notcve.org/view.php?id=CVE-2020-10740
22 Jun 2020 — A vulnerability was found in Wildfly in versions before 20.0.0.Final, where a remote deserialization attack is possible in the Enterprise Application Beans(EJB) due to lack of validation/filtering capabilities in wildfly. Se encontró una vulnerabilidad en Wildfly en versiones anteriores a 20.0.0.Final, donde es posible un ataque de deserialización remota en Enterprise Application Beans (EJB) debido a una falta de capacidades de validación y filtrado en wildfly A flaw was found in Wildfly. A remote deseriali... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10740 • CWE-502: Deserialization of Untrusted Data •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-1719 – Wildfly: EJBContext principal is not popped back after invoking another EJB using a different Security Domain
https://notcve.org/view.php?id=CVE-2020-1719
11 May 2020 — A flaw was found in wildfly. The EJBContext principle is not popped back after invoking another EJB using a different Security Domain. The highest threat from this vulnerability is to data confidentiality and integrity. Versions before wildfly 20.0.0.Final are affected. Se ha encontrado un fallo en wildfly. • https://bugzilla.redhat.com/show_bug.cgi?id=1796617 • CWE-270: Privilege Context Switching Error •
CVSS: 8.8EPSS: 1%CPEs: 2EXPL: 0CVE-2019-3894 – wildfly: wrong SecurityIdentity for EE concurrency threads that are reused
https://notcve.org/view.php?id=CVE-2019-3894
03 May 2019 — It was discovered that the ElytronManagedThread in Wildfly's Elytron subsystem in versions from 11 to 16 stores a SecurityIdentity to run the thread as. These threads do not necessarily terminate if the keep alive time has not expired. This could allow a shared thread to use the wrong security identity when executing. Se descubrió que ElytronManagedThread del subsistemas Wildfly's Elytron en versiones desde 11 hasta la 16 almacena un SecurityIdentity para ejecutar el hilo. Estos hilos no necesariamente term... • https://access.redhat.com/errata/RHSA-2019:1106 • CWE-358: Improperly Implemented Security Check for Standard •