National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • CPE Product Version: cpe:/a:redhat:jboss_enterprise_application_platform:5.0.0
There are 32 matching records.
Displaying matches 1 through 20.
Vuln ID Summary CVSS Severity
CVE-2016-7066

It was found that the improper default permissions on /tmp/auth directory in JBoss Enterprise Application Platform before 7.1.0 can allow any local user to connect to CLI and allow the user to execute any arbitrary operations.

Published: September 11, 2018; 10:29:00 AM -04:00
V3: 7.8 HIGH
V2: 4.6 MEDIUM
CVE-2016-7061

An information disclosure vulnerability was found in JBoss Enterprise Application Platform before 7.0.4. It was discovered that when configuring RBAC and marking information as sensitive, users with a Monitor role are able to view the sensitive information.

Published: September 10, 2018; 12:29:00 PM -04:00
V3: 6.5 MEDIUM
V2: 4.0 MEDIUM
CVE-2016-8657

It was discovered that EAP packages in certain versions of Red Hat Enterprise Linux use incorrect permissions for /etc/sysconfig/jbossas configuration files. The file is writable to jboss group (root:jboss, 664). On systems using classic /etc/init.d init scripts (i.e. on Red Hat Enterprise Linux 6 and earlier), the file is sourced by the jboss init script and its content executed with root privileges when jboss service is started, stopped, or restarted.

Published: July 31, 2018; 03:29:00 PM -04:00
V3: 7.8 HIGH
V2: 7.2 HIGH
CVE-2017-12167

It was found in EAP 7 before 7.0.9 that properties based files of the management and the application realm configuration that contain user to role mapping are world readable allowing access to users and roles information to all the users logged in to the system.

Published: July 26, 2018; 01:29:00 PM -04:00
V3: 5.5 MEDIUM
V2: 2.1 LOW
CVE-2016-8656

Jboss jbossas before versions 5.2.0-23, 6.4.13, 7.0.5 is vulnerable to an unsafe file handling in the jboss init script which could result in local privilege escalation.

Published: May 22, 2018; 01:29:00 PM -04:00
V3: 7.8 HIGH
V2: 4.6 MEDIUM
CVE-2016-9585

Red Hat JBoss EAP version 5 is vulnerable to a deserialization of untrusted data in the JMX endpoint when deserializes the credentials passed to it. An attacker could exploit this vulnerability resulting in a denial of service attack.

Published: March 09, 2018; 10:29:00 AM -05:00
V3: 5.3 MEDIUM
V2: 2.6 LOW
CVE-2015-7501

Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.

Published: November 09, 2017; 12:29:00 PM -05:00
V3: 9.8 CRITICAL
V2: 10.0 HIGH
CVE-2017-12149

In Jboss Application Server as shipped with Red Hat Enterprise Application Platform 5.2, it was found that the doFilter method in the ReadOnlyAccessFilter of the HTTP Invoker does not restrict classes for which it performs deserialization and thus allowing an attacker to execute arbitrary code via crafted serialized data.

Published: October 04, 2017; 05:01:00 PM -04:00
V3: 9.8 CRITICAL
V2: 7.5 HIGH
CVE-2015-1849

AdvancedLdapLodinMogule in Red Hat JBoss Enterprise Application Platform (EAP) before 6.4.1 allows attackers to obtain sensitive information via vectors involving logging the LDAP bind credential password when TRACE logging is enabled.

Published: September 19, 2017; 01:29:00 PM -04:00
V3: 5.9 MEDIUM
V2: 4.3 MEDIUM
CVE-2016-3690

The PooledInvokerServlet in JBoss EAP 4.x and 5.x allows remote attackers to execute arbitrary code via a crafted serialized payload.

Published: June 08, 2017; 02:29:00 PM -04:00
V3: 9.8 CRITICAL
V2: 7.5 HIGH
CVE-2016-7065

The JMX servlet in Red Hat JBoss Enterprise Application Platform (EAP) 4 and 5 allows remote authenticated users to cause a denial of service and possibly execute arbitrary code via a crafted serialized Java object.

Published: October 13, 2016; 10:59:11 AM -04:00
V3: 8.8 HIGH
V2: 6.5 MEDIUM
CVE-2016-5406

The domain controller in Red Hat JBoss Enterprise Application Platform (EAP) 7.x before 7.0.2 allows remote authenticated users to gain privileges by leveraging failure to propagate administrative RBAC configuration to all slaves.

Published: September 26, 2016; 10:59:05 AM -04:00
V3: 8.8 HIGH
V2: 6.5 MEDIUM
CVE-2016-4993

CRLF injection vulnerability in the Undertow web server in WildFly 10.0.0, as used in Red Hat JBoss Enterprise Application Platform (EAP) 7.x before 7.0.2, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Published: September 26, 2016; 10:59:03 AM -04:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2015-5304

Red Hat JBoss Enterprise Application Platform (EAP) before 6.4.5 does not properly authorize access to shut down the server, which allows remote authenticated users with the Monitor, Deployer, or Auditor role to cause a denial of service via unspecified vectors.

Published: December 16, 2015; 04:59:00 PM -05:00
V2: 3.5 LOW
CVE-2015-5220

The Web Console in Red Hat Enterprise Application Platform (EAP) before 6.4.4 and WildFly (formerly JBoss Application Server) allows remote attackers to cause a denial of service (memory consumption) via a large request header.

Published: October 27, 2015; 12:59:05 PM -04:00
V2: 5.0 MEDIUM
CVE-2015-5188

Cross-site request forgery (CSRF) vulnerability in the Web Console (web-console) in Red Hat Enterprise Application Platform before 6.4.4 and WildFly (formerly JBoss Application Server) before 2.0.0.CR9 allows remote attackers to hijack the authentication of administrators for requests that make arbitrary changes to an instance via vectors involving a file upload using a multipart/form-data submission.

Published: October 27, 2015; 12:59:03 PM -04:00
V2: 6.8 MEDIUM
CVE-2015-5178

The Management Console in Red Hat Enterprise Application Platform before 6.4.4 and WildFly (formerly JBoss Application Server) does not send an X-Frame-Options HTTP header, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web page that contains a (1) FRAME or (2) IFRAME element.

Published: October 27, 2015; 12:59:01 PM -04:00
V2: 4.3 MEDIUM
CVE-2014-3586

The default configuration for the Command Line Interface in Red Hat Enterprise Application Platform before 6.4.0 and WildFly (formerly JBoss Application Server) uses weak permissions for .jboss-cli-history, which allows local users to obtain sensitive information via unspecified vectors.

Published: April 21, 2015; 01:59:00 PM -04:00
V2: 2.1 LOW
CVE-2014-7853

The JBoss Application Server (WildFly) JacORB subsystem in Red Hat JBoss Enterprise Application Platform (EAP) before 6.3.3 does not properly assign socket-binding-ref sensitivity classification to the security-domain attribute, which allows remote authenticated users to obtain sensitive information by leveraging access to the security-domain attribute.

Published: February 13, 2015; 10:59:06 AM -05:00
V2: 4.0 MEDIUM
CVE-2014-7827

The org.jboss.security.plugins.mapping.JBossMappingManager implementation in JBoss Security in Red Hat JBoss Enterprise Application Platform (EAP) before 6.3.3 uses the default security domain when a security domain is undefined, which allows remote authenticated users to bypass intended access restrictions by leveraging credentials on the default domain for a role that is also on the application domain.

Published: February 13, 2015; 10:59:04 AM -05:00
V2: 3.5 LOW