VYPR

Jboss Eap

by Red Hat

Source repositories

CVEs (11)

  • CVE-2017-7465CriJun 27, 2018
    risk 0.59cvss 9.0epss 0.03

    It was found that the JAXP implementation used in JBoss EAP 7.0 for XSLT processing is vulnerable to code injection. An attacker could use this flaw to cause remote code execution if they are able to provide XSLT content for parsing. Doing a transform in JAXP requires the use of…

  • CVE-2019-14843HigJan 7, 2020
    risk 0.57cvss 8.8epss 0.01

    A flaw was found in Wildfly Security Manager, running under JDK 11 or 8, that authorized requests for any requester. This flaw could be used by a malicious app deployed on the app server to access unauthorized information and possibly conduct further attacks. Versions shipped…

  • CVE-2016-5406HigSep 26, 2016
    risk 0.57cvss 8.8epss 0.03

    The domain controller in Red Hat JBoss Enterprise Application Platform (EAP) 7.x before 7.0.2 allows remote authenticated users to gain privileges by leveraging failure to propagate administrative RBAC configuration to all slaves.

  • CVE-2010-0737HigOct 30, 2019
    risk 0.52cvss 8.0epss 0.01

    A missing permission check was found in The CLI in JBoss Operations Network before 2.3.1 does not properly check permissions, which allows JBoss ON users to perform management tasks and configuration changes with the privileges of the administrator user.

  • CVE-2019-19343HigMar 23, 2021
    risk 0.49cvss 7.5epss 0.02

    A flaw was found in Undertow when using Remoting as shipped in Red Hat Jboss EAP before version 7.2.4. A memory leak in HttpOpenListener due to holding remote connections indefinitely may lead to denial of service. Versions before undertow 2.0.25.SP1 and jboss-remoting…

  • CVE-2020-14307MedJul 24, 2020
    risk 0.42cvss 6.5epss 0.01

    A vulnerability was found in Wildfly's Enterprise Java Beans (EJB) versions shipped with Red Hat JBoss EAP 7, where SessionOpenInvocations are never removed from the remote InvocationTracker after a response is received in the EJB Client, as well as the server. This flaw allows…

  • CVE-2014-0169MedJan 2, 2020
    risk 0.42cvss 6.5epss 0.01

    In JBoss EAP 6 a security domain is configured to use a cache that is shared between all applications that are in the security domain. This could allow an authenticated user in one application to access protected resources in another application without proper authorization.…

  • CVE-2025-2251MedApr 7, 2025
    risk 0.40cvss 6.2epss 0.01

    A security flaw exists in WildFly and JBoss Enterprise Application Platform (EAP) within the Enterprise JavaBeans (EJB) remote invocation mechanism. This vulnerability stems from untrusted data deserialization handled by JBoss Marshalling. This flaw allows an attacker to send a…

  • CVE-2016-9585MedMar 9, 2018
    risk 0.35cvss 5.3epss 0.01

    Red Hat JBoss EAP version 5 is vulnerable to a deserialization of untrusted data in the JMX endpoint when deserializes the credentials passed to it. An attacker could exploit this vulnerability resulting in a denial of service attack.

  • CVE-2019-14885MedJan 23, 2020
    risk 0.28cvss 4.3epss 0.01

    A flaw was found in the JBoss EAP Vault system in all versions before 7.2.6.GA. Confidential information of the system property's security attribute value is revealed in the JBoss EAP log file when executing a JBoss CLI 'reload' command. This flaw can lead to the exposure of…

  • CVE-2022-1319HigAug 31, 2022
    risk 0.00cvss 7.5epss 0.01

    A flaw was found in Undertow. For an AJP 400 response, EAP 7 is improperly sending two response packets, and those packets have the reuse flag set even though JBoss EAP closes the connection. A failure occurs when the connection is reused after a 400 by CPING since it reads in…