VYPR

Fuse

by Red Hat

CVEs (10)

  • CVE-2015-1427CriKEVFeb 17, 2015
    risk 0.87cvss 9.8epss 1.00

    The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script.

  • CVE-2016-4437CriKEVJun 7, 2016
    risk 0.79cvss 9.8epss 0.93

    Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.

  • CVE-2017-5645CriApr 17, 2017
    risk 0.71cvss 9.8epss 0.89

    In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.

  • CVE-2017-12617HigKEVOct 4, 2017
    risk 0.69cvss 8.1epss 1.00

    When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via…

  • CVE-2026-28369HigMar 27, 2026
    risk 0.50cvss 8.7epss 0.01

    A flaw was found in Undertow. When Undertow receives an HTTP request where the first header line starts with one or more spaces, it incorrectly processes the request by stripping these leading spaces. This behavior, which violates HTTP standards, can be exploited by a remote…

  • CVE-2026-28368HigMar 27, 2026
    risk 0.50cvss 8.7epss 0.01

    A flaw was found in Undertow. This vulnerability allows a remote attacker to construct specially crafted requests where header names are parsed differently by Undertow compared to upstream proxies. This discrepancy in header interpretation can be exploited to launch request…

  • CVE-2026-28367HigMar 27, 2026
    risk 0.50cvss 8.7epss 0.01

    A flaw was found in Undertow. A remote attacker can exploit this vulnerability by sending `\r\r\r` as a header block terminator. This can be used for request smuggling with certain proxy servers, such as older versions of Apache Traffic Server and Google Cloud Classic…

  • CVE-2025-57849MedMar 13, 2026
    risk 0.42cvss 6.4epss 0.00

    A container privilege escalation flaw was found in certain Fuse images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a…

  • CVE-2026-3260MedMar 24, 2026
    risk 0.38cvss 5.9epss 0.00

    A flaw was found in Undertow. A remote attacker could exploit this vulnerability by sending an HTTP GET request containing multipart/form-data content. If the underlying application processes parameters using methods like `getParameterMap()`, the server prematurely parses and…

  • CVE-2016-8653MedAug 1, 2018
    risk 0.35cvss 5.3epss 0.02

    It was found that the JMX endpoint of Red Hat JBoss Fuse 6, and Red Hat A-MQ 6 deserializes the credentials passed to it. An attacker could use this flaw to launch a denial of service attack.