CVE-2022-1278 – WildFly: possible information disclosure
https://notcve.org/view.php?id=CVE-2022-1278
A flaw was found in WildFly, where an attacker can see deployment names, endpoints, and any other data the trace payload may contain. Se ha encontrado un fallo en WildFly, en el que un atacante puede visualizar los nombres de los despliegues, los endpoints y cualquier otro dato que pueda contener la carga útil de rastreo A flaw was found in WildFly. This flaw allows an attacker to see deployment names, endpoints, and any other data the trace payload may contain. • https://bugzilla.redhat.com/show_bug.cgi?id=2073401 https://access.redhat.com/security/cve/CVE-2022-1278 • CWE-1188: Initialization of a Resource with an Insecure Default •
CVE-2021-3503
https://notcve.org/view.php?id=CVE-2021-3503
A flaw was found in Wildfly where insufficient RBAC restrictions may lead to expose metrics data. The highest threat from this vulnerability is to the confidentiality. Se ha encontrado un fallo en Wildfly en el que unas restricciones RBAC insuficientes pueden conllevar a una exposición de datos de métricas. La mayor amenaza de esta vulnerabilidad es la confidencialidad. • https://access.redhat.com/security/cve/CVE-2021-3503 https://bugzilla.redhat.com/show_bug.cgi?id=1942693 https://github.com/advisories/GHSA-c4r5-xvgw-2942 https://github.com/wildfly/wildfly/pull/14136 https://issues.redhat.com/browse/WFLY-11933 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2021-3536 – wildfly: XSS via admin console when creating roles in domain mode
https://notcve.org/view.php?id=CVE-2021-3536
A flaw was found in Wildfly in versions before 23.0.2.Final while creating a new role in domain mode via the admin console, it is possible to add a payload in the name field, leading to XSS. This affects Confidentiality and Integrity. Se encontró un fallo en Wildfly en versiones anteriores a 23.0.2.Final, mientras se crea un nuevo rol en el modo de dominio por medio de la consola de administración, es posible agregar una carga útil en el campo name, conllevando a una vulnerabilidad de tipo XSS. Esto afecta la Confidencialidad y la Integridad A flaw was found in Wildfly. While creating a new role in the domain mode via the admin console, it is possible to add a payload in the name field, leading to a Cross-site scripting attack (XSS). • https://bugzilla.redhat.com/show_bug.cgi?id=1948001 https://access.redhat.com/security/cve/CVE-2021-3536 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-27822 – wildfly: Potential Memory leak in Wildfly when using OpenTracing
https://notcve.org/view.php?id=CVE-2020-27822
A flaw was found in Wildfly affecting versions 19.0.0.Final, 19.1.0.Final, 20.0.0.Final, 20.0.1.Final, and 21.0.0.Final. When an application uses the OpenTracing API's java-interceptors, there is a possibility of a memory leak. This flaw allows an attacker to impact the availability of the server. The highest threat from this vulnerability is to system availability. Se encontró un fallo en Wildfly afectando a versiones 19.0.0.Final, 19.1.0.Final, 20.0.0.Final, 20.0.1.Final y 21.0.0.Final. • https://bugzilla.redhat.com/show_bug.cgi?id=1904060 https://access.redhat.com/security/cve/CVE-2020-27822 https://issues.redhat.com/browse/WFLY-14094 • CWE-401: Missing Release of Memory after Effective Lifetime •
CVE-2020-25689 – wildfly-core: memory leak in WildFly host-controller in domain mode while not able to reconnect to domain-controller
https://notcve.org/view.php?id=CVE-2020-25689
A memory leak flaw was found in WildFly in all versions up to 21.0.0.Final, where host-controller tries to reconnect in a loop, generating new connections which are not properly closed while not able to connect to domain-controller. This flaw allows an attacker to cause an Out of memory (OOM) issue, leading to a denial of service. The highest threat from this vulnerability is to system availability. Se encontró una fallo de filtrado de memoria en WildFly en todas las versiones hasta 21.0.0.Final, donde el controlador de host intenta reconectarse en un bucle, generando nuevas conexiones que no son cerradas apropiadamente mientras no es capaz de conectar al controlador de dominio. Este fallo permite a un atacante causar un problema de Falta de Memoria (OOM), conllevando a una denegación de servicio. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25689 https://security.netapp.com/advisory/ntap-20201123-0006 https://access.redhat.com/security/cve/CVE-2020-25689 https://bugzilla.redhat.com/show_bug.cgi?id=1893070 • CWE-401: Missing Release of Memory after Effective Lifetime •