VYPR

JBoss WildFly Application Server

by Red Hat

CVEs (12)

  • CVE-2016-0793 | High | Apr 1, 2016
    risk 0.53 | cvss 7.5 | epss 0.16

    Incomplete blacklist vulnerability in the servlet filter restriction mechanism in WildFly (formerly JBoss Application Server) before 10.0.0.Final on Windows allows remote attackers to read the sensitive files in the (1) WEB-INF or (2) META-INF directory via a request that…

  • CVE-2015-3198 | High | Jul 21, 2017
    risk 0.49 | cvss 7.5 | epss 0.02

    The Undertow module of WildFly 9.x before 9.0.0.CR2 and 10.x before 10.0.0.Alpha1 allows remote attackers to obtain the source code of a JSP page via a "/" at the end of a URL.

  • CVE-2013-3734 | Medium | Oct 24, 2017
    risk 0.43 | cvss 6.6 | epss 0.02

    The Embedded Jopr component in JBoss Application Server includes the cleartext datasource password in unspecified HTML responses, which might allow (1) man-in-the-middle attackers to obtain sensitive information by leveraging failure to use SSL or (2) attackers to obtain…

  • CVE-2016-4993 | Medium | Sep 26, 2016
    risk 0.33 | cvss 6.1 | epss 0.03

    CRLF injection vulnerability in the Undertow web server in WildFly 10.0.0, as used in Red Hat JBoss Enterprise Application Platform (EAP) 7.x before 7.0.2, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified…

  • CVE-2011-3609 | Nov 26, 2019
    risk 0.00 | cvss n/a | epss 0.01

    A CSRF issue was found in JBoss Application Server 7 before 7.1.0. JBoss did not properly restrict access to the management console information (for example via the "Access-Control-Allow-Origin" HTTP access control flag). This can lead to unauthorized information leak if a user…

  • CVE-2011-3606 | Nov 26, 2019
    risk 0.00 | cvss n/a | epss 0.01

    A DOM based cross-site scripting flaw was found in the JBoss Application Server 7 before 7.1.0 Beta 1 administration console. A remote attacker could provide a specially-crafted web page and trick the valid JBoss AS user, with the administrator privilege, to visit it, which…

  • CVE-2015-5220 | Oct 27, 2015
    risk 0.00 | cvss n/a | epss 0.03

    The Web Console in Red Hat Enterprise Application Platform (EAP) before 6.4.4 and WildFly (formerly JBoss Application Server) allows remote attackers to cause a denial of service (memory consumption) via a large request header.

  • CVE-2015-5188 | Oct 27, 2015
    risk 0.00 | cvss n/a | epss 0.01

    Cross-site request forgery (CSRF) vulnerability in the Web Console (web-console) in Red Hat Enterprise Application Platform before 6.4.4 and WildFly (formerly JBoss Application Server) before 2.0.0.CR9 allows remote attackers to hijack the authentication of administrators for…

  • CVE-2015-5178 | Oct 27, 2015
    risk 0.00 | cvss n/a | epss 0.02

    The Management Console in Red Hat Enterprise Application Platform before 6.4.4 and WildFly (formerly JBoss Application Server) does not send an X-Frame-Options HTTP header, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web page that…

  • CVE-2014-0018 | Feb 14, 2014
    risk 0.00 | cvss n/a | epss 0.00

    Red Hat JBoss Enterprise Application Platform (JBEAP) 6.2.0 and JBoss WildFly Application Server, when run under a security manager, do not properly restrict access to the Modular Service Container (MSC) service registry, which allows local users to modify the server via a…

  • CVE-2012-4529 | Oct 28, 2013
    risk 0.00 | cvss n/a | epss 0.02

    The org.apache.catalina.connector.Response.encodeURL method in Red Hat JBoss Web 7.1.x and earlier, when the tracking mode is set to COOKIE, sends the jsessionid in the URL of the first response of a session, which allows remote attackers to obtain the session id (1) via a…

  • CVE-2009-5066 | Aug 13, 2012
    risk 0.00 | cvss n/a | epss 0.00

    twiddle.sh in JBoss AS 5.0 and EAP 5.0 and earlier accepts credentials as command-line arguments, which allows local users to read the credentials by listing the process and its arguments.