VYPR: Vendor CVEs for JBoss

All CVEs (30 total · sorted by risk)
  • CVE-2016-3690 · Critical · Jun 8, 2017
    risk 0.64 · CVSS 9.8 · EPSS 0.05

    The PooledInvokerServlet in JBoss EAP 4.x and 5.x allows remote attackers to execute arbitrary code via a crafted serialized payload.

  • CVE-2016-7066 · High · Sep 11, 2018
    risk 0.51 · CVSS 7.8 · EPSS 0.00

    It was found that the improper default permissions on /tmp/auth directory in JBoss Enterprise Application Platform before 7.1.0 can allow any local user to connect to CLI and allow the user to execute any arbitrary operations.

  • CVE-2016-6325 · High · Oct 13, 2016
    risk 0.51 · CVSS 7.8 · EPSS 0.01

    The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web Server 3.0, and JBoss EWS 2 uses weak permissions for (1) /etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which allows local users to gain privileges by leveraging membership in the tomcat group.

  • CVE-2016-2094 · High · May 6, 2016
    risk 0.49 · CVSS 7.5 · EPSS 0.03

    The HTTPS NIO Connector allows remote attackers to cause a denial of service (thread consumption) by opening a socket and not sending an SSL handshake, aka a read-timeout vulnerability.

  • CVE-2016-8656 · High · May 22, 2018
    risk 0.46 · CVSS 7.0 · EPSS 0.00

    Jboss jbossas before versions 5.2.0-23, 6.4.13, 7.0.5 is vulnerable to an unsafe file handling in the jboss init script which could result in local privilege escalation.

  • CVE-2013-3734 · Medium · Oct 24, 2017
    risk 0.43 · CVSS 6.6 · EPSS 0.02

    The Embedded Jopr component in JBoss Application Server includes the cleartext datasource password in unspecified HTML responses, which might allow (1) man-in-the-middle attackers to obtain sensitive information by leveraging failure to use SSL or (2) attackers to obtain…

  • CVE-2016-8608 · Medium · Aug 1, 2018
    risk 0.35 · CVSS 5.4 · EPSS 0.01

    JBoss BRMS 6 and BPM Suite 6 are vulnerable to a stored XSS via business process editor. The flaw is due to an incomplete fix for CVE-2016-5398. Remote, authenticated attackers that have privileges to create business processes can store scripts in them, which are not properly…

  • CVE-2016-7061 · Low · Sep 10, 2018
    risk 0.23 · CVSS 3.5 · EPSS 0.02

    An information disclosure vulnerability was found in JBoss Enterprise Application Platform before 7.0.4. It was discovered that when configuring RBAC and marking information as sensitive, users with a Monitor role are able to view the sensitive information.

  • CVE-2007-1036 · Feb 21, 2007
    risk 0.10 · CVSS n/a · EPSS 0.82

    The default configuration of JBoss does not restrict access to the (1) console and (2) web management interfaces, which allows remote attackers to bypass authentication and gain administrative access via direct requests.

  • CVE-2008-3273 · Aug 10, 2008
    risk 0.07 · CVSS n/a · EPSS 0.47

    JBoss Enterprise Application Platform (aka JBossEAP or EAP) before 4.2.0.CP03, and 4.3.0 before 4.3.0.CP01, allows remote attackers to obtain sensitive information about "deployed web contexts" via a request to the status servlet, as demonstrated by a full=true query string.

  • CVE-2005-2006 · Jun 17, 2005
    risk 0.04 · CVSS n/a · EPSS 0.09

    JBOSS 3.2.2 through 3.2.7 and 4.0.2 allows remote attackers to obtain sensitive information via a GET request (1) with a "%." (percent dot), which reveals the installation path or (2) with a % (percent) before a filename, which reveals the contents of the file.

  • CVE-2003-0845 · Nov 17, 2003
    risk 0.04 · CVSS n/a · EPSS 0.15

    Unknown vulnerability in the HSQLDB component in JBoss 3.2.1 and 3.0.8 on Java 1.4.x platforms, when running in the default configuration, allows remote attackers to conduct unauthorized activities and possibly execute arbitrary code via certain SQL statements to (1) TCP port…

  • CVE-2006-5750 · Nov 27, 2006
    risk 0.01 · CVSS n/a · EPSS 0.14

    Directory traversal vulnerability in the DeploymentFileRepository class in JBoss Application Server (jbossas) 3.2.4 through 4.0.5 allows remote authenticated users to read or modify arbitrary files, and possibly execute arbitrary code, via unspecified vectors related to the…

  • CVE-2021-20306 · Jun 1, 2021
    risk 0.00 · CVSS n/a · EPSS 0.01

    A flaw was found in the BPMN editor in version jBPM 7.51.0.Final. Any authenticated user from any project can see the name of Ruleflow Groups from other projects, despite the user not having access to those projects. The highest threat from this vulnerability is to…

  • CVE-2020-14338 · Sep 17, 2020
    risk 0.00 · CVSS n/a · EPSS 0.01

    A flaw was found in Wildfly's implementation of Xerces, specifically in the way the XMLSchemaValidator class in the JAXP component of Wildfly enforced the "use-grammar-pool-only" feature. This flaw allows a specially-crafted XML file to manipulate the validation process in…

  • CVE-2012-2312 · Dec 18, 2019
    risk 0.00 · CVSS n/a · EPSS 0.00

    An Elevated Privileges issue exists in JBoss AS 7 Community Release due to the improper implementation of security context propagation: a thread gets reused from the thread pool while still retaining the security context from the process that last used it, which lets a local user…

  • CVE-2014-5401 · Mar 26, 2019
    risk 0.00 · CVSS n/a · EPSS 0.05

    Hospira MedNet software version 5.8 and prior uses vulnerable versions of the JBoss Enterprise Application Platform software that may allow unauthenticated users to execute arbitrary code on the target system. Hospira has developed a new version of the MedNet software, MedNet…

  • CVE-2014-3586 · Apr 21, 2015
    risk 0.00 · CVSS n/a · EPSS 0.00

    The default configuration for the Command Line Interface in Red Hat Enterprise Application Platform before 6.4.0 and WildFly (formerly JBoss Application Server) uses weak permissions for .jboss-cli-history, which allows local users to obtain sensitive information via unspecified…

  • CVE-2015-0279 · Mar 26, 2015
    risk 0.00 · CVSS n/a · EPSS 0.04

    JBoss RichFaces before 4.5.4 allows remote attackers to inject expression language (EL) expressions and execute arbitrary Java code via the do parameter.

  • CVE-2014-7852 · Dec 11, 2014
    risk 0.00 · CVSS n/a · EPSS 0.01

    Cross-site scripting (XSS) vulnerability in JBoss RichFaces, as used in JBoss Portal 6.1.1, allows remote attackers to inject arbitrary web script or HTML via a crafted URL, which is not properly handled in a CSS file.

  • CVE-2014-0170 · Sep 30, 2014
    risk 0.00 · CVSS n/a · EPSS 0.02

    Teiid before 8.4.3 and before 8.7 and Red Hat JBoss Data Virtualization 6.0.0 before patch 3 allows remote attackers to read arbitrary files via a crafted request to a REST endpoint, related to an XML External Entity (XXE) issue.

  • CVE-2014-3472 · Aug 19, 2014
    risk 0.00 · CVSS n/a · EPSS 0.02

    The isCallerInRole function in SimpleSecurityManager in JBoss Application Server (AS) 7, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 6.3.0, does not properly check caller roles, which allows remote authenticated users to bypass access restrictions via…

  • CVE-2013-6448 · Jan 23, 2014
    risk 0.00 · CVSS n/a · EPSS 0.01

    The InterfaceGenerator handler in JBoss Seam Remoting in JBoss Seam 2 framework 2.3.1 and earlier, as used in JBoss Web Framework Kit, allows remote attackers to bypass the WebRemote annotation restriction and obtain information about arbitrary classes and methods on the server…

  • CVE-2012-3428 · Dec 20, 2012
    risk 0.00 · CVSS n/a · EPSS 0.01

    The IronJacamar container before 1.0.12.Final for JBoss Application Server, when allow-multiple-users is enabled in conjunction with a security domain, does not use the credentials supplied in a getConnection function call, which allows remote attackers to obtain access to an…

  • CVE-2009-0027 · Mar 9, 2009
    risk 0.00 · CVSS n/a · EPSS 0.02

    The request handler in JBossWS in JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP06 and 4.3 before 4.3.0.CP04 does not properly validate the resource path during a request for a WSDL file with a custom web-service endpoint, which allows remote…

  • CVE-2007-6433 · Dec 18, 2007
    risk 0.00 · CVSS n/a · EPSS 0.03

    The getRenderedEjbql method in the org.jboss.seam.framework.Query class in JBoss Seam 2.x before 2.0.0.CR3 allows remote attackers to inject and execute arbitrary EJBQL commands via the order parameter.

  • CVE-2007-1354 · Jul 27, 2007
    risk 0.00 · CVSS n/a · EPSS 0.01

    The Access Control functionality (JMXOpsAccessControlFilter) in JMX Console in JBoss Application Server 4.0.2 and 4.0.5 before 20070416 uses a member variable to store the roles of the current user, which allows remote authenticated administrators to trigger a race condition and…

  • CVE-2007-1157 · Mar 2, 2007
    risk 0.00 · CVSS n/a · EPSS 0.01

    Cross-site request forgery (CSRF) vulnerability in jmx-console/HtmlAdaptor in JBoss allows remote attackers to perform privileged actions as administrators via certain MBean operations, a different vulnerability than CVE-2006-3733.

  • CVE-2005-4709 · Dec 31, 2005
    risk 0.00 · CVSS n/a · EPSS 0.02

    The popSubjectContext method in the SecurityAssociation class in JBoss Enterprise Java Beans (EJB) 3.0 RC3 maintains the threadPrincipal and threadCredential values from a previous client's authentication after termination of a client session, which allows remote attackers to…

  • CVE-2005-2158 · Jul 6, 2005
    risk 0.00 · CVSS n/a · EPSS 0.01

    A regression error in the embedded HSQLDB in JBoss jBPM 2.0 allows remote attackers to execute arbitrary commands, a re-introduction of a vulnerability that was originally identified by CVE-2003-0845.