Search Results (Refine Search)
- Results Type: Overview
- Keyword (text search): cpe:2.3:a:redhat:jboss_a-mq:6.0.0:*:*:*:*:*:*:*
- CPE Name Search: true
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2021-4104 |
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions. Published: December 14, 2021; 7:15:12 AM -0500 |
V3.1: 7.5 HIGH V2.0: 6.0 MEDIUM |
CVE-2016-8653 |
It was found that the JMX endpoint of Red Hat JBoss Fuse 6, and Red Hat A-MQ 6 deserializes the credentials passed to it. An attacker could use this flaw to launch a denial of service attack. Published: August 01, 2018; 10:29:00 AM -0400 |
V3.0: 5.3 MEDIUM V2.0: 5.0 MEDIUM |
CVE-2016-8648 |
It was found that the Karaf container used by Red Hat JBoss Fuse 6.x, and Red Hat JBoss A-MQ 6.x, deserializes objects passed to MBeans via JMX operations. An attacker could use this flaw to execute remote code on the server as the user running the Java Virtual Machine if the target MBean contain deserialization gadgets in its classpath. Published: August 01, 2018; 10:29:00 AM -0400 |
V3.0: 7.2 HIGH V2.0: 6.5 MEDIUM |
CVE-2015-7501 |
Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library. Published: November 09, 2017; 12:29:00 PM -0500 |
V3.0: 9.8 CRITICAL V2.0: 10.0 HIGH |
CVE-2014-0085 |
JBoss Fuse did not enable encrypted passwords by default in its usage of Apache Zookeeper. This permitted sensitive information disclosure via logging to local users. Note: this description has been updated; previous text mistakenly identified the source of the flaw as Zookeeper. Previous text: Apache Zookeeper logs cleartext admin passwords, which allows local users to obtain sensitive information by reading the log. Published: April 17, 2014; 10:55:06 AM -0400 |
V3.x:(not available) V2.0: 2.1 LOW |
CVE-2013-4372 |
Multiple cross-site scripting (XSS) vulnerabilities in Fuse Management Console in Red Hat JBoss Fuse 6.0.0 before patch 3 and JBoss A-MQ 6.0.0 before patch 3 allow remote attackers to inject arbitrary web script or HTML via the (1) user field in the create user page or (2) profile version to the create profile page. Published: September 30, 2013; 5:55:07 PM -0400 |
V3.x:(not available) V2.0: 4.3 MEDIUM |