All the vulnerabilites related to redhat - wildfly
cve-2020-27822
Vulnerability from cvelistv5
Published
2020-12-08 00:07
Modified
2024-08-04 16:25
Severity ?
EPSS score ?
Summary
A flaw was found in Wildfly affecting versions 19.0.0.Final, 19.1.0.Final, 20.0.0.Final, 20.0.1.Final, and 21.0.0.Final. When an application uses the OpenTracing API's java-interceptors, there is a possibility of a memory leak. This flaw allows an attacker to impact the availability of the server. The highest threat from this vulnerability is to system availability.
References
| ▼ | URL | Tags |
|---|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=1904060 | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:25:43.594Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1904060"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "wildfly",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "19.0.0.Final, 19.1.0.Final, 20.0.0.Final, 20.0.1.Final, 21.0.0.Final"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Wildfly affecting versions 19.0.0.Final, 19.1.0.Final, 20.0.0.Final, 20.0.1.Final, and 21.0.0.Final. When an application uses the OpenTracing API\u0027s java-interceptors, there is a possibility of a memory leak. This flaw allows an attacker to impact the availability of the server. The highest threat from this vulnerability is to system availability."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-08T00:07:18",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1904060"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2020-27822",
"datePublished": "2020-12-08T00:07:18",
"dateReserved": "2020-10-27T00:00:00",
"dateUpdated": "2024-08-04T16:25:43.594Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-14317
Vulnerability from cvelistv5
Published
2021-06-02 11:27
Modified
2024-08-04 12:39
Severity ?
EPSS score ?
Summary
It was found that the issue for security flaw CVE-2019-3805 appeared again in a further version of JBoss Enterprise Application Platform - Continuous Delivery (EAP-CD) introducing regression. An attacker could exploit this by modifying the PID file in /var/run/jboss-eap/ allowing the init.d script to terminate any process as root.
References
| ▼ | URL | Tags |
|---|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=1854251 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:39:36.235Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1854251"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Wildfly",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "will not be fixed"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "It was found that the issue for security flaw CVE-2019-3805 appeared again in a further version of JBoss Enterprise Application Platform - Continuous Delivery (EAP-CD) introducing regression. An attacker could exploit this by modifying the PID file in /var/run/jboss-eap/ allowing the init.d script to terminate any process as root."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-364",
"description": "CWE-364",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-02T11:27:39",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1854251"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2020-14317",
"datePublished": "2021-06-02T11:27:39",
"dateReserved": "2020-06-17T00:00:00",
"dateUpdated": "2024-08-04T12:39:36.235Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-14627
Vulnerability from cvelistv5
Published
2018-09-04 12:00
Modified
2024-08-05 09:29
Severity ?
EPSS score ?
Summary
The IIOP OpenJDK Subsystem in WildFly before version 14.0.0 does not honour configuration when SSL transport is required. Servers before this version that are configured with the following setting allow clients to create plaintext connections: <transport-config confidentiality="required" trust-in-target="supported"/>
References
| ▼ | URL | Tags |
|---|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14627 | x_refsource_CONFIRM | |
| https://access.redhat.com/errata/RHSA-2018:3528 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2018:3527 | vendor-advisory, x_refsource_REDHAT | |
| https://issues.jboss.org/browse/WFLY-9107 | x_refsource_CONFIRM | |
| https://security.netapp.com/advisory/ntap-20181221-0002/ | x_refsource_CONFIRM | |
| https://access.redhat.com/errata/RHSA-2018:3595 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2018:3529 | vendor-advisory, x_refsource_REDHAT |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | [UNKNOWN] | JBoss/WildFly |
Version: 14.0.0 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T09:29:51.696Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14627"
},
{
"name": "RHSA-2018:3528",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3528"
},
{
"name": "RHSA-2018:3527",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3527"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://issues.jboss.org/browse/WFLY-9107"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20181221-0002/"
},
{
"name": "RHSA-2018:3595",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3595"
},
{
"name": "RHSA-2018:3529",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3529"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "JBoss/WildFly",
"vendor": "[UNKNOWN]",
"versions": [
{
"status": "affected",
"version": "14.0.0"
}
]
}
],
"datePublic": "2017-07-19T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The IIOP OpenJDK Subsystem in WildFly before version 14.0.0 does not honour configuration when SSL transport is required. Servers before this version that are configured with the following setting allow clients to create plaintext connections: \u003ctransport-config confidentiality=\"required\" trust-in-target=\"supported\"/\u003e"
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-319",
"description": "CWE-319",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-12-22T10:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14627"
},
{
"name": "RHSA-2018:3528",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3528"
},
{
"name": "RHSA-2018:3527",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3527"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://issues.jboss.org/browse/WFLY-9107"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20181221-0002/"
},
{
"name": "RHSA-2018:3595",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3595"
},
{
"name": "RHSA-2018:3529",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3529"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2018-14627",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "JBoss/WildFly",
"version": {
"version_data": [
{
"version_value": "14.0.0"
}
]
}
}
]
},
"vendor_name": "[UNKNOWN]"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The IIOP OpenJDK Subsystem in WildFly before version 14.0.0 does not honour configuration when SSL transport is required. Servers before this version that are configured with the following setting allow clients to create plaintext connections: \u003ctransport-config confidentiality=\"required\" trust-in-target=\"supported\"/\u003e"
}
]
},
"impact": {
"cvss": [
[
{
"vectorString": "5.3/CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
]
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-319"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14627",
"refsource": "CONFIRM",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14627"
},
{
"name": "RHSA-2018:3528",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:3528"
},
{
"name": "RHSA-2018:3527",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:3527"
},
{
"name": "https://issues.jboss.org/browse/WFLY-9107",
"refsource": "CONFIRM",
"url": "https://issues.jboss.org/browse/WFLY-9107"
},
{
"name": "https://security.netapp.com/advisory/ntap-20181221-0002/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20181221-0002/"
},
{
"name": "RHSA-2018:3595",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:3595"
},
{
"name": "RHSA-2018:3529",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:3529"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2018-14627",
"datePublished": "2018-09-04T12:00:00",
"dateReserved": "2018-07-27T00:00:00",
"dateUpdated": "2024-08-05T09:29:51.696Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-3805
Vulnerability from cvelistv5
Published
2019-05-03 19:25
Modified
2024-08-04 19:19
Severity ?
EPSS score ?
Summary
A flaw was discovered in wildfly versions up to 16.0.0.Final that would allow local users who are able to execute init.d script to terminate arbitrary processes on the system. An attacker could exploit this by modifying the PID file in /var/run/jboss-eap/ allowing the init.d script to terminate any process as root.
References
| ▼ | URL | Tags |
|---|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3805 | x_refsource_CONFIRM | |
| https://access.redhat.com/errata/RHSA-2019:1107 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2019:1108 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2019:1106 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2019:1140 | vendor-advisory, x_refsource_REDHAT | |
| https://security.netapp.com/advisory/ntap-20190517-0004/ | x_refsource_CONFIRM | |
| https://access.redhat.com/errata/RHSA-2019:2413 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2020:0727 | vendor-advisory, x_refsource_REDHAT |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T19:19:18.533Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3805"
},
{
"name": "RHSA-2019:1107",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1107"
},
{
"name": "RHSA-2019:1108",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1108"
},
{
"name": "RHSA-2019:1106",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1106"
},
{
"name": "RHSA-2019:1140",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1140"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20190517-0004/"
},
{
"name": "RHSA-2019:2413",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:2413"
},
{
"name": "RHSA-2020:0727",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0727"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "wildfly",
"vendor": "Red Hat",
"versions": [
{
"status": "affected",
"version": "affects up to 16.0.0.Final"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw was discovered in wildfly versions up to 16.0.0.Final that would allow local users who are able to execute init.d script to terminate arbitrary processes on the system. An attacker could exploit this by modifying the PID file in /var/run/jboss-eap/ allowing the init.d script to terminate any process as root."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-364",
"description": "CWE-364",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-11T11:06:48",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3805"
},
{
"name": "RHSA-2019:1107",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1107"
},
{
"name": "RHSA-2019:1108",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1108"
},
{
"name": "RHSA-2019:1106",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1106"
},
{
"name": "RHSA-2019:1140",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1140"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20190517-0004/"
},
{
"name": "RHSA-2019:2413",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:2413"
},
{
"name": "RHSA-2020:0727",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0727"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2019-3805",
"datePublished": "2019-05-03T19:25:28",
"dateReserved": "2019-01-03T00:00:00",
"dateUpdated": "2024-08-04T19:19:18.533Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-1719
Vulnerability from cvelistv5
Published
2021-06-07 16:23
Modified
2024-08-04 06:46
Severity ?
EPSS score ?
Summary
A flaw was found in wildfly. The EJBContext principle is not popped back after invoking another EJB using a different Security Domain. The highest threat from this vulnerability is to data confidentiality and integrity. Versions before wildfly 20.0.0.Final are affected.
References
| ▼ | URL | Tags |
|---|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=1796617 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T06:46:30.328Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1796617"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Wildfly",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "wildfly 20.0.0.Final"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in wildfly. The EJBContext principle is not popped back after invoking another EJB using a different Security Domain. The highest threat from this vulnerability is to data confidentiality and integrity. Versions before wildfly 20.0.0.Final are affected."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-270",
"description": "CWE-270",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-07T16:23:44",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1796617"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2020-1719",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Wildfly",
"version": {
"version_data": [
{
"version_value": "wildfly 20.0.0.Final"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A flaw was found in wildfly. The EJBContext principle is not popped back after invoking another EJB using a different Security Domain. The highest threat from this vulnerability is to data confidentiality and integrity. Versions before wildfly 20.0.0.Final are affected."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-270"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1796617",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1796617"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2020-1719",
"datePublished": "2021-06-07T16:23:44",
"dateReserved": "2019-11-27T00:00:00",
"dateUpdated": "2024-08-04T06:46:30.328Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-10740
Vulnerability from cvelistv5
Published
2020-06-22 17:39
Modified
2024-08-04 11:14
Severity ?
EPSS score ?
Summary
A vulnerability was found in Wildfly in versions before 20.0.0.Final, where a remote deserialization attack is possible in the Enterprise Application Beans(EJB) due to lack of validation/filtering capabilities in wildfly.
References
| ▼ | URL | Tags |
|---|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10740 | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:14:14.944Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10740"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "wildfly",
"vendor": "[UNKNOWN]",
"versions": [
{
"status": "affected",
"version": "Versions before 20.0.0.Final"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Wildfly in versions before 20.0.0.Final, where a remote deserialization attack is possible in the Enterprise Application Beans(EJB) due to lack of validation/filtering capabilities in wildfly."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-22T17:39:58",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10740"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2020-10740",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "wildfly",
"version": {
"version_data": [
{
"version_value": "Versions before 20.0.0.Final"
}
]
}
}
]
},
"vendor_name": "[UNKNOWN]"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability was found in Wildfly in versions before 20.0.0.Final, where a remote deserialization attack is possible in the Enterprise Application Beans(EJB) due to lack of validation/filtering capabilities in wildfly."
}
]
},
"impact": {
"cvss": [
[
{
"vectorString": "6.6/CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
]
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-502"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10740",
"refsource": "CONFIRM",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10740"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2020-10740",
"datePublished": "2020-06-22T17:39:58",
"dateReserved": "2020-03-20T00:00:00",
"dateUpdated": "2024-08-04T11:14:14.944Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-25640
Vulnerability from cvelistv5
Published
2020-11-24 19:00
Modified
2024-08-04 15:40
Severity ?
EPSS score ?
Summary
A flaw was discovered in WildFly before 21.0.0.Final where, Resource adapter logs plain text JMS password at warning level on connection error, inserting sensitive information in the log file.
References
| ▼ | URL | Tags |
|---|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=1881637 | x_refsource_MISC | |
| https://github.com/amqphub/amqp-10-resource-adapter/issues/13 | x_refsource_MISC | |
| https://security.netapp.com/advisory/ntap-20201210-0001/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:40:36.309Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1881637"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/amqphub/amqp-10-resource-adapter/issues/13"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20201210-0001/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "wildfly",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Wildfly 21.0.0.Final"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw was discovered in WildFly before 21.0.0.Final where, Resource adapter logs plain text JMS password at warning level on connection error, inserting sensitive information in the log file."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-209",
"description": "(CWE-209|CWE-532)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-12-10T11:06:06",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1881637"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/amqphub/amqp-10-resource-adapter/issues/13"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20201210-0001/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2020-25640",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "wildfly",
"version": {
"version_data": [
{
"version_value": "Wildfly 21.0.0.Final"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A flaw was discovered in WildFly before 21.0.0.Final where, Resource adapter logs plain text JMS password at warning level on connection error, inserting sensitive information in the log file."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "(CWE-209|CWE-532)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1881637",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1881637"
},
{
"name": "https://github.com/amqphub/amqp-10-resource-adapter/issues/13",
"refsource": "MISC",
"url": "https://github.com/amqphub/amqp-10-resource-adapter/issues/13"
},
{
"name": "https://security.netapp.com/advisory/ntap-20201210-0001/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20201210-0001/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2020-25640",
"datePublished": "2020-11-24T19:00:33",
"dateReserved": "2020-09-16T00:00:00",
"dateUpdated": "2024-08-04T15:40:36.309Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-3536
Vulnerability from cvelistv5
Published
2021-05-20 12:15
Modified
2024-08-03 17:01
Severity ?
EPSS score ?
Summary
A flaw was found in Wildfly in versions before 23.0.2.Final while creating a new role in domain mode via the admin console, it is possible to add a payload in the name field, leading to XSS. This affects Confidentiality and Integrity.
References
| ▼ | URL | Tags |
|---|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=1948001 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:01:07.095Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1948001"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "wildfly",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Wildfly 23.0.2.Final"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Wildfly in versions before 23.0.2.Final while creating a new role in domain mode via the admin console, it is possible to add a payload in the name field, leading to XSS. This affects Confidentiality and Integrity."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-20T12:15:09",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1948001"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2021-3536",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "wildfly",
"version": {
"version_data": [
{
"version_value": "Wildfly 23.0.2.Final"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A flaw was found in Wildfly in versions before 23.0.2.Final while creating a new role in domain mode via the admin console, it is possible to add a payload in the name field, leading to XSS. This affects Confidentiality and Integrity."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1948001",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1948001"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2021-3536",
"datePublished": "2021-05-20T12:15:09",
"dateReserved": "2021-05-05T00:00:00",
"dateUpdated": "2024-08-03T17:01:07.095Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-3644
Vulnerability from cvelistv5
Published
2022-08-26 15:25
Modified
2024-08-03 17:01
Severity ?
EPSS score ?
Summary
A flaw was found in wildfly-core in all versions. If a vault expression is in the form of a single attribute that contains multiple expressions, a user who was granted access to the management interface can potentially access a vault expression they should not be able to access and possibly retrieve the item which was stored in the vault. The highest threat from this vulnerability is data confidentiality and integrity.
References
| ▼ | URL | Tags |
|---|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=1976052 | x_refsource_MISC | |
| https://access.redhat.com/security/cve/CVE-2021-3644 | x_refsource_MISC | |
| https://issues.redhat.com/browse/WFCORE-5511 | x_refsource_MISC | |
| https://github.com/wildfly/wildfly-core/pull/4668 | x_refsource_MISC | |
| https://github.com/wildfly/wildfly-core/commit/6d8db43cd43b5994b7a14003db978064e086090b | x_refsource_MISC | |
| https://github.com/wildfly/wildfly-core/commit/06dd9884f6ba50470b1fb5a35198a8784f037714 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | n/a | wildfly-core |
Version: Fixed in 16.0.1.Final, 17.0.0.Final and later. |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:01:08.319Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1976052"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/CVE-2021-3644"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://issues.redhat.com/browse/WFCORE-5511"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/wildfly/wildfly-core/pull/4668"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/wildfly/wildfly-core/commit/6d8db43cd43b5994b7a14003db978064e086090b"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/wildfly/wildfly-core/commit/06dd9884f6ba50470b1fb5a35198a8784f037714"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "wildfly-core",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed in 16.0.1.Final, 17.0.0.Final and later."
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in wildfly-core in all versions. If a vault expression is in the form of a single attribute that contains multiple expressions, a user who was granted access to the management interface can potentially access a vault expression they should not be able to access and possibly retrieve the item which was stored in the vault. The highest threat from this vulnerability is data confidentiality and integrity."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-26T15:25:40",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1976052"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://access.redhat.com/security/cve/CVE-2021-3644"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://issues.redhat.com/browse/WFCORE-5511"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wildfly/wildfly-core/pull/4668"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wildfly/wildfly-core/commit/6d8db43cd43b5994b7a14003db978064e086090b"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wildfly/wildfly-core/commit/06dd9884f6ba50470b1fb5a35198a8784f037714"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2021-3644",
"datePublished": "2022-08-26T15:25:40",
"dateReserved": "2021-07-14T00:00:00",
"dateUpdated": "2024-08-03T17:01:08.319Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-1278
Vulnerability from cvelistv5
Published
2022-09-13 13:38
Modified
2024-08-02 23:55
Severity ?
EPSS score ?
Summary
A flaw was found in WildFly, where an attacker can see deployment names, endpoints, and any other data the trace payload may contain.
References
| ▼ | URL | Tags |
|---|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=2073401 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:55:24.610Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073401"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WildFly",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "no fixed versions known"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in WildFly, where an attacker can see deployment names, endpoints, and any other data the trace payload may contain."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1188",
"description": "CWE-1188",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-13T13:38:02",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073401"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2022-1278",
"datePublished": "2022-09-13T13:38:02",
"dateReserved": "2022-04-08T00:00:00",
"dateUpdated": "2024-08-02T23:55:24.610Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-25689
Vulnerability from cvelistv5
Published
2020-10-30 00:00
Modified
2024-08-04 15:40
Severity ?
EPSS score ?
Summary
A memory leak flaw was found in WildFly in all versions up to 21.0.0.Final, where host-controller tries to reconnect in a loop, generating new connections which are not properly closed while not able to connect to domain-controller. This flaw allows an attacker to cause an Out of memory (OOM) issue, leading to a denial of service. The highest threat from this vulnerability is to system availability.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Red Hat | wildfly-core |
Version: up to 21.0.0.Final |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:40:36.775Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25689"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20201123-0006/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "wildfly-core",
"vendor": "Red Hat",
"versions": [
{
"status": "affected",
"version": "up to 21.0.0.Final"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A memory leak flaw was found in WildFly in all versions up to 21.0.0.Final, where host-controller tries to reconnect in a loop, generating new connections which are not properly closed while not able to connect to domain-controller. This flaw allows an attacker to cause an Out of memory (OOM) issue, leading to a denial of service. The highest threat from this vulnerability is to system availability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-07T00:00:00",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25689"
},
{
"url": "https://security.netapp.com/advisory/ntap-20201123-0006/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2020-25689",
"datePublished": "2020-10-30T00:00:00",
"dateReserved": "2020-09-16T00:00:00",
"dateUpdated": "2024-08-04T15:40:36.775Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2018-10683
Vulnerability from cvelistv5
Published
2018-05-09 08:00
Modified
2024-08-05 07:46
Severity ?
EPSS score ?
Summary
An issue was discovered in WildFly 10.1.2.Final. In the case of a default installation without a security realm reference, an attacker can successfully access the server without authentication. NOTE: the Security Realms documentation in the product's Admin Guide indicates that "without a security realm reference" implies "effectively unsecured." The vendor explicitly supports these unsecured configurations because they have valid use cases during development
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/kmkz/exploit/blob/master/CVE-2018-10682-CVE-2018-10683.txt | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T07:46:46.333Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/kmkz/exploit/blob/master/CVE-2018-10682-CVE-2018-10683.txt"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-05-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in WildFly 10.1.2.Final. In the case of a default installation without a security realm reference, an attacker can successfully access the server without authentication. NOTE: the Security Realms documentation in the product\u0027s Admin Guide indicates that \"without a security realm reference\" implies \"effectively unsecured.\" The vendor explicitly supports these unsecured configurations because they have valid use cases during development"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-05-15T02:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kmkz/exploit/blob/master/CVE-2018-10682-CVE-2018-10683.txt"
}
],
"tags": [
"disputed"
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-10683",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** DISPUTED ** An issue was discovered in WildFly 10.1.2.Final. In the case of a default installation without a security realm reference, an attacker can successfully access the server without authentication. NOTE: the Security Realms documentation in the product\u0027s Admin Guide indicates that \"without a security realm reference\" implies \"effectively unsecured.\" The vendor explicitly supports these unsecured configurations because they have valid use cases during development."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/kmkz/exploit/blob/master/CVE-2018-10682-CVE-2018-10683.txt",
"refsource": "MISC",
"url": "https://github.com/kmkz/exploit/blob/master/CVE-2018-10682-CVE-2018-10683.txt"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-10683",
"datePublished": "2018-05-09T08:00:00",
"dateReserved": "2018-05-02T00:00:00",
"dateUpdated": "2024-08-05T07:46:46.333Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-0866
Vulnerability from cvelistv5
Published
2022-05-10 20:20
Modified
2024-08-02 23:40
Severity ?
EPSS score ?
Summary
This is a concurrency issue that can result in the wrong caller principal being returned from the session context of an EJB that is configured with a RunAs principal. In particular, the org.jboss.as.ejb3.component.EJBComponent class has an incomingRunAsIdentity field. This field is used by the org.jboss.as.ejb3.security.RunAsPrincipalInterceptor to keep track of the current identity prior to switching to a new identity created using the RunAs principal. The exploit consist that the EJBComponent#incomingRunAsIdentity field is currently just a SecurityIdentity. This means in a concurrent environment, where multiple users are repeatedly invoking an EJB that is configured with a RunAs principal, it's possible for the wrong the caller principal to be returned from EJBComponent#getCallerPrincipal. Similarly, it's also possible for EJBComponent#isCallerInRole to return the wrong value. Both of these methods rely on incomingRunAsIdentity. Affects all versions of JBoss EAP from 7.1.0 and all versions of WildFly 11+ when Elytron is enabled.
References
| ▼ | URL | Tags |
|---|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=2060929#c0 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:40:04.505Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2060929#c0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Wildfly",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "JBoss EAP from 7.1.0 and all versions of WildFly 11+ when Elytron is enabled."
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "This is a concurrency issue that can result in the wrong caller principal being returned from the session context of an EJB that is configured with a RunAs principal. In particular, the org.jboss.as.ejb3.component.EJBComponent class has an incomingRunAsIdentity field. This field is used by the org.jboss.as.ejb3.security.RunAsPrincipalInterceptor to keep track of the current identity prior to switching to a new identity created using the RunAs principal. The exploit consist that the EJBComponent#incomingRunAsIdentity field is currently just a SecurityIdentity. This means in a concurrent environment, where multiple users are repeatedly invoking an EJB that is configured with a RunAs principal, it\u0027s possible for the wrong the caller principal to be returned from EJBComponent#getCallerPrincipal. Similarly, it\u0027s also possible for EJBComponent#isCallerInRole to return the wrong value. Both of these methods rely on incomingRunAsIdentity. Affects all versions of JBoss EAP from 7.1.0 and all versions of WildFly 11+ when Elytron is enabled."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-10T20:20:35",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2060929#c0"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2022-0866",
"datePublished": "2022-05-10T20:20:35",
"dateReserved": "2022-03-04T00:00:00",
"dateUpdated": "2024-08-02T23:40:04.505Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2020-10718
Vulnerability from cvelistv5
Published
2020-09-16 18:06
Modified
2024-08-04 11:14
Severity ?
EPSS score ?
Summary
A flaw was found in Wildfly before wildfly-embedded-13.0.0.Final, where the embedded managed process API has an exposed setting of the Thread Context Classloader (TCCL). This setting is exposed as a public method, which can bypass the security manager. The highest threat from this vulnerability is to confidentiality.
References
| ▼ | URL | Tags |
|---|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=1828476 | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:14:14.762Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828476"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Wildfly",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "before wildfly-embedded-13.0.0.Final"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Wildfly before wildfly-embedded-13.0.0.Final, where the embedded managed process API has an exposed setting of the Thread Context Classloader (TCCL). This setting is exposed as a public method, which can bypass the security manager. The highest threat from this vulnerability is to confidentiality."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Exposed Dangerous Method or Function",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-16T18:06:26",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828476"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2020-10718",
"datePublished": "2020-09-16T18:06:26",
"dateReserved": "2020-03-20T00:00:00",
"dateUpdated": "2024-08-04T11:14:14.762Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2021-3503
Vulnerability from cvelistv5
Published
2022-04-18 16:20
Modified
2024-08-03 16:53
Severity ?
EPSS score ?
Summary
A flaw was found in Wildfly where insufficient RBAC restrictions may lead to expose metrics data. The highest threat from this vulnerability is to the confidentiality.
References
| ▼ | URL | Tags |
|---|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=1942693 | x_refsource_MISC | |
| https://issues.redhat.com/browse/WFLY-11933 | x_refsource_MISC | |
| https://github.com/wildfly/wildfly/pull/14136 | x_refsource_MISC | |
| https://github.com/advisories/GHSA-c4r5-xvgw-2942 | x_refsource_MISC | |
| https://access.redhat.com/security/cve/CVE-2021-3503 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T16:53:17.916Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1942693"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://issues.redhat.com/browse/WFLY-11933"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/wildfly/wildfly/pull/14136"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/advisories/GHSA-c4r5-xvgw-2942"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/CVE-2021-3503"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "wildfly",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Fixed in 23.0.1.Final"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Wildfly where insufficient RBAC restrictions may lead to expose metrics data. The highest threat from this vulnerability is to the confidentiality."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-24T15:09:39",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1942693"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://issues.redhat.com/browse/WFLY-11933"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/wildfly/wildfly/pull/14136"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/advisories/GHSA-c4r5-xvgw-2942"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://access.redhat.com/security/cve/CVE-2021-3503"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2021-3503",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "wildfly",
"version": {
"version_data": [
{
"version_value": "Fixed in 23.0.1.Final"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A flaw was found in Wildfly where insufficient RBAC restrictions may lead to expose metrics data. The highest threat from this vulnerability is to the confidentiality."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1942693",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1942693"
},
{
"name": "https://issues.redhat.com/browse/WFLY-11933",
"refsource": "MISC",
"url": "https://issues.redhat.com/browse/WFLY-11933"
},
{
"name": "https://github.com/wildfly/wildfly/pull/14136",
"refsource": "MISC",
"url": "https://github.com/wildfly/wildfly/pull/14136"
},
{
"name": "https://github.com/advisories/GHSA-c4r5-xvgw-2942",
"refsource": "MISC",
"url": "https://github.com/advisories/GHSA-c4r5-xvgw-2942"
},
{
"name": "https://access.redhat.com/security/cve/CVE-2021-3503",
"refsource": "MISC",
"url": "https://access.redhat.com/security/cve/CVE-2021-3503"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2021-3503",
"datePublished": "2022-04-18T16:20:37",
"dateReserved": "2021-04-16T00:00:00",
"dateUpdated": "2024-08-03T16:53:17.916Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-14887
Vulnerability from cvelistv5
Published
2020-03-16 14:48
Modified
2024-08-05 00:26
Severity ?
EPSS score ?
Summary
A flaw was found when an OpenSSL security provider is used with Wildfly, the 'enabled-protocols' value in the Wildfly configuration isn't honored. An attacker could target the traffic sent from Wildfly and downgrade the connection to a weaker version of TLS, potentially breaking the encryption. This could lead to a leak of the data being passed over the network. Wildfly version 7.2.0.GA, 7.2.3.GA and 7.2.5.CR2 are believed to be vulnerable.
References
| ▼ | URL | Tags |
|---|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14887 | x_refsource_CONFIRM | |
| https://issues.redhat.com/browse/JBEAP-17965 | x_refsource_CONFIRM | |
| https://security.netapp.com/advisory/ntap-20200327-0007/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:26:39.145Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14887"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://issues.redhat.com/browse/JBEAP-17965"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20200327-0007/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "wildfly",
"vendor": "Red Hat",
"versions": [
{
"status": "affected",
"version": "7.2.0.GA, 7.2.3.GA, 7.2.5.CR2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw was found when an OpenSSL security provider is used with Wildfly, the \u0027enabled-protocols\u0027 value in the Wildfly configuration isn\u0027t honored. An attacker could target the traffic sent from Wildfly and downgrade the connection to a weaker version of TLS, potentially breaking the encryption. This could lead to a leak of the data being passed over the network. Wildfly version 7.2.0.GA, 7.2.3.GA and 7.2.5.CR2 are believed to be vulnerable."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-757",
"description": "CWE-757",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-27T08:06:03",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14887"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://issues.redhat.com/browse/JBEAP-17965"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20200327-0007/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2019-14887",
"datePublished": "2020-03-16T14:48:09",
"dateReserved": "2019-08-10T00:00:00",
"dateUpdated": "2024-08-05T00:26:39.145Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2019-3894
Vulnerability from cvelistv5
Published
2019-05-03 19:25
Modified
2024-08-04 19:19
Severity ?
EPSS score ?
Summary
It was discovered that the ElytronManagedThread in Wildfly's Elytron subsystem in versions from 11 to 16 stores a SecurityIdentity to run the thread as. These threads do not necessarily terminate if the keep alive time has not expired. This could allow a shared thread to use the wrong security identity when executing.
References
| ▼ | URL | Tags |
|---|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3894 | x_refsource_CONFIRM | |
| https://access.redhat.com/errata/RHSA-2019:1107 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2019:1108 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2019:1106 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2019:1140 | vendor-advisory, x_refsource_REDHAT | |
| https://security.netapp.com/advisory/ntap-20190517-0004/ | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T19:19:18.806Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3894"
},
{
"name": "RHSA-2019:1107",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1107"
},
{
"name": "RHSA-2019:1108",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1108"
},
{
"name": "RHSA-2019:1106",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1106"
},
{
"name": "RHSA-2019:1140",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1140"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20190517-0004/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "wildfly",
"vendor": "Red Hat",
"versions": [
{
"status": "affected",
"version": "affects from 11 to 16"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "It was discovered that the ElytronManagedThread in Wildfly\u0027s Elytron subsystem in versions from 11 to 16 stores a SecurityIdentity to run the thread as. These threads do not necessarily terminate if the keep alive time has not expired. This could allow a shared thread to use the wrong security identity when executing."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-358",
"description": "CWE-358",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-05-17T09:06:06",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3894"
},
{
"name": "RHSA-2019:1107",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1107"
},
{
"name": "RHSA-2019:1108",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1108"
},
{
"name": "RHSA-2019:1106",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1106"
},
{
"name": "RHSA-2019:1140",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1140"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20190517-0004/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2019-3894",
"datePublished": "2019-05-03T19:25:58",
"dateReserved": "2019-01-03T00:00:00",
"dateUpdated": "2024-08-04T19:19:18.806Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2021-06-02 12:15
Modified
2024-11-21 05:02
Severity ?
Summary
It was found that the issue for security flaw CVE-2019-3805 appeared again in a further version of JBoss Enterprise Application Platform - Continuous Delivery (EAP-CD) introducing regression. An attacker could exploit this by modifying the PID file in /var/run/jboss-eap/ allowing the init.d script to terminate any process as root.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=1854251 | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=1854251 | Issue Tracking, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| redhat | jboss_enterprise_application_platform | - | |
| redhat | wildfly | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:-:*:*:*:continuous_delivery:*:*:*",
"matchCriteriaId": "826F79C3-2106-46A3-9842-9ED8704723CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:wildfly:-:*:*:*:*:*:*:*",
"matchCriteriaId": "623B48BB-68BD-429F-B24E-92304FD0CB81",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "It was found that the issue for security flaw CVE-2019-3805 appeared again in a further version of JBoss Enterprise Application Platform - Continuous Delivery (EAP-CD) introducing regression. An attacker could exploit this by modifying the PID file in /var/run/jboss-eap/ allowing the init.d script to terminate any process as root."
},
{
"lang": "es",
"value": "Se ha detectado que el problema del fallo de seguridad CVE-2019-3805 ha vuelto a aparecer en otra versi\u00f3n de JBoss Enterprise Application Platform - Continuous Delivery (EAP-CD) introduciendo una regresi\u00f3n. Un atacante podr\u00eda explotar esto al modificar el archivo PID en el directorio /var/run/jboss-eap/ permitiendo que el script init.d termine cualquier proceso como root"
}
],
"id": "CVE-2020-14317",
"lastModified": "2024-11-21T05:02:59.710",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 4.9,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 6.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-06-02T12:15:08.037",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1854251"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1854251"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-364"
}
],
"source": "secalert@redhat.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-11-02 21:15
Modified
2024-11-21 05:18
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
A memory leak flaw was found in WildFly in all versions up to 21.0.0.Final, where host-controller tries to reconnect in a loop, generating new connections which are not properly closed while not able to connect to domain-controller. This flaw allows an attacker to cause an Out of memory (OOM) issue, leading to a denial of service. The highest threat from this vulnerability is to system availability.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25689 | Exploit, Issue Tracking, Patch, Vendor Advisory | |
| secalert@redhat.com | https://security.netapp.com/advisory/ntap-20201123-0006/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25689 | Exploit, Issue Tracking, Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20201123-0006/ | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| redhat | wildfly | * | |
| redhat | fuse | 6.0.0 | |
| redhat | jboss_data_grid | 7.0.0 | |
| redhat | jboss_enterprise_application_platform | 7.0.0 | |
| redhat | jboss_fuse | 7.0.0 | |
| redhat | openshift_application_runtimes | - | |
| redhat | single_sign-on | 7.0 | |
| netapp | active_iq_unified_manager | - | |
| netapp | active_iq_unified_manager | - | |
| netapp | active_iq_unified_manager | - | |
| netapp | oncommand_insight | - | |
| netapp | service_level_manager | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:wildfly:*:*:*:*:*:*:*:*",
"matchCriteriaId": "03BD2B88-A2AB-479B-8AE9-EB044A920A43",
"versionEndIncluding": "21.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:fuse:6.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FD89A07A-0277-43E8-9363-F77A43C89406",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_data_grid:7.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "CD354E32-A8B0-484C-B4C6-9FBCD3430D2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "72A54BDA-311C-413B-8E4D-388AD65A170A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_fuse:7.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B40CCE4F-EA2C-453D-BB76-6388767E5C6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A33441B3-B301-426C-A976-08CE5FE72EFB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9EFEC7CA-8DDA-48A6-A7B6-1F1D14792890",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*",
"matchCriteriaId": "F3E0B672-3E06-4422-B2A4-0BD073AEC2A1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*",
"matchCriteriaId": "3A756737-1CC4-42C2-A4DF-E1C893B4E2D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*",
"matchCriteriaId": "B55E8D50-99B4-47EC-86F9-699B67D473CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*",
"matchCriteriaId": "F1BE6C1F-2565-4E97-92AA-16563E5660A5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:netapp:service_level_manager:-:*:*:*:*:*:*:*",
"matchCriteriaId": "7081652A-D28B-494E-94EF-CA88117F23EE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A memory leak flaw was found in WildFly in all versions up to 21.0.0.Final, where host-controller tries to reconnect in a loop, generating new connections which are not properly closed while not able to connect to domain-controller. This flaw allows an attacker to cause an Out of memory (OOM) issue, leading to a denial of service. The highest threat from this vulnerability is to system availability."
},
{
"lang": "es",
"value": "Se encontr\u00f3 una fallo de filtrado de memoria en WildFly en todas las versiones hasta 21.0.0.Final, donde el controlador de host intenta reconectarse en un bucle, generando nuevas conexiones que no son cerradas apropiadamente mientras no es capaz de conectar al controlador de dominio.\u0026#xa0;Este fallo permite a un atacante causar un problema de Falta de Memoria (OOM), conllevando a una denegaci\u00f3n de servicio.\u0026#xa0;La mayor amenaza de esta vulnerabilidad es la disponibilidad del sistema"
}
],
"id": "CVE-2020-25689",
"lastModified": "2024-11-21T05:18:28.603",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "COMPLETE",
"baseScore": 6.8,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:C",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 3.6,
"source": "secalert@redhat.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-11-02T21:15:27.647",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25689"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20201123-0006/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25689"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20201123-0006/"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-401"
}
],
"source": "secalert@redhat.com",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-401"
}
],
"source": "nvd@nist.gov",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-05-03 20:29
Modified
2024-11-21 04:42
Severity ?
Summary
It was discovered that the ElytronManagedThread in Wildfly's Elytron subsystem in versions from 11 to 16 stores a SecurityIdentity to run the thread as. These threads do not necessarily terminate if the keep alive time has not expired. This could allow a shared thread to use the wrong security identity when executing.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| redhat | wildfly | * | |
| redhat | jboss_enterprise_application_platform | 7.0.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:wildfly:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F828CF0C-8DD4-451B-B73A-B119EB5A70DB",
"versionEndIncluding": "16.0.0",
"versionStartIncluding": "11.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "72A54BDA-311C-413B-8E4D-388AD65A170A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "It was discovered that the ElytronManagedThread in Wildfly\u0027s Elytron subsystem in versions from 11 to 16 stores a SecurityIdentity to run the thread as. These threads do not necessarily terminate if the keep alive time has not expired. This could allow a shared thread to use the wrong security identity when executing."
},
{
"lang": "es",
"value": "Se descubri\u00f3 que ElytronManagedThread del subsistemas Wildfly\u0027s Elytron en versiones desde 11 hasta la 16 almacena un SecurityIdentity para ejecutar el hilo. Estos hilos no necesariamente terminan si el tiempo de mantener activos no ha expirado. Esto podr\u00eda permitir compartir el hilo para emplear una identidad de seguridad incorrecta al ejecutarse."
}
],
"id": "CVE-2019-3894",
"lastModified": "2024-11-21T04:42:48.890",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "secalert@redhat.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-05-03T20:29:01.327",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1106"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1107"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1108"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1140"
},
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3894"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20190517-0004/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1106"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1107"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1108"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1140"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3894"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20190517-0004/"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-358"
}
],
"source": "secalert@redhat.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-12-08 01:15
Modified
2024-11-21 05:21
Severity ?
Summary
A flaw was found in Wildfly affecting versions 19.0.0.Final, 19.1.0.Final, 20.0.0.Final, 20.0.1.Final, and 21.0.0.Final. When an application uses the OpenTracing API's java-interceptors, there is a possibility of a memory leak. This flaw allows an attacker to impact the availability of the server. The highest threat from this vulnerability is to system availability.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=1904060 | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=1904060 | Issue Tracking, Vendor Advisory |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:wildfly:19.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D90E2085-2D90-46CE-9EC6-091126EE8157",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:wildfly:19.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DDCA87E4-E6B3-4E83-8FB5-E1010DFAF6FA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:wildfly:20.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B2CCEF28-7139-4834-985E-1AF6CFEC7DB0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:wildfly:20.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "220ACF24-36E1-4904-889F-67FB804D22AF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:wildfly:21.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D16601AC-5F6A-4506-97AA-6C53B6740057",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Wildfly affecting versions 19.0.0.Final, 19.1.0.Final, 20.0.0.Final, 20.0.1.Final, and 21.0.0.Final. When an application uses the OpenTracing API\u0027s java-interceptors, there is a possibility of a memory leak. This flaw allows an attacker to impact the availability of the server. The highest threat from this vulnerability is to system availability."
},
{
"lang": "es",
"value": "Se encontr\u00f3 un fallo en Wildfly afectando a versiones 19.0.0.Final, 19.1.0.Final, 20.0.0.Final, 20.0.1.Final y 21.0.0.Final. Cuando una aplicaci\u00f3n usa los interceptores java de la API OpenTracing, existe la posibilidad de una p\u00e9rdida de memoria. Este fallo permite a un atacante afectar la disponibilidad del servidor. La mayor amenaza de esta vulnerabilidad es la disponibilidad del sistema"
}
],
"id": "CVE-2020-27822",
"lastModified": "2024-11-21T05:21:52.667",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 7.1,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:C",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-12-08T01:15:12.413",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1904060"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1904060"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-401"
}
],
"source": "secalert@redhat.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-05-09 08:29
Modified
2024-11-21 03:41
Severity ?
Summary
An issue was discovered in WildFly 10.1.2.Final. In the case of a default installation without a security realm reference, an attacker can successfully access the server without authentication. NOTE: the Security Realms documentation in the product's Admin Guide indicates that "without a security realm reference" implies "effectively unsecured." The vendor explicitly supports these unsecured configurations because they have valid use cases during development
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/kmkz/exploit/blob/master/CVE-2018-10682-CVE-2018-10683.txt | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/kmkz/exploit/blob/master/CVE-2018-10682-CVE-2018-10683.txt | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:wildfly:10.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B0685CB9-DC7C-4969-99E5-1ED80AA66164",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [
{
"sourceIdentifier": "cve@mitre.org",
"tags": [
"disputed"
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in WildFly 10.1.2.Final. In the case of a default installation without a security realm reference, an attacker can successfully access the server without authentication. NOTE: the Security Realms documentation in the product\u0027s Admin Guide indicates that \"without a security realm reference\" implies \"effectively unsecured.\" The vendor explicitly supports these unsecured configurations because they have valid use cases during development"
},
{
"lang": "es",
"value": "** EN DISPUTA ** Se ha descubierto un problema en WildFly 10.1.2.Final. En el caso de una instalaci\u00f3n por defecto sin una referencia de realm de seguridad, un atacante puede acceder con \u00e9xito al servidor sin autenticaci\u00f3n. NOTA: la documentaci\u00f3n de Security Realms en la gu\u00eda de administraci\u00f3n del producto indica que \"sin una referencia de realm de seguridad\" implica \"no asegurado de forma efectiva\". El fabricante soporta de manera expl\u00edcita estas configuraciones inseguras debido a que tienen casos de uso v\u00e1lidos durante el desarrollo."
}
],
"id": "CVE-2018-10683",
"lastModified": "2024-11-21T03:41:50.747",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-05-09T08:29:00.283",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/kmkz/exploit/blob/master/CVE-2018-10682-CVE-2018-10683.txt"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/kmkz/exploit/blob/master/CVE-2018-10682-CVE-2018-10683.txt"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-06-07 17:15
Modified
2024-11-21 05:11
Severity ?
Summary
A flaw was found in wildfly. The EJBContext principle is not popped back after invoking another EJB using a different Security Domain. The highest threat from this vulnerability is to data confidentiality and integrity. Versions before wildfly 20.0.0.Final are affected.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=1796617 | Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=1796617 | Issue Tracking, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:wildfly:*:*:*:*:*:*:*:*",
"matchCriteriaId": "525F30F0-2C8D-4412-818A-342FABA92B10",
"versionEndExcluding": "20.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in wildfly. The EJBContext principle is not popped back after invoking another EJB using a different Security Domain. The highest threat from this vulnerability is to data confidentiality and integrity. Versions before wildfly 20.0.0.Final are affected."
},
{
"lang": "es",
"value": "Se ha encontrado un fallo en wildfly. El principio EJBContext no se devuelve despu\u00e9s de invocar otro EJB usando un dominio de seguridad diferente. La mayor amenaza de esta vulnerabilidad es para la confidencialidad e integridad de los datos. Las versiones anteriores a wildfly 20.0.0.Final est\u00e1n afectadas"
}
],
"id": "CVE-2020-1719",
"lastModified": "2024-11-21T05:11:14.120",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-06-07T17:15:07.527",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1796617"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1796617"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-270"
}
],
"source": "secalert@redhat.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-11-24 19:15
Modified
2024-11-21 05:18
Severity ?
Summary
A flaw was discovered in WildFly before 21.0.0.Final where, Resource adapter logs plain text JMS password at warning level on connection error, inserting sensitive information in the log file.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=1881637 | Issue Tracking, Vendor Advisory | |
| secalert@redhat.com | https://github.com/amqphub/amqp-10-resource-adapter/issues/13 | Third Party Advisory | |
| secalert@redhat.com | https://security.netapp.com/advisory/ntap-20201210-0001/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=1881637 | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/amqphub/amqp-10-resource-adapter/issues/13 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20201210-0001/ | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:wildfly:*:*:*:*:*:*:*:*",
"matchCriteriaId": "83915CB8-1E94-41BF-9BC6-BE35DA6BC7C0",
"versionEndExcluding": "21.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A flaw was discovered in WildFly before 21.0.0.Final where, Resource adapter logs plain text JMS password at warning level on connection error, inserting sensitive information in the log file."
},
{
"lang": "es",
"value": "Se detect\u00f3 un fallo en WildFly versiones anteriores a 21.0.0.Final donde, el adaptador de Recursos registra una contrase\u00f1a JMS de texto plano en el nivel de advertencia en caso de error de conexi\u00f3n, insertando informaci\u00f3n confidencial en el archivo de registro"
}
],
"id": "CVE-2020-25640",
"lastModified": "2024-11-21T05:18:18.790",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-11-24T19:15:10.633",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1881637"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/amqphub/amqp-10-resource-adapter/issues/13"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20201210-0001/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1881637"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/amqphub/amqp-10-resource-adapter/issues/13"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20201210-0001/"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-209"
}
],
"source": "secalert@redhat.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-532"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-05-20 13:15
Modified
2024-11-21 06:21
Severity ?
Summary
A flaw was found in Wildfly in versions before 23.0.2.Final while creating a new role in domain mode via the admin console, it is possible to add a payload in the name field, leading to XSS. This affects Confidentiality and Integrity.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=1948001 | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=1948001 | Issue Tracking, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| redhat | build_of_quarkus | - | |
| redhat | data_grid | 8.0 | |
| redhat | descision_manager | 7.0 | |
| redhat | integration_camel_k | - | |
| redhat | integration_camel_quarkus | - | |
| redhat | integration_service_registry | - | |
| redhat | jboss_a-mq | 7 | |
| redhat | jboss_enterprise_application_platform | 7.0 | |
| redhat | wildfly | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:build_of_quarkus:-:*:*:*:*:*:*:*",
"matchCriteriaId": "CE29B9D6-63DC-4779-ACE8-4E51E6A0AF37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:data_grid:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "7095200A-4DAC-4433-99E8-86CA88E1E4D4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:descision_manager:7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D5863BBF-829E-44EF-ACE8-61D5037251F6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:integration_camel_k:-:*:*:*:*:*:*:*",
"matchCriteriaId": "B87C8AD3-8878-4546-86C2-BF411876648C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:integration_camel_quarkus:-:*:*:*:*:*:*:*",
"matchCriteriaId": "F039C746-2001-4EE5-835F-49607A94F12B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:integration_service_registry:-:*:*:*:*:*:*:*",
"matchCriteriaId": "EF03BDE8-602D-4DEE-BA5B-5B20FDF47741",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_a-mq:7:*:*:*:*:*:*:*",
"matchCriteriaId": "A58966CB-36AF-4E64-AB39-BE3A0753E155",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "88BF3B2C-B121-483A-AEF2-8082F6DA5310",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:wildfly:*:*:*:*:*:*:*:*",
"matchCriteriaId": "92A58DE6-0DDA-4A87-B1F6-56499CE7114A",
"versionEndExcluding": "23.0.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Wildfly in versions before 23.0.2.Final while creating a new role in domain mode via the admin console, it is possible to add a payload in the name field, leading to XSS. This affects Confidentiality and Integrity."
},
{
"lang": "es",
"value": "Se encontr\u00f3 un fallo en Wildfly en versiones anteriores a 23.0.2.Final, mientras se crea un nuevo rol en el modo de dominio por medio de la consola de administraci\u00f3n, es posible agregar una carga \u00fatil en el campo name, conllevando a una vulnerabilidad de tipo XSS.\u0026#xa0;Esto afecta la Confidencialidad y la Integridad"
}
],
"id": "CVE-2021-3536",
"lastModified": "2024-11-21T06:21:47.183",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-05-20T13:15:07.840",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1948001"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1948001"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "secalert@redhat.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-09-16 19:15
Modified
2024-11-21 04:55
Severity ?
Summary
A flaw was found in Wildfly before wildfly-embedded-13.0.0.Final, where the embedded managed process API has an exposed setting of the Thread Context Classloader (TCCL). This setting is exposed as a public method, which can bypass the security manager. The highest threat from this vulnerability is to confidentiality.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=1828476 | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=1828476 | Issue Tracking, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| redhat | jboss_fuse | 7.0.0 | |
| redhat | wildfly | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:jboss_fuse:7.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B40CCE4F-EA2C-453D-BB76-6388767E5C6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:wildfly:*:*:*:*:*:*:*:*",
"matchCriteriaId": "53A3AB58-49BA-4A9E-9419-C2787118368C",
"versionEndExcluding": "13.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Wildfly before wildfly-embedded-13.0.0.Final, where the embedded managed process API has an exposed setting of the Thread Context Classloader (TCCL). This setting is exposed as a public method, which can bypass the security manager. The highest threat from this vulnerability is to confidentiality."
},
{
"lang": "es",
"value": "Se encontr\u00f3 un fallo en Wildfly versiones anteriores a wildfly-embedded-13.0.0.Final, donde la API del proceso administrado incorporado presenta una configuraci\u00f3n expuesta del Thread Context Classloader (TCCL).\u0026#xa0;Esta configuraci\u00f3n se expone como un m\u00e9todo p\u00fablico, que puede omitir al administrador de seguridad.\u0026#xa0;La mayor amenaza de esta vulnerabilidad es la confidencialidad"
}
],
"id": "CVE-2020-10718",
"lastModified": "2024-11-21T04:55:55.247",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-09-16T19:15:13.210",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828476"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1828476"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-08-26 16:15
Modified
2024-11-21 06:22
Severity ?
Summary
A flaw was found in wildfly-core in all versions. If a vault expression is in the form of a single attribute that contains multiple expressions, a user who was granted access to the management interface can potentially access a vault expression they should not be able to access and possibly retrieve the item which was stored in the vault. The highest threat from this vulnerability is data confidentiality and integrity.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:descision_manager:7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D5863BBF-829E-44EF-ACE8-61D5037251F6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:wildfly:16.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "3DD1C6A5-62D1-42A0-9FE7-2654CD65D0B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:wildfly:17.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "964B390B-D38D-4F38-8E1B-A58FD084E5B6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in wildfly-core in all versions. If a vault expression is in the form of a single attribute that contains multiple expressions, a user who was granted access to the management interface can potentially access a vault expression they should not be able to access and possibly retrieve the item which was stored in the vault. The highest threat from this vulnerability is data confidentiality and integrity."
},
{
"lang": "es",
"value": "Se ha encontrado un fallo en wildfly-core en todas las versiones. Si una expresi\u00f3n de b\u00f3veda est\u00e1 en la forma de un solo atributo que contiene m\u00faltiples expresiones, un usuario al que le ha sido concedido acceso a la interfaz de administraci\u00f3n puede potencialmente acceder a una expresi\u00f3n de b\u00f3veda a la que no deber\u00eda poder acceder y posiblemente recuperar el elemento que estaba almacenado en la b\u00f3veda. La mayor amenaza de esta vulnerabilidad es la confidencialidad e integridad de los datos."
}
],
"id": "CVE-2021-3644",
"lastModified": "2024-11-21T06:22:03.773",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 0.7,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-08-26T16:15:09.163",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "https://access.redhat.com/security/cve/CVE-2021-3644"
},
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1976052"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/wildfly/wildfly-core/commit/06dd9884f6ba50470b1fb5a35198a8784f037714"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/wildfly/wildfly-core/commit/6d8db43cd43b5994b7a14003db978064e086090b"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/wildfly/wildfly-core/pull/4668"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://issues.redhat.com/browse/WFCORE-5511"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://access.redhat.com/security/cve/CVE-2021-3644"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1976052"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/wildfly/wildfly-core/commit/06dd9884f6ba50470b1fb5a35198a8784f037714"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/wildfly/wildfly-core/commit/6d8db43cd43b5994b7a14003db978064e086090b"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/wildfly/wildfly-core/pull/4668"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://issues.redhat.com/browse/WFCORE-5511"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "secalert@redhat.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-09-04 12:29
Modified
2024-11-21 03:49
Severity ?
5.3 (Medium) - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
5.9 (Medium) - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
5.9 (Medium) - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
The IIOP OpenJDK Subsystem in WildFly before version 14.0.0 does not honour configuration when SSL transport is required. Servers before this version that are configured with the following setting allow clients to create plaintext connections: <transport-config confidentiality="required" trust-in-target="supported"/>
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:wildfly:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9150C45A-1207-4BA2-A9F5-A7D77BA36C0C",
"versionEndExcluding": "14.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The IIOP OpenJDK Subsystem in WildFly before version 14.0.0 does not honour configuration when SSL transport is required. Servers before this version that are configured with the following setting allow clients to create plaintext connections: \u003ctransport-config confidentiality=\"required\" trust-in-target=\"supported\"/\u003e"
},
{
"lang": "es",
"value": "El subsistema IIOP OpenJDK en WildFly en versiones anteriores a la 14.0.0 no cumple con al configuraci\u00f3n cuando se requiere transporte SSL. Los servidores con versiones anteriores a \u00e9sta que est\u00e9n configurados con las siguientes opciones permiten que los clientes creen conexiones en texto plano:"
}
],
"id": "CVE-2018-14627",
"lastModified": "2024-11-21T03:49:27.310",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 1.6,
"impactScore": 3.6,
"source": "secalert@redhat.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-09-04T12:29:00.623",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3527"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3528"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3529"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3595"
},
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14627"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://issues.jboss.org/browse/WFLY-9107"
},
{
"source": "secalert@redhat.com",
"url": "https://security.netapp.com/advisory/ntap-20181221-0002/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3527"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3528"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3529"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:3595"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14627"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://issues.jboss.org/browse/WFLY-9107"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.netapp.com/advisory/ntap-20181221-0002/"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-319"
}
],
"source": "secalert@redhat.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-319"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-03-16 15:15
Modified
2024-11-21 04:27
Severity ?
Summary
A flaw was found when an OpenSSL security provider is used with Wildfly, the 'enabled-protocols' value in the Wildfly configuration isn't honored. An attacker could target the traffic sent from Wildfly and downgrade the connection to a weaker version of TLS, potentially breaking the encryption. This could lead to a leak of the data being passed over the network. Wildfly version 7.2.0.GA, 7.2.3.GA and 7.2.5.CR2 are believed to be vulnerable.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14887 | Issue Tracking, Vendor Advisory | |
| secalert@redhat.com | https://issues.redhat.com/browse/JBEAP-17965 | Permissions Required | |
| secalert@redhat.com | https://security.netapp.com/advisory/ntap-20200327-0007/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14887 | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://issues.redhat.com/browse/JBEAP-17965 | Permissions Required | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20200327-0007/ | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| redhat | jboss_data_grid | 7.0.0 | |
| redhat | jboss_enterprise_application_platform | 7.0.0 | |
| redhat | jboss_fuse | 7.0.0 | |
| redhat | openshift_application_runtimes | - | |
| redhat | single_sign-on | 7.0 | |
| redhat | wildfly | 7.2.0 | |
| redhat | wildfly | 7.2.3 | |
| redhat | wildfly | 7.2.5 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:jboss_data_grid:7.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "CD354E32-A8B0-484C-B4C6-9FBCD3430D2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "72A54BDA-311C-413B-8E4D-388AD65A170A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_fuse:7.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B40CCE4F-EA2C-453D-BB76-6388767E5C6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A33441B3-B301-426C-A976-08CE5FE72EFB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9EFEC7CA-8DDA-48A6-A7B6-1F1D14792890",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:wildfly:7.2.0:general_availability:*:*:*:*:*:*",
"matchCriteriaId": "3183A7CF-6426-4B9F-AC91-9CFD6F31CD2A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:wildfly:7.2.3:general_availability:*:*:*:*:*:*",
"matchCriteriaId": "FA943E12-A502-40E7-833D-79C504667EA6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:wildfly:7.2.5:cr2:*:*:*:*:*:*",
"matchCriteriaId": "DFBEF324-BC86-4DA8-9152-6E339C8751F4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A flaw was found when an OpenSSL security provider is used with Wildfly, the \u0027enabled-protocols\u0027 value in the Wildfly configuration isn\u0027t honored. An attacker could target the traffic sent from Wildfly and downgrade the connection to a weaker version of TLS, potentially breaking the encryption. This could lead to a leak of the data being passed over the network. Wildfly version 7.2.0.GA, 7.2.3.GA and 7.2.5.CR2 are believed to be vulnerable."
},
{
"lang": "es",
"value": "Se detect\u00f3 un fallo cuando un proveedor de seguridad OpenSSL es usado con Wildfly, el valor de \"enabled-protocols\" en la configuraci\u00f3n de Wildfly no es respetado. Un atacante podr\u00eda apuntar al tr\u00e1fico enviado desde Wildfly y degradar la conexi\u00f3n a una versi\u00f3n m\u00e1s d\u00e9bil de TLS, rompiendo potencialmente el cifrado. Esto podr\u00eda conllevar a un filtrado de los datos que son pasados a trav\u00e9s de la red. Se cree que Wildfly versiones 7.2.0.GA, 7.2.3.GA y 7.2.5.CR2 son vulnerables."
}
],
"id": "CVE-2019-14887",
"lastModified": "2024-11-21T04:27:36.843",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.2,
"impactScore": 5.2,
"source": "secalert@redhat.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-03-16T15:15:12.130",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14887"
},
{
"source": "secalert@redhat.com",
"tags": [
"Permissions Required"
],
"url": "https://issues.redhat.com/browse/JBEAP-17965"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20200327-0007/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14887"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required"
],
"url": "https://issues.redhat.com/browse/JBEAP-17965"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20200327-0007/"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-757"
}
],
"source": "secalert@redhat.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-06-22 18:15
Modified
2024-11-21 04:55
Severity ?
6.6 (Medium) - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
A vulnerability was found in Wildfly in versions before 20.0.0.Final, where a remote deserialization attack is possible in the Enterprise Application Beans(EJB) due to lack of validation/filtering capabilities in wildfly.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10740 | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10740 | Issue Tracking, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:wildfly:*:*:*:*:*:*:*:*",
"matchCriteriaId": "525F30F0-2C8D-4412-818A-342FABA92B10",
"versionEndExcluding": "20.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Wildfly in versions before 20.0.0.Final, where a remote deserialization attack is possible in the Enterprise Application Beans(EJB) due to lack of validation/filtering capabilities in wildfly."
},
{
"lang": "es",
"value": "Se encontr\u00f3 una vulnerabilidad en Wildfly en versiones anteriores a 20.0.0.Final, donde es posible un ataque de deserializaci\u00f3n remota en Enterprise Application Beans (EJB) debido a una falta de capacidades de validaci\u00f3n y filtrado en wildfly"
}
],
"id": "CVE-2020-10740",
"lastModified": "2024-11-21T04:55:58.393",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 0.7,
"impactScore": 5.9,
"source": "secalert@redhat.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-06-22T18:15:11.087",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10740"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10740"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "secalert@redhat.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-05-10 21:15
Modified
2024-11-21 06:39
Severity ?
Summary
This is a concurrency issue that can result in the wrong caller principal being returned from the session context of an EJB that is configured with a RunAs principal. In particular, the org.jboss.as.ejb3.component.EJBComponent class has an incomingRunAsIdentity field. This field is used by the org.jboss.as.ejb3.security.RunAsPrincipalInterceptor to keep track of the current identity prior to switching to a new identity created using the RunAs principal. The exploit consist that the EJBComponent#incomingRunAsIdentity field is currently just a SecurityIdentity. This means in a concurrent environment, where multiple users are repeatedly invoking an EJB that is configured with a RunAs principal, it's possible for the wrong the caller principal to be returned from EJBComponent#getCallerPrincipal. Similarly, it's also possible for EJBComponent#isCallerInRole to return the wrong value. Both of these methods rely on incomingRunAsIdentity. Affects all versions of JBoss EAP from 7.1.0 and all versions of WildFly 11+ when Elytron is enabled.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=2060929#c0 | Issue Tracking, Mitigation, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=2060929#c0 | Issue Tracking, Mitigation, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| redhat | jboss_enterprise_application_platform | * | |
| redhat | openstack_platform | 13.0 | |
| redhat | wildfly | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:*:*:*:*:*:*:*:*",
"matchCriteriaId": "32AB4A68-6662-42AF-8D27-10F4E0099F06",
"versionStartIncluding": "7.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:openstack_platform:13.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C52600BF-9E87-4CD2-91F3-685AFE478C1E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:wildfly:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6D47C4B3-AA0D-44C2-A709-373595835E79",
"versionStartIncluding": "11.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "This is a concurrency issue that can result in the wrong caller principal being returned from the session context of an EJB that is configured with a RunAs principal. In particular, the org.jboss.as.ejb3.component.EJBComponent class has an incomingRunAsIdentity field. This field is used by the org.jboss.as.ejb3.security.RunAsPrincipalInterceptor to keep track of the current identity prior to switching to a new identity created using the RunAs principal. The exploit consist that the EJBComponent#incomingRunAsIdentity field is currently just a SecurityIdentity. This means in a concurrent environment, where multiple users are repeatedly invoking an EJB that is configured with a RunAs principal, it\u0027s possible for the wrong the caller principal to be returned from EJBComponent#getCallerPrincipal. Similarly, it\u0027s also possible for EJBComponent#isCallerInRole to return the wrong value. Both of these methods rely on incomingRunAsIdentity. Affects all versions of JBoss EAP from 7.1.0 and all versions of WildFly 11+ when Elytron is enabled."
},
{
"lang": "es",
"value": "Esto es un problema de concurrencia que puede resultar en que sea devuelto el caller principal incorrecto desde el contexto de sesi\u00f3n de un EJB que est\u00e1 configurado con un principal RunAs. En particular, la clase org.jboss.as.ejb3.component.EJBComponent presenta un campo incomingRunAsIdentity. Este campo es usado por el org.jboss.as.ejb3.security.RunAsPrincipalInterceptor para mantener un registro de la identidad actual antes de cambiar a una nueva identidad creada usando el principal RunAs. La explotaci\u00f3n consiste en que el campo EJBComponent#incomingRunAsIdentity es actualmente s\u00f3lo un SecurityIdentity. Esto significa que en un entorno concurrente, en el que varios usuarios invocan repetidamente un EJB configurado con una entidad de seguridad RunAs, es posible que sea devuelta una entidad de seguridad incorrecta desde EJBComponent#getCallerPrincipal. Del mismo modo, tambi\u00e9n es posible que EJBComponent#isCallerInRole devuelva un valor incorrecto. Ambos m\u00e9todos dependen de incomingRunAsIdentity. Afecta a todas las versiones de JBoss EAP a partir de la 7.1.0 y a todas las versiones de WildFly 11+ cuando Elytron est\u00e1 habilitado"
}
],
"id": "CVE-2022-0866",
"lastModified": "2024-11-21T06:39:33.650",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-05-10T21:15:08.817",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Mitigation",
"Vendor Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2060929#c0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Mitigation",
"Vendor Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2060929#c0"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "secalert@redhat.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-09-13 14:15
Modified
2024-11-21 06:40
Severity ?
Summary
A flaw was found in WildFly, where an attacker can see deployment names, endpoints, and any other data the trace payload may contain.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=2073401 | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=2073401 | Issue Tracking, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| redhat | wildfly | * | |
| redhat | amq | 2.0 | |
| redhat | amq_online | - | |
| redhat | integration_camel_k | - | |
| redhat | integration_service_registry | - | |
| redhat | jboss_a-mq | 7 | |
| redhat | jboss_enterprise_application_platform_expansion_pack | - | |
| redhat | single_sign-on | 7.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:wildfly:*:*:*:*:*:*:*:*",
"matchCriteriaId": "426B1BCF-20D8-4793-AC27-D8547F86DB3B",
"versionEndExcluding": "27.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:amq:2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B6D3AF88-5812-4BB6-871F-C0EA39AD66AE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:amq_online:-:*:*:*:*:*:*:*",
"matchCriteriaId": "153BBB97-7890-4C7A-9EDD-92A426B06DEF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:integration_camel_k:-:*:*:*:*:*:*:*",
"matchCriteriaId": "B87C8AD3-8878-4546-86C2-BF411876648C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:integration_service_registry:-:*:*:*:*:*:*:*",
"matchCriteriaId": "EF03BDE8-602D-4DEE-BA5B-5B20FDF47741",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_a-mq:7:*:*:*:*:*:*:*",
"matchCriteriaId": "A58966CB-36AF-4E64-AB39-BE3A0753E155",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform_expansion_pack:-:*:*:*:*:*:*:*",
"matchCriteriaId": "0A24CBFB-4900-47A5-88D2-A44C929603DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9EFEC7CA-8DDA-48A6-A7B6-1F1D14792890",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in WildFly, where an attacker can see deployment names, endpoints, and any other data the trace payload may contain."
},
{
"lang": "es",
"value": "Se ha encontrado un fallo en WildFly, en el que un atacante puede visualizar los nombres de los despliegues, los endpoints y cualquier otro dato que pueda contener la carga \u00fatil de rastreo"
}
],
"id": "CVE-2022-1278",
"lastModified": "2024-11-21T06:40:23.890",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-09-13T14:15:08.620",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073401"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2073401"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1188"
}
],
"source": "secalert@redhat.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-1188"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-04-18 17:15
Modified
2024-11-21 06:21
Severity ?
Summary
A flaw was found in Wildfly where insufficient RBAC restrictions may lead to expose metrics data. The highest threat from this vulnerability is to the confidentiality.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| secalert@redhat.com | https://access.redhat.com/security/cve/CVE-2021-3503 | Vendor Advisory | |
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=1942693 | Issue Tracking, Vendor Advisory | |
| secalert@redhat.com | https://github.com/advisories/GHSA-c4r5-xvgw-2942 | Third Party Advisory | |
| secalert@redhat.com | https://github.com/wildfly/wildfly/pull/14136 | Patch, Third Party Advisory | |
| secalert@redhat.com | https://issues.redhat.com/browse/WFLY-11933 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/security/cve/CVE-2021-3503 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=1942693 | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/advisories/GHSA-c4r5-xvgw-2942 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/wildfly/wildfly/pull/14136 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://issues.redhat.com/browse/WFLY-11933 | Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:wildfly:*:*:*:*:*:*:*:*",
"matchCriteriaId": "67F0CF46-5F14-4EEB-8354-54375BFF1C54",
"versionEndExcluding": "23.0.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Wildfly where insufficient RBAC restrictions may lead to expose metrics data. The highest threat from this vulnerability is to the confidentiality."
},
{
"lang": "es",
"value": "Se ha encontrado un fallo en Wildfly en el que unas restricciones RBAC insuficientes pueden conllevar a una exposici\u00f3n de datos de m\u00e9tricas. La mayor amenaza de esta vulnerabilidad es la confidencialidad."
}
],
"id": "CVE-2021-3503",
"lastModified": "2024-11-21T06:21:41.967",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-04-18T17:15:15.320",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "https://access.redhat.com/security/cve/CVE-2021-3503"
},
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1942693"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/advisories/GHSA-c4r5-xvgw-2942"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/wildfly/wildfly/pull/14136"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "https://issues.redhat.com/browse/WFLY-11933"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://access.redhat.com/security/cve/CVE-2021-3503"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1942693"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/advisories/GHSA-c4r5-xvgw-2942"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/wildfly/wildfly/pull/14136"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://issues.redhat.com/browse/WFLY-11933"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "secalert@redhat.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-05-03 20:29
Modified
2024-11-21 04:42
Severity ?
Summary
A flaw was discovered in wildfly versions up to 16.0.0.Final that would allow local users who are able to execute init.d script to terminate arbitrary processes on the system. An attacker could exploit this by modifying the PID file in /var/run/jboss-eap/ allowing the init.d script to terminate any process as root.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| redhat | jboss_enterprise_application_platform | 6.0.0 | |
| redhat | jboss_enterprise_application_platform | 7.0.0 | |
| redhat | wildfly | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B142ACCC-F7A9-4A3B-BE60-0D6691D5058D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "72A54BDA-311C-413B-8E4D-388AD65A170A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:wildfly:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D6DA8B57-1E07-4020-ACBF-3FAED3B768A4",
"versionEndIncluding": "16.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A flaw was discovered in wildfly versions up to 16.0.0.Final that would allow local users who are able to execute init.d script to terminate arbitrary processes on the system. An attacker could exploit this by modifying the PID file in /var/run/jboss-eap/ allowing the init.d script to terminate any process as root."
},
{
"lang": "es",
"value": "Fue encontrado un fallo en las versiones de wildfly hasta la 16.0.0. Final que permitir\u00eda a los usuarios locales capaces de ejecutar el script init.d conllevar a procesos arbitrarios en el sistema. Un atacante podr\u00eda explotar esto modificando el archivo PID en /var/run/jboss-eap/ permitiendo que el script init.d termine cualquier proceso como root."
}
],
"id": "CVE-2019-3805",
"lastModified": "2024-11-21T04:42:34.620",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 4.7,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"version": "2.0"
},
"exploitabilityScore": 3.4,
"impactScore": 6.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6,
"source": "secalert@redhat.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.0,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-05-03T20:29:01.263",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1106"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1107"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1108"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1140"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:2413"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0727"
},
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3805"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20190517-0004/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1106"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1107"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1108"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1140"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2019:2413"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2020:0727"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3805"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20190517-0004/"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-364"
}
],
"source": "secalert@redhat.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-269"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
var-201905-0262
Vulnerability from variot
It was discovered that the ElytronManagedThread in Wildfly's Elytron subsystem in versions from 11 to 16 stores a SecurityIdentity to run the thread as. These threads do not necessarily terminate if the keep alive time has not expired. This could allow a shared thread to use the wrong security identity when executing. Wildfly Contains vulnerabilities related to authorization, permissions, and access control.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. RedHatWildfly is a JavaEE-based lightweight open source application server from RedHat. Elytronsubsystem is one of the security framework subsystems. Permissions and access control issues vulnerabilities exist in the ElytronManagedThread of the Elytron subsystem in the RedHatWildfly11 to 16 release. The vulnerability stems from the lack of effective permissions and access control measures for network systems or products.
The References section of this erratum contains a download link (you must log in to download the update).
The JBoss server process must be restarted for the update to take effect. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Important: Red Hat JBoss Enterprise Application Platform 7.2.1 on RHEL 7 security update Advisory ID: RHSA-2019:1108-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://access.redhat.com/errata/RHSA-2019:1108 Issue date: 2019-05-08 CVE Names: CVE-2018-11307 CVE-2018-12022 CVE-2018-12023 CVE-2018-14642 CVE-2018-14720 CVE-2018-14721 CVE-2019-3805 CVE-2019-3894 ==================================================================== 1. Summary:
An update is now available for Red Hat JBoss Enterprise Application Platform 7.2 for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat JBoss EAP 7.2 for RHEL 7 Server - noarch, x86_64
- Description:
Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on JBoss Application Server 7.
This release of Red Hat JBoss Enterprise Application Platform 7.2.1 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.2.0, and includes bug fixes and enhancements. Refer to the Red Hat JBoss Enterprise Application Platform 7.2.1 Release Notes for information on the most significant bug fixes and enhancements included in this release.
Security Fix(es):
-
jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis (CVE-2018-11307)
-
jackson-databind: improper polymorphic deserialization of types from Jodd-db library (CVE-2018-12022)
-
jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver (CVE-2018-12023)
-
undertow: Infoleak in some circumstances where Undertow can serve data from a random buffer (CVE-2018-14642)
-
jackson-databind: exfiltration/XXE in some JDK classes (CVE-2018-14720)
-
jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class (CVE-2018-14721)
-
wildfly: Race condition on PID file allows for termination of arbitrary processes by local users (CVE-2019-3805)
-
wildfly: wrong SecurityIdentity for EE concurrency threads that are reused (CVE-2019-3894)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
- Solution:
Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
- Bugs fixed (https://bugzilla.redhat.com/):
1628702 - CVE-2018-14642 undertow: Infoleak in some circumstances where Undertow can serve data from a random buffer 1660263 - CVE-2019-3805 wildfly: Race condition on PID file allows for termination of arbitrary processes by local users 1666423 - CVE-2018-14720 jackson-databind: exfiltration/XXE in some JDK classes 1666428 - CVE-2018-14721 jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class 1671096 - CVE-2018-12023 jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver 1671097 - CVE-2018-12022 jackson-databind: improper polymorphic deserialization of types from Jodd-db library 1677341 - CVE-2018-11307 jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis 1682108 - CVE-2019-3894 wildfly: wrong SecurityIdentity for EE concurrency threads that are reused
- JIRA issues fixed (https://issues.jboss.org/):
JBEAP-14861 - GSS Upgrade JBeret from 1.3.1.Final to 1.3.2.Final JBEAP-15392 - (7.2.z) Upgrade Apache CXF from 3.2.5 to 3.2.7 JBEAP-15477 - (7.2.z) Upgrade PicketLink bindings from 2.5.5.SP12-redhat-2 to 2.5.5.SP12-redhat-4 JBEAP-15478 - (7.2.z) Upgrade PicketLink from 2.5.5.SP12-redhat-2 to 2.5.5.SP12-redhat-4 JBEAP-15568 - GSS Upgrade ironjacamar from 1.4.11 Final to 1.4.15 Final JBEAP-15617 - (7.2.z) Upgrade WildFly Core from 6.0.11 to 6.0.12 JBEAP-15622 - GSS Upgrade jboss-el-api_spec from 1.0.12.Final to 1.0.13.Final JBEAP-15748 - GSS Upgrade jastow from 2.0.6.Final-redhat-00001 to 2.0.7.Final-redhat-00001 JBEAP-15805 - (7.2.z) Upgrade Hibernate ORM from 5.3.7 to 5.3.8 JBEAP-15851 - [ENG] (7.2.z) Upgrade Infinispan from 9.3.3.Final to 9.3.6.Final JBEAP-15869 - (7.2.z) Upgrade Undertow from 2.0.15 to 2.0.19 JBEAP-15876 - (7.2.z) Upgrade Artemis from 2.6.3.redhat-00014 to 2.6.3.redhat-00020 JBEAP-16025 - Upgrade yasson from 1.0.1 to 1.0.2 JBEAP-16037 - GSS Upgrade Narayana from 5.9.0.Final to 5.9.1.Final JBEAP-16086 - (7.2.z) Upgrade WildFly HTTP client from 1.0.12.Final to 1.0.13.Final JBEAP-16090 - GSS Upgrade jboss-ejb-client from 4.0.12 to 4.0.15 JBEAP-16091 - GSS Upgrade wildfly-transaction-client from 1.1.2.Final-redhat-1 to 1.1.3.Final-redhat-1 JBEAP-16112 - (7.2.z) Upgrade FasterXML Jackson from 2.9.5.redhat-2 to 2.9.8 JBEAP-16122 - [Runtimes] (7.2.z) Upgrade istack from 3.0.5.redhat-1 to 3.0.7.redhat-00001 JBEAP-16123 - [Runtimes] (7.2.x) Upgrade commons-digester from 1.8 to 1.8.1.redhat-4 JBEAP-16124 - [Runtimes] (7.2.x) Upgrade hornetq from 2.4.7.redhat-1 to 2.4.7.redhat-2 JBEAP-16125 - [Runtimes] (7.2.x) Upgrade org.jboss.genericjms from 2.0.1.Final-redhat-1 to 2.0.1.Final-redhat-00002 JBEAP-16137 - (7.2.z) (WFCORE) Upgrade FasterXML Jackson from 2.9.2 to 2.9.8 JBEAP-16146 - (7.2.z) Upgrade Elytron from 1.6.1.Final to 1.6.2.Final JBEAP-16147 - (7.2.z) Upgrade Elytron-Tool from 1.4.0 to 1.4.1.Final JBEAP-16234 - Tracker bug for the EAP 7.2.1 release for RHEL-7 JBEAP-16259 - (7.2.z) Upgrade legacy EJB Client from 3.0.2.Final-redhat-1 to 3.0.3.Final-redhat-1 JBEAP-16276 - (7.2.z) Upgrade elytron-web from 1.2.3.Final to 1.2.4.Final JBEAP-16321 - (7.2.z) HHH-13099 HHH-13283 Upgrade ByteBuddy from 1.8.17 to 1.9.5 JBEAP-16347 - (7.2.z) Upgrade jboss-logmanager from 2.1.5.Final-redhat-00001 to 2.1.7.Final JBEAP-16356 - (7.2.z) Upgrade RESTEasy from 3.6.1.SP2 to 3.6.1.SP3 JBEAP-16367 - (7.2.z) Upgrade commons-lang3 from 3.6.0-redhat-1 to 3.8-redhat-00001 JBEAP-16368 - (7.2.z) Upgrade cxf-xjc from 3.2.2.redhat-00001 to 3.2.3.redhat-00002 JBEAP-16369 - (7.2.z) Upgrade httpasyncclient from 4.1.3.redhat-2 to 4.1.4.redhat-00001 JBEAP-16381 - (7.2.z) Upgrade jboss-remoting-jmx from 3.0.0.Final to 3.0.1.Final JBEAP-16418 - (7.2.z) Upgrade Hibernate ORM from 5.3.8 to 5.3.9 JBEAP-9657 - (7.2.z) Upgrade jboss-negotiation from 3.0.4 to 3.0.5.Final-redhat-00001
- Package List:
Red Hat JBoss EAP 7.2 for RHEL 7 Server:
Source: eap7-activemq-artemis-2.6.3-5.redhat_00020.1.el7eap.src.rpm eap7-apache-commons-lang-3.8.0-1.redhat_00001.1.el7eap.src.rpm eap7-apache-cxf-3.2.7-1.redhat_00001.1.el7eap.src.rpm eap7-apache-cxf-xjc-utils-3.2.3-2.redhat_00002.1.el7eap.src.rpm eap7-artemis-native-2.6.3-15.redhat_00020.el7eap.src.rpm eap7-byte-buddy-1.9.5-1.redhat_00001.1.el7eap.src.rpm eap7-dom4j-2.1.1-2.redhat_00001.1.el7eap.src.rpm eap7-elytron-web-1.2.4-1.Final_redhat_00001.1.el7eap.src.rpm eap7-hibernate-5.3.9-2.Final_redhat_00002.1.el7eap.src.rpm eap7-httpcomponents-asyncclient-4.1.4-1.redhat_00001.1.el7eap.src.rpm eap7-infinispan-9.3.6-1.Final_redhat_00001.1.el7eap.src.rpm eap7-ironjacamar-1.4.15-1.Final_redhat_00001.1.el7eap.src.rpm eap7-jackson-annotations-2.9.8-2.redhat_00004.1.el7eap.src.rpm eap7-jackson-core-2.9.8-2.redhat_00004.1.el7eap.src.rpm eap7-jackson-databind-2.9.8-2.redhat_00004.1.el7eap.src.rpm eap7-jackson-jaxrs-providers-2.9.8-2.redhat_00004.1.el7eap.src.rpm eap7-jackson-modules-base-2.9.8-1.redhat_00004.1.el7eap.src.rpm eap7-jackson-modules-java8-2.9.8-1.redhat_00004.1.el7eap.src.rpm eap7-jberet-1.3.2-1.Final_redhat_00001.1.el7eap.src.rpm eap7-jboss-ejb-client-4.0.15-1.Final_redhat_00001.1.el7eap.src.rpm eap7-jboss-el-api_3.0_spec-1.0.13-2.Final_redhat_00001.1.el7eap.src.rpm eap7-jboss-genericjms-2.0.1-2.Final_redhat_00002.1.el7eap.src.rpm eap7-jboss-logmanager-2.1.7-3.Final_redhat_00001.1.el7eap.src.rpm eap7-jboss-remoting-jmx-3.0.1-1.Final_redhat_00001.1.el7eap.src.rpm eap7-jboss-security-negotiation-3.0.5-2.Final_redhat_00001.1.el7eap.src.rpm eap7-jboss-server-migration-1.3.0-7.Final_redhat_00004.1.el7eap.src.rpm eap7-narayana-5.9.1-1.Final_redhat_00001.1.el7eap.src.rpm eap7-picketlink-bindings-2.5.5-16.SP12_redhat_4.1.el7eap.src.rpm eap7-picketlink-federation-2.5.5-16.SP12_redhat_4.1.el7eap.src.rpm eap7-resteasy-3.6.1-4.SP3_redhat_00001.1.el7eap.src.rpm eap7-sun-istack-commons-3.0.7-2.redhat_00001.1.el7eap.src.rpm eap7-undertow-2.0.19-1.Final_redhat_00001.1.el7eap.src.rpm eap7-undertow-jastow-2.0.7-2.Final_redhat_00001.1.el7eap.src.rpm eap7-wildfly-7.2.1-6.GA_redhat_00004.1.el7eap.src.rpm eap7-wildfly-elytron-1.6.2-1.Final_redhat_00001.1.el7eap.src.rpm eap7-wildfly-elytron-tool-1.4.1-1.Final_redhat_00001.1.el7eap.src.rpm eap7-wildfly-http-client-1.0.13-1.Final_redhat_00001.1.el7eap.src.rpm eap7-wildfly-transaction-client-1.1.3-1.Final_redhat_00001.1.el7eap.src.rpm eap7-yasson-1.0.2-1.redhat_00001.1.el7eap.src.rpm
noarch: eap7-activemq-artemis-2.6.3-5.redhat_00020.1.el7eap.noarch.rpm eap7-activemq-artemis-cli-2.6.3-5.redhat_00020.1.el7eap.noarch.rpm eap7-activemq-artemis-commons-2.6.3-5.redhat_00020.1.el7eap.noarch.rpm eap7-activemq-artemis-core-client-2.6.3-5.redhat_00020.1.el7eap.noarch.rpm eap7-activemq-artemis-dto-2.6.3-5.redhat_00020.1.el7eap.noarch.rpm eap7-activemq-artemis-hornetq-protocol-2.6.3-5.redhat_00020.1.el7eap.noarch.rpm eap7-activemq-artemis-hqclient-protocol-2.6.3-5.redhat_00020.1.el7eap.noarch.rpm eap7-activemq-artemis-jdbc-store-2.6.3-5.redhat_00020.1.el7eap.noarch.rpm eap7-activemq-artemis-jms-client-2.6.3-5.redhat_00020.1.el7eap.noarch.rpm eap7-activemq-artemis-jms-server-2.6.3-5.redhat_00020.1.el7eap.noarch.rpm eap7-activemq-artemis-journal-2.6.3-5.redhat_00020.1.el7eap.noarch.rpm eap7-activemq-artemis-native-2.6.3-5.redhat_00020.1.el7eap.noarch.rpm eap7-activemq-artemis-ra-2.6.3-5.redhat_00020.1.el7eap.noarch.rpm eap7-activemq-artemis-selector-2.6.3-5.redhat_00020.1.el7eap.noarch.rpm eap7-activemq-artemis-server-2.6.3-5.redhat_00020.1.el7eap.noarch.rpm eap7-activemq-artemis-service-extensions-2.6.3-5.redhat_00020.1.el7eap.noarch.rpm eap7-activemq-artemis-tools-2.6.3-5.redhat_00020.1.el7eap.noarch.rpm eap7-apache-commons-lang-3.8.0-1.redhat_00001.1.el7eap.noarch.rpm eap7-apache-cxf-3.2.7-1.redhat_00001.1.el7eap.noarch.rpm eap7-apache-cxf-rt-3.2.7-1.redhat_00001.1.el7eap.noarch.rpm eap7-apache-cxf-services-3.2.7-1.redhat_00001.1.el7eap.noarch.rpm eap7-apache-cxf-tools-3.2.7-1.redhat_00001.1.el7eap.noarch.rpm eap7-apache-cxf-xjc-utils-3.2.3-2.redhat_00002.1.el7eap.noarch.rpm eap7-byte-buddy-1.9.5-1.redhat_00001.1.el7eap.noarch.rpm eap7-cxf-xjc-boolean-3.2.3-2.redhat_00002.1.el7eap.noarch.rpm eap7-cxf-xjc-bug986-3.2.3-2.redhat_00002.1.el7eap.noarch.rpm eap7-cxf-xjc-dv-3.2.3-2.redhat_00002.1.el7eap.noarch.rpm eap7-cxf-xjc-runtime-3.2.3-2.redhat_00002.1.el7eap.noarch.rpm eap7-cxf-xjc-ts-3.2.3-2.redhat_00002.1.el7eap.noarch.rpm eap7-dom4j-2.1.1-2.redhat_00001.1.el7eap.noarch.rpm eap7-hibernate-5.3.9-2.Final_redhat_00002.1.el7eap.noarch.rpm eap7-hibernate-core-5.3.9-2.Final_redhat_00002.1.el7eap.noarch.rpm eap7-hibernate-entitymanager-5.3.9-2.Final_redhat_00002.1.el7eap.noarch.rpm eap7-hibernate-envers-5.3.9-2.Final_redhat_00002.1.el7eap.noarch.rpm eap7-hibernate-java8-5.3.9-2.Final_redhat_00002.1.el7eap.noarch.rpm eap7-httpcomponents-asyncclient-4.1.4-1.redhat_00001.1.el7eap.noarch.rpm eap7-infinispan-9.3.6-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-infinispan-cachestore-jdbc-9.3.6-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-infinispan-cachestore-remote-9.3.6-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-infinispan-client-hotrod-9.3.6-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-infinispan-commons-9.3.6-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-infinispan-core-9.3.6-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-infinispan-hibernate-cache-commons-9.3.6-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-infinispan-hibernate-cache-spi-9.3.6-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-infinispan-hibernate-cache-v53-9.3.6-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-ironjacamar-1.4.15-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-ironjacamar-common-api-1.4.15-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-ironjacamar-common-impl-1.4.15-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-ironjacamar-common-spi-1.4.15-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-ironjacamar-core-api-1.4.15-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-ironjacamar-core-impl-1.4.15-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-ironjacamar-deployers-common-1.4.15-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-ironjacamar-jdbc-1.4.15-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-ironjacamar-validator-1.4.15-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-istack-commons-runtime-3.0.7-2.redhat_00001.1.el7eap.noarch.rpm eap7-istack-commons-tools-3.0.7-2.redhat_00001.1.el7eap.noarch.rpm eap7-jackson-annotations-2.9.8-2.redhat_00004.1.el7eap.noarch.rpm eap7-jackson-core-2.9.8-2.redhat_00004.1.el7eap.noarch.rpm eap7-jackson-databind-2.9.8-2.redhat_00004.1.el7eap.noarch.rpm eap7-jackson-datatype-jdk8-2.9.8-1.redhat_00004.1.el7eap.noarch.rpm eap7-jackson-datatype-jsr310-2.9.8-1.redhat_00004.1.el7eap.noarch.rpm eap7-jackson-jaxrs-base-2.9.8-2.redhat_00004.1.el7eap.noarch.rpm eap7-jackson-jaxrs-json-provider-2.9.8-2.redhat_00004.1.el7eap.noarch.rpm eap7-jackson-module-jaxb-annotations-2.9.8-1.redhat_00004.1.el7eap.noarch.rpm eap7-jackson-modules-base-2.9.8-1.redhat_00004.1.el7eap.noarch.rpm eap7-jackson-modules-java8-2.9.8-1.redhat_00004.1.el7eap.noarch.rpm eap7-jberet-1.3.2-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-jberet-core-1.3.2-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-jboss-ejb-client-4.0.15-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-jboss-el-api_3.0_spec-1.0.13-2.Final_redhat_00001.1.el7eap.noarch.rpm eap7-jboss-genericjms-2.0.1-2.Final_redhat_00002.1.el7eap.noarch.rpm eap7-jboss-logmanager-2.1.7-3.Final_redhat_00001.1.el7eap.noarch.rpm eap7-jboss-remoting-jmx-3.0.1-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-jboss-security-negotiation-3.0.5-2.Final_redhat_00001.1.el7eap.noarch.rpm eap7-jboss-server-migration-1.3.0-7.Final_redhat_00004.1.el7eap.noarch.rpm eap7-jboss-server-migration-cli-1.3.0-7.Final_redhat_00004.1.el7eap.noarch.rpm eap7-jboss-server-migration-core-1.3.0-7.Final_redhat_00004.1.el7eap.noarch.rpm eap7-jboss-server-migration-eap6.4-1.3.0-7.Final_redhat_00004.1.el7eap.noarch.rpm eap7-jboss-server-migration-eap6.4-to-eap7.2-1.3.0-7.Final_redhat_00004.1.el7eap.noarch.rpm eap7-jboss-server-migration-eap7.0-1.3.0-7.Final_redhat_00004.1.el7eap.noarch.rpm eap7-jboss-server-migration-eap7.0-to-eap7.2-1.3.0-7.Final_redhat_00004.1.el7eap.noarch.rpm eap7-jboss-server-migration-eap7.1-1.3.0-7.Final_redhat_00004.1.el7eap.noarch.rpm eap7-jboss-server-migration-eap7.1-to-eap7.2-1.3.0-7.Final_redhat_00004.1.el7eap.noarch.rpm eap7-jboss-server-migration-eap7.2-1.3.0-7.Final_redhat_00004.1.el7eap.noarch.rpm eap7-jboss-server-migration-wildfly10.0-1.3.0-7.Final_redhat_00004.1.el7eap.noarch.rpm eap7-jboss-server-migration-wildfly10.0-to-eap7.2-1.3.0-7.Final_redhat_00004.1.el7eap.noarch.rpm eap7-jboss-server-migration-wildfly10.1-1.3.0-7.Final_redhat_00004.1.el7eap.noarch.rpm eap7-jboss-server-migration-wildfly10.1-to-eap7.2-1.3.0-7.Final_redhat_00004.1.el7eap.noarch.rpm eap7-jboss-server-migration-wildfly11.0-1.3.0-7.Final_redhat_00004.1.el7eap.noarch.rpm eap7-jboss-server-migration-wildfly11.0-to-eap7.2-1.3.0-7.Final_redhat_00004.1.el7eap.noarch.rpm eap7-jboss-server-migration-wildfly12.0-1.3.0-7.Final_redhat_00004.1.el7eap.noarch.rpm eap7-jboss-server-migration-wildfly12.0-to-eap7.2-1.3.0-7.Final_redhat_00004.1.el7eap.noarch.rpm eap7-jboss-server-migration-wildfly13.0-server-1.3.0-7.Final_redhat_00004.1.el7eap.noarch.rpm eap7-jboss-server-migration-wildfly8.2-1.3.0-7.Final_redhat_00004.1.el7eap.noarch.rpm eap7-jboss-server-migration-wildfly8.2-to-eap7.2-1.3.0-7.Final_redhat_00004.1.el7eap.noarch.rpm eap7-jboss-server-migration-wildfly9.0-1.3.0-7.Final_redhat_00004.1.el7eap.noarch.rpm eap7-jboss-server-migration-wildfly9.0-to-eap7.2-1.3.0-7.Final_redhat_00004.1.el7eap.noarch.rpm eap7-narayana-5.9.1-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-narayana-compensations-5.9.1-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-narayana-jbosstxbridge-5.9.1-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-narayana-jbossxts-5.9.1-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-narayana-jts-idlj-5.9.1-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-narayana-jts-integration-5.9.1-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-narayana-restat-api-5.9.1-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-narayana-restat-bridge-5.9.1-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-narayana-restat-integration-5.9.1-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-narayana-restat-util-5.9.1-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-narayana-txframework-5.9.1-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-picketlink-api-2.5.5-16.SP12_redhat_4.1.el7eap.noarch.rpm eap7-picketlink-bindings-2.5.5-16.SP12_redhat_4.1.el7eap.noarch.rpm eap7-picketlink-common-2.5.5-16.SP12_redhat_4.1.el7eap.noarch.rpm eap7-picketlink-config-2.5.5-16.SP12_redhat_4.1.el7eap.noarch.rpm eap7-picketlink-federation-2.5.5-16.SP12_redhat_4.1.el7eap.noarch.rpm eap7-picketlink-idm-api-2.5.5-16.SP12_redhat_4.1.el7eap.noarch.rpm eap7-picketlink-idm-impl-2.5.5-16.SP12_redhat_4.1.el7eap.noarch.rpm eap7-picketlink-idm-simple-schema-2.5.5-16.SP12_redhat_4.1.el7eap.noarch.rpm eap7-picketlink-impl-2.5.5-16.SP12_redhat_4.1.el7eap.noarch.rpm eap7-picketlink-wildfly8-2.5.5-16.SP12_redhat_4.1.el7eap.noarch.rpm eap7-resteasy-3.6.1-4.SP3_redhat_00001.1.el7eap.noarch.rpm eap7-resteasy-atom-provider-3.6.1-4.SP3_redhat_00001.1.el7eap.noarch.rpm eap7-resteasy-cdi-3.6.1-4.SP3_redhat_00001.1.el7eap.noarch.rpm eap7-resteasy-client-3.6.1-4.SP3_redhat_00001.1.el7eap.noarch.rpm eap7-resteasy-client-microprofile-3.6.1-4.SP3_redhat_00001.1.el7eap.noarch.rpm eap7-resteasy-crypto-3.6.1-4.SP3_redhat_00001.1.el7eap.noarch.rpm eap7-resteasy-jackson-provider-3.6.1-4.SP3_redhat_00001.1.el7eap.noarch.rpm eap7-resteasy-jackson2-provider-3.6.1-4.SP3_redhat_00001.1.el7eap.noarch.rpm eap7-resteasy-jaxb-provider-3.6.1-4.SP3_redhat_00001.1.el7eap.noarch.rpm eap7-resteasy-jaxrs-3.6.1-4.SP3_redhat_00001.1.el7eap.noarch.rpm eap7-resteasy-jettison-provider-3.6.1-4.SP3_redhat_00001.1.el7eap.noarch.rpm eap7-resteasy-jose-jwt-3.6.1-4.SP3_redhat_00001.1.el7eap.noarch.rpm eap7-resteasy-jsapi-3.6.1-4.SP3_redhat_00001.1.el7eap.noarch.rpm eap7-resteasy-json-binding-provider-3.6.1-4.SP3_redhat_00001.1.el7eap.noarch.rpm eap7-resteasy-json-p-provider-3.6.1-4.SP3_redhat_00001.1.el7eap.noarch.rpm eap7-resteasy-multipart-provider-3.6.1-4.SP3_redhat_00001.1.el7eap.noarch.rpm eap7-resteasy-rxjava2-3.6.1-4.SP3_redhat_00001.1.el7eap.noarch.rpm eap7-resteasy-spring-3.6.1-4.SP3_redhat_00001.1.el7eap.noarch.rpm eap7-resteasy-validator-provider-11-3.6.1-4.SP3_redhat_00001.1.el7eap.noarch.rpm eap7-resteasy-yaml-provider-3.6.1-4.SP3_redhat_00001.1.el7eap.noarch.rpm eap7-sun-istack-commons-3.0.7-2.redhat_00001.1.el7eap.noarch.rpm eap7-undertow-2.0.19-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-undertow-jastow-2.0.7-2.Final_redhat_00001.1.el7eap.noarch.rpm eap7-undertow-server-1.2.4-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-7.2.1-6.GA_redhat_00004.1.el7eap.noarch.rpm eap7-wildfly-elytron-1.6.2-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-elytron-tool-1.4.1-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-http-client-common-1.0.13-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-http-ejb-client-1.0.13-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-http-naming-client-1.0.13-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-http-transaction-client-1.0.13-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-wildfly-java-jdk11-7.2.1-6.GA_redhat_00004.1.el7eap.noarch.rpm eap7-wildfly-java-jdk8-7.2.1-6.GA_redhat_00004.1.el7eap.noarch.rpm eap7-wildfly-javadocs-7.2.1-6.GA_redhat_00004.1.el7eap.noarch.rpm eap7-wildfly-modules-7.2.1-6.GA_redhat_00004.1.el7eap.noarch.rpm eap7-wildfly-transaction-client-1.1.3-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-yasson-1.0.2-1.redhat_00001.1.el7eap.noarch.rpm
x86_64: eap7-artemis-native-2.6.3-15.redhat_00020.el7eap.x86_64.rpm eap7-artemis-native-wildfly-2.6.3-15.redhat_00020.el7eap.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2018-11307 https://access.redhat.com/security/cve/CVE-2018-12022 https://access.redhat.com/security/cve/CVE-2018-12023 https://access.redhat.com/security/cve/CVE-2018-14642 https://access.redhat.com/security/cve/CVE-2018-14720 https://access.redhat.com/security/cve/CVE-2018-14721 https://access.redhat.com/security/cve/CVE-2019-3805 https://access.redhat.com/security/cve/CVE-2019-3894 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/ https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/html-single/installation_guide/
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2019 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIVAwUBXNLIE9zjgjWX9erEAQglKw/+JyHe4joco43PeWiW+gtOUi1LmK+vvmA/ gkH43MSvriK9Skka+B0ZkTDUvIOe12f4be3IOpN3utcEcDHa/FgvsGZDnSSEsqRl 4W0cPWOFpeGw1NxgeP/wyHl/ccuwmFgXyxOstqx3T93HsVLBteQfjDM/TNbRATPu ESGwZbdJFWaGHTrYzK2U1z7kvWeG81Qc+nTzD52HT8Gl2Ru8Joy7cYhH2h42vLra PMOM5R7EWKINRFlIwPAO4rtvkZh+NfpViMvxcVxoObRue4FuAnoToZiyo50daPQI 0GSvYcPlUB6eVttOmQuq63j4pypm+p7uEf4gFkOc0n38RaiiRx7TLdAoRwjg/oL+ 9gKnDg1uXOy0UOLiQbYSQXTQiN/5fo5cpGJ2y0VCI/bWcULq4owLrwzGbcRS2kN1 RB94DglvRUcqbIcC3FIDKA6pUEAqyNL8j4moQfjvmxDHtdkFbWdMVyCPsVnqeRpi bXpTDQhsrdIEM6Hvmc16Zoli2vurhhwTOSEh5eBOP6H29UOduZRUA5Bi7QazgdOj B+NLXH2088Xy+bTvu9xv5iFBQ47Kp/EEvFr+xqU9sVzggIXpyLgn5G03/GOAKkJ7 DHVygbhSYgeopJnFD1vD1Xz5cQHwoFwao00DXti3rUi9FbcQR0H/UQSmNq/OujOk Jr14u9JZfcw=EHUv -----END PGP SIGNATURE-----
-- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201905-0262",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "wildfly",
"scope": "gte",
"trust": 1.0,
"vendor": "redhat",
"version": "11.0.0"
},
{
"model": "jboss enterprise application platform",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.0.0"
},
{
"model": "wildfly",
"scope": "lte",
"trust": 1.0,
"vendor": "redhat",
"version": "16.0.0"
},
{
"model": "jboss enterprise application platform",
"scope": null,
"trust": 0.8,
"vendor": "red hat",
"version": null
},
{
"model": "wildfly",
"scope": "eq",
"trust": 0.8,
"vendor": "red hat",
"version": "11 to 16"
},
{
"model": "hat wildfly",
"scope": "gte",
"trust": 0.6,
"vendor": "red",
"version": "11\u003c=16"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-14824"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-004452"
},
{
"db": "NVD",
"id": "CVE-2019-3894"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:redhat:wildfly:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "16.0.0",
"versionStartIncluding": "11.0.0",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2019-3894"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Red Hat",
"sources": [
{
"db": "PACKETSTORM",
"id": "152764"
},
{
"db": "PACKETSTORM",
"id": "152765"
},
{
"db": "PACKETSTORM",
"id": "152766"
},
{
"db": "PACKETSTORM",
"id": "152779"
},
{
"db": "CNNVD",
"id": "CNNVD-201905-108"
}
],
"trust": 1.0
},
"cve": "CVE-2019-3894",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "NVD",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "Single",
"author": "NVD",
"availabilityImpact": "Partial",
"baseScore": 6.5,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "CVE-2019-3894",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "CNVD",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.0,
"id": "CNVD-2019-14824",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "secalert@redhat.com",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 8.8,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2019-3894",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "Low",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2019-3894",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "secalert@redhat.com",
"id": "CVE-2019-3894",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "CNVD",
"id": "CNVD-2019-14824",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201905-108",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULMON",
"id": "CVE-2019-3894",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-14824"
},
{
"db": "VULMON",
"id": "CVE-2019-3894"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-004452"
},
{
"db": "NVD",
"id": "CVE-2019-3894"
},
{
"db": "NVD",
"id": "CVE-2019-3894"
},
{
"db": "CNNVD",
"id": "CNNVD-201905-108"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "It was discovered that the ElytronManagedThread in Wildfly\u0027s Elytron subsystem in versions from 11 to 16 stores a SecurityIdentity to run the thread as. These threads do not necessarily terminate if the keep alive time has not expired. This could allow a shared thread to use the wrong security identity when executing. Wildfly Contains vulnerabilities related to authorization, permissions, and access control.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. RedHatWildfly is a JavaEE-based lightweight open source application server from RedHat. Elytronsubsystem is one of the security framework subsystems. Permissions and access control issues vulnerabilities exist in the ElytronManagedThread of the Elytron subsystem in the RedHatWildfly11 to 16 release. The vulnerability stems from the lack of effective permissions and access control measures for network systems or products. \n\nThe References section of this erratum contains a download link (you must\nlog in to download the update). \n\nThe JBoss server process must be restarted for the update to take effect. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n==================================================================== \nRed Hat Security Advisory\n\nSynopsis: Important: Red Hat JBoss Enterprise Application Platform 7.2.1 on RHEL 7 security update\nAdvisory ID: RHSA-2019:1108-01\nProduct: Red Hat JBoss Enterprise Application Platform\nAdvisory URL: https://access.redhat.com/errata/RHSA-2019:1108\nIssue date: 2019-05-08\nCVE Names: CVE-2018-11307 CVE-2018-12022 CVE-2018-12023\n CVE-2018-14642 CVE-2018-14720 CVE-2018-14721\n CVE-2019-3805 CVE-2019-3894\n====================================================================\n1. Summary:\n\nAn update is now available for Red Hat JBoss Enterprise Application\nPlatform 7.2 for Red Hat Enterprise Linux 7. \n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE link(s) in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat JBoss EAP 7.2 for RHEL 7 Server - noarch, x86_64\n\n3. Description:\n\nRed Hat JBoss Enterprise Application Platform 7 is a platform for Java\napplications based on JBoss Application Server 7. \n\nThis release of Red Hat JBoss Enterprise Application Platform 7.2.1 serves\nas a replacement for Red Hat JBoss Enterprise Application Platform 7.2.0,\nand includes bug fixes and enhancements. Refer to the Red Hat JBoss\nEnterprise Application Platform 7.2.1 Release Notes for information on the\nmost significant bug fixes and enhancements included in this release. \n\nSecurity Fix(es):\n\n* jackson-databind: Potential information exfiltration with default typing,\nserialization gadget from MyBatis (CVE-2018-11307)\n\n* jackson-databind: improper polymorphic deserialization of types from\nJodd-db library (CVE-2018-12022)\n\n* jackson-databind: improper polymorphic deserialization of types from\nOracle JDBC driver (CVE-2018-12023)\n\n* undertow: Infoleak in some circumstances where Undertow can serve data\nfrom a random buffer (CVE-2018-14642)\n\n* jackson-databind: exfiltration/XXE in some JDK classes (CVE-2018-14720)\n\n* jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class\n(CVE-2018-14721)\n\n* wildfly: Race condition on PID file allows for termination of arbitrary\nprocesses by local users (CVE-2019-3805)\n\n* wildfly: wrong SecurityIdentity for EE concurrency threads that are\nreused (CVE-2019-3894)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, and other related information, refer to the CVE page(s) listed in\nthe References section. \n\n4. Solution:\n\nBefore applying this update, back up your existing Red Hat JBoss Enterprise\nApplication Platform installation and deployed applications. \n\nFor details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\n5. Bugs fixed (https://bugzilla.redhat.com/):\n\n1628702 - CVE-2018-14642 undertow: Infoleak in some circumstances where Undertow can serve data from a random buffer\n1660263 - CVE-2019-3805 wildfly: Race condition on PID file allows for termination of arbitrary processes by local users\n1666423 - CVE-2018-14720 jackson-databind: exfiltration/XXE in some JDK classes\n1666428 - CVE-2018-14721 jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class\n1671096 - CVE-2018-12023 jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver\n1671097 - CVE-2018-12022 jackson-databind: improper polymorphic deserialization of types from Jodd-db library\n1677341 - CVE-2018-11307 jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis\n1682108 - CVE-2019-3894 wildfly: wrong SecurityIdentity for EE concurrency threads that are reused\n\n6. JIRA issues fixed (https://issues.jboss.org/):\n\nJBEAP-14861 - [GSS](7.2.z) Upgrade JBeret from 1.3.1.Final to 1.3.2.Final\nJBEAP-15392 - (7.2.z) Upgrade Apache CXF from 3.2.5 to 3.2.7\nJBEAP-15477 - (7.2.z) Upgrade PicketLink bindings from 2.5.5.SP12-redhat-2 to 2.5.5.SP12-redhat-4\nJBEAP-15478 - (7.2.z) Upgrade PicketLink from 2.5.5.SP12-redhat-2 to 2.5.5.SP12-redhat-4\nJBEAP-15568 - [GSS](7.2.z) Upgrade ironjacamar from 1.4.11 Final to 1.4.15 Final\nJBEAP-15617 - (7.2.z) Upgrade WildFly Core from 6.0.11 to 6.0.12\nJBEAP-15622 - [GSS](7.2.z) Upgrade jboss-el-api_spec from 1.0.12.Final to 1.0.13.Final\nJBEAP-15748 - [GSS](7.2.z) Upgrade jastow from 2.0.6.Final-redhat-00001 to 2.0.7.Final-redhat-00001\nJBEAP-15805 - (7.2.z) Upgrade Hibernate ORM from 5.3.7 to 5.3.8\nJBEAP-15851 - [ENG] (7.2.z) Upgrade Infinispan from 9.3.3.Final to 9.3.6.Final\nJBEAP-15869 - (7.2.z) Upgrade Undertow from 2.0.15 to 2.0.19\nJBEAP-15876 - (7.2.z) Upgrade Artemis from 2.6.3.redhat-00014 to 2.6.3.redhat-00020\nJBEAP-16025 - Upgrade yasson from 1.0.1 to 1.0.2\nJBEAP-16037 - [GSS](7.2.z) Upgrade Narayana from 5.9.0.Final to 5.9.1.Final\nJBEAP-16086 - (7.2.z) Upgrade WildFly HTTP client from 1.0.12.Final to 1.0.13.Final\nJBEAP-16090 - [GSS](7.2.z) Upgrade jboss-ejb-client from 4.0.12 to 4.0.15\nJBEAP-16091 - [GSS](7.2.z) Upgrade wildfly-transaction-client from 1.1.2.Final-redhat-1 to 1.1.3.Final-redhat-1\nJBEAP-16112 - (7.2.z) Upgrade FasterXML Jackson from 2.9.5.redhat-2 to 2.9.8\nJBEAP-16122 - [Runtimes] (7.2.z) Upgrade istack from 3.0.5.redhat-1 to 3.0.7.redhat-00001\nJBEAP-16123 - [Runtimes] (7.2.x) Upgrade commons-digester from 1.8 to 1.8.1.redhat-4\nJBEAP-16124 - [Runtimes] (7.2.x) Upgrade hornetq from 2.4.7.redhat-1 to 2.4.7.redhat-2\nJBEAP-16125 - [Runtimes] (7.2.x) Upgrade org.jboss.genericjms from 2.0.1.Final-redhat-1 to 2.0.1.Final-redhat-00002\nJBEAP-16137 - (7.2.z) (WFCORE) Upgrade FasterXML Jackson from 2.9.2 to 2.9.8\nJBEAP-16146 - (7.2.z) Upgrade Elytron from 1.6.1.Final to 1.6.2.Final\nJBEAP-16147 - (7.2.z) Upgrade Elytron-Tool from 1.4.0 to 1.4.1.Final\nJBEAP-16234 - Tracker bug for the EAP 7.2.1 release for RHEL-7\nJBEAP-16259 - (7.2.z) Upgrade legacy EJB Client from 3.0.2.Final-redhat-1 to 3.0.3.Final-redhat-1\nJBEAP-16276 - (7.2.z) Upgrade elytron-web from 1.2.3.Final to 1.2.4.Final\nJBEAP-16321 - (7.2.z) HHH-13099 HHH-13283 Upgrade ByteBuddy from 1.8.17 to 1.9.5\nJBEAP-16347 - (7.2.z) Upgrade jboss-logmanager from 2.1.5.Final-redhat-00001 to 2.1.7.Final\nJBEAP-16356 - (7.2.z) Upgrade RESTEasy from 3.6.1.SP2 to 3.6.1.SP3\nJBEAP-16367 - (7.2.z) Upgrade commons-lang3 from 3.6.0-redhat-1 to 3.8-redhat-00001\nJBEAP-16368 - (7.2.z) Upgrade cxf-xjc from 3.2.2.redhat-00001 to 3.2.3.redhat-00002\nJBEAP-16369 - (7.2.z) Upgrade httpasyncclient from 4.1.3.redhat-2 to 4.1.4.redhat-00001\nJBEAP-16381 - (7.2.z) Upgrade jboss-remoting-jmx from 3.0.0.Final to 3.0.1.Final\nJBEAP-16418 - (7.2.z) Upgrade Hibernate ORM from 5.3.8 to 5.3.9\nJBEAP-9657 - (7.2.z) Upgrade jboss-negotiation from 3.0.4 to 3.0.5.Final-redhat-00001\n\n7. Package List:\n\nRed Hat JBoss EAP 7.2 for RHEL 7 Server:\n\nSource:\neap7-activemq-artemis-2.6.3-5.redhat_00020.1.el7eap.src.rpm\neap7-apache-commons-lang-3.8.0-1.redhat_00001.1.el7eap.src.rpm\neap7-apache-cxf-3.2.7-1.redhat_00001.1.el7eap.src.rpm\neap7-apache-cxf-xjc-utils-3.2.3-2.redhat_00002.1.el7eap.src.rpm\neap7-artemis-native-2.6.3-15.redhat_00020.el7eap.src.rpm\neap7-byte-buddy-1.9.5-1.redhat_00001.1.el7eap.src.rpm\neap7-dom4j-2.1.1-2.redhat_00001.1.el7eap.src.rpm\neap7-elytron-web-1.2.4-1.Final_redhat_00001.1.el7eap.src.rpm\neap7-hibernate-5.3.9-2.Final_redhat_00002.1.el7eap.src.rpm\neap7-httpcomponents-asyncclient-4.1.4-1.redhat_00001.1.el7eap.src.rpm\neap7-infinispan-9.3.6-1.Final_redhat_00001.1.el7eap.src.rpm\neap7-ironjacamar-1.4.15-1.Final_redhat_00001.1.el7eap.src.rpm\neap7-jackson-annotations-2.9.8-2.redhat_00004.1.el7eap.src.rpm\neap7-jackson-core-2.9.8-2.redhat_00004.1.el7eap.src.rpm\neap7-jackson-databind-2.9.8-2.redhat_00004.1.el7eap.src.rpm\neap7-jackson-jaxrs-providers-2.9.8-2.redhat_00004.1.el7eap.src.rpm\neap7-jackson-modules-base-2.9.8-1.redhat_00004.1.el7eap.src.rpm\neap7-jackson-modules-java8-2.9.8-1.redhat_00004.1.el7eap.src.rpm\neap7-jberet-1.3.2-1.Final_redhat_00001.1.el7eap.src.rpm\neap7-jboss-ejb-client-4.0.15-1.Final_redhat_00001.1.el7eap.src.rpm\neap7-jboss-el-api_3.0_spec-1.0.13-2.Final_redhat_00001.1.el7eap.src.rpm\neap7-jboss-genericjms-2.0.1-2.Final_redhat_00002.1.el7eap.src.rpm\neap7-jboss-logmanager-2.1.7-3.Final_redhat_00001.1.el7eap.src.rpm\neap7-jboss-remoting-jmx-3.0.1-1.Final_redhat_00001.1.el7eap.src.rpm\neap7-jboss-security-negotiation-3.0.5-2.Final_redhat_00001.1.el7eap.src.rpm\neap7-jboss-server-migration-1.3.0-7.Final_redhat_00004.1.el7eap.src.rpm\neap7-narayana-5.9.1-1.Final_redhat_00001.1.el7eap.src.rpm\neap7-picketlink-bindings-2.5.5-16.SP12_redhat_4.1.el7eap.src.rpm\neap7-picketlink-federation-2.5.5-16.SP12_redhat_4.1.el7eap.src.rpm\neap7-resteasy-3.6.1-4.SP3_redhat_00001.1.el7eap.src.rpm\neap7-sun-istack-commons-3.0.7-2.redhat_00001.1.el7eap.src.rpm\neap7-undertow-2.0.19-1.Final_redhat_00001.1.el7eap.src.rpm\neap7-undertow-jastow-2.0.7-2.Final_redhat_00001.1.el7eap.src.rpm\neap7-wildfly-7.2.1-6.GA_redhat_00004.1.el7eap.src.rpm\neap7-wildfly-elytron-1.6.2-1.Final_redhat_00001.1.el7eap.src.rpm\neap7-wildfly-elytron-tool-1.4.1-1.Final_redhat_00001.1.el7eap.src.rpm\neap7-wildfly-http-client-1.0.13-1.Final_redhat_00001.1.el7eap.src.rpm\neap7-wildfly-transaction-client-1.1.3-1.Final_redhat_00001.1.el7eap.src.rpm\neap7-yasson-1.0.2-1.redhat_00001.1.el7eap.src.rpm\n\nnoarch:\neap7-activemq-artemis-2.6.3-5.redhat_00020.1.el7eap.noarch.rpm\neap7-activemq-artemis-cli-2.6.3-5.redhat_00020.1.el7eap.noarch.rpm\neap7-activemq-artemis-commons-2.6.3-5.redhat_00020.1.el7eap.noarch.rpm\neap7-activemq-artemis-core-client-2.6.3-5.redhat_00020.1.el7eap.noarch.rpm\neap7-activemq-artemis-dto-2.6.3-5.redhat_00020.1.el7eap.noarch.rpm\neap7-activemq-artemis-hornetq-protocol-2.6.3-5.redhat_00020.1.el7eap.noarch.rpm\neap7-activemq-artemis-hqclient-protocol-2.6.3-5.redhat_00020.1.el7eap.noarch.rpm\neap7-activemq-artemis-jdbc-store-2.6.3-5.redhat_00020.1.el7eap.noarch.rpm\neap7-activemq-artemis-jms-client-2.6.3-5.redhat_00020.1.el7eap.noarch.rpm\neap7-activemq-artemis-jms-server-2.6.3-5.redhat_00020.1.el7eap.noarch.rpm\neap7-activemq-artemis-journal-2.6.3-5.redhat_00020.1.el7eap.noarch.rpm\neap7-activemq-artemis-native-2.6.3-5.redhat_00020.1.el7eap.noarch.rpm\neap7-activemq-artemis-ra-2.6.3-5.redhat_00020.1.el7eap.noarch.rpm\neap7-activemq-artemis-selector-2.6.3-5.redhat_00020.1.el7eap.noarch.rpm\neap7-activemq-artemis-server-2.6.3-5.redhat_00020.1.el7eap.noarch.rpm\neap7-activemq-artemis-service-extensions-2.6.3-5.redhat_00020.1.el7eap.noarch.rpm\neap7-activemq-artemis-tools-2.6.3-5.redhat_00020.1.el7eap.noarch.rpm\neap7-apache-commons-lang-3.8.0-1.redhat_00001.1.el7eap.noarch.rpm\neap7-apache-cxf-3.2.7-1.redhat_00001.1.el7eap.noarch.rpm\neap7-apache-cxf-rt-3.2.7-1.redhat_00001.1.el7eap.noarch.rpm\neap7-apache-cxf-services-3.2.7-1.redhat_00001.1.el7eap.noarch.rpm\neap7-apache-cxf-tools-3.2.7-1.redhat_00001.1.el7eap.noarch.rpm\neap7-apache-cxf-xjc-utils-3.2.3-2.redhat_00002.1.el7eap.noarch.rpm\neap7-byte-buddy-1.9.5-1.redhat_00001.1.el7eap.noarch.rpm\neap7-cxf-xjc-boolean-3.2.3-2.redhat_00002.1.el7eap.noarch.rpm\neap7-cxf-xjc-bug986-3.2.3-2.redhat_00002.1.el7eap.noarch.rpm\neap7-cxf-xjc-dv-3.2.3-2.redhat_00002.1.el7eap.noarch.rpm\neap7-cxf-xjc-runtime-3.2.3-2.redhat_00002.1.el7eap.noarch.rpm\neap7-cxf-xjc-ts-3.2.3-2.redhat_00002.1.el7eap.noarch.rpm\neap7-dom4j-2.1.1-2.redhat_00001.1.el7eap.noarch.rpm\neap7-hibernate-5.3.9-2.Final_redhat_00002.1.el7eap.noarch.rpm\neap7-hibernate-core-5.3.9-2.Final_redhat_00002.1.el7eap.noarch.rpm\neap7-hibernate-entitymanager-5.3.9-2.Final_redhat_00002.1.el7eap.noarch.rpm\neap7-hibernate-envers-5.3.9-2.Final_redhat_00002.1.el7eap.noarch.rpm\neap7-hibernate-java8-5.3.9-2.Final_redhat_00002.1.el7eap.noarch.rpm\neap7-httpcomponents-asyncclient-4.1.4-1.redhat_00001.1.el7eap.noarch.rpm\neap7-infinispan-9.3.6-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-infinispan-cachestore-jdbc-9.3.6-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-infinispan-cachestore-remote-9.3.6-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-infinispan-client-hotrod-9.3.6-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-infinispan-commons-9.3.6-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-infinispan-core-9.3.6-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-infinispan-hibernate-cache-commons-9.3.6-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-infinispan-hibernate-cache-spi-9.3.6-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-infinispan-hibernate-cache-v53-9.3.6-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-ironjacamar-1.4.15-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-ironjacamar-common-api-1.4.15-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-ironjacamar-common-impl-1.4.15-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-ironjacamar-common-spi-1.4.15-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-ironjacamar-core-api-1.4.15-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-ironjacamar-core-impl-1.4.15-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-ironjacamar-deployers-common-1.4.15-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-ironjacamar-jdbc-1.4.15-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-ironjacamar-validator-1.4.15-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-istack-commons-runtime-3.0.7-2.redhat_00001.1.el7eap.noarch.rpm\neap7-istack-commons-tools-3.0.7-2.redhat_00001.1.el7eap.noarch.rpm\neap7-jackson-annotations-2.9.8-2.redhat_00004.1.el7eap.noarch.rpm\neap7-jackson-core-2.9.8-2.redhat_00004.1.el7eap.noarch.rpm\neap7-jackson-databind-2.9.8-2.redhat_00004.1.el7eap.noarch.rpm\neap7-jackson-datatype-jdk8-2.9.8-1.redhat_00004.1.el7eap.noarch.rpm\neap7-jackson-datatype-jsr310-2.9.8-1.redhat_00004.1.el7eap.noarch.rpm\neap7-jackson-jaxrs-base-2.9.8-2.redhat_00004.1.el7eap.noarch.rpm\neap7-jackson-jaxrs-json-provider-2.9.8-2.redhat_00004.1.el7eap.noarch.rpm\neap7-jackson-module-jaxb-annotations-2.9.8-1.redhat_00004.1.el7eap.noarch.rpm\neap7-jackson-modules-base-2.9.8-1.redhat_00004.1.el7eap.noarch.rpm\neap7-jackson-modules-java8-2.9.8-1.redhat_00004.1.el7eap.noarch.rpm\neap7-jberet-1.3.2-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-jberet-core-1.3.2-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-jboss-ejb-client-4.0.15-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-jboss-el-api_3.0_spec-1.0.13-2.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-jboss-genericjms-2.0.1-2.Final_redhat_00002.1.el7eap.noarch.rpm\neap7-jboss-logmanager-2.1.7-3.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-jboss-remoting-jmx-3.0.1-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-jboss-security-negotiation-3.0.5-2.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-jboss-server-migration-1.3.0-7.Final_redhat_00004.1.el7eap.noarch.rpm\neap7-jboss-server-migration-cli-1.3.0-7.Final_redhat_00004.1.el7eap.noarch.rpm\neap7-jboss-server-migration-core-1.3.0-7.Final_redhat_00004.1.el7eap.noarch.rpm\neap7-jboss-server-migration-eap6.4-1.3.0-7.Final_redhat_00004.1.el7eap.noarch.rpm\neap7-jboss-server-migration-eap6.4-to-eap7.2-1.3.0-7.Final_redhat_00004.1.el7eap.noarch.rpm\neap7-jboss-server-migration-eap7.0-1.3.0-7.Final_redhat_00004.1.el7eap.noarch.rpm\neap7-jboss-server-migration-eap7.0-to-eap7.2-1.3.0-7.Final_redhat_00004.1.el7eap.noarch.rpm\neap7-jboss-server-migration-eap7.1-1.3.0-7.Final_redhat_00004.1.el7eap.noarch.rpm\neap7-jboss-server-migration-eap7.1-to-eap7.2-1.3.0-7.Final_redhat_00004.1.el7eap.noarch.rpm\neap7-jboss-server-migration-eap7.2-1.3.0-7.Final_redhat_00004.1.el7eap.noarch.rpm\neap7-jboss-server-migration-wildfly10.0-1.3.0-7.Final_redhat_00004.1.el7eap.noarch.rpm\neap7-jboss-server-migration-wildfly10.0-to-eap7.2-1.3.0-7.Final_redhat_00004.1.el7eap.noarch.rpm\neap7-jboss-server-migration-wildfly10.1-1.3.0-7.Final_redhat_00004.1.el7eap.noarch.rpm\neap7-jboss-server-migration-wildfly10.1-to-eap7.2-1.3.0-7.Final_redhat_00004.1.el7eap.noarch.rpm\neap7-jboss-server-migration-wildfly11.0-1.3.0-7.Final_redhat_00004.1.el7eap.noarch.rpm\neap7-jboss-server-migration-wildfly11.0-to-eap7.2-1.3.0-7.Final_redhat_00004.1.el7eap.noarch.rpm\neap7-jboss-server-migration-wildfly12.0-1.3.0-7.Final_redhat_00004.1.el7eap.noarch.rpm\neap7-jboss-server-migration-wildfly12.0-to-eap7.2-1.3.0-7.Final_redhat_00004.1.el7eap.noarch.rpm\neap7-jboss-server-migration-wildfly13.0-server-1.3.0-7.Final_redhat_00004.1.el7eap.noarch.rpm\neap7-jboss-server-migration-wildfly8.2-1.3.0-7.Final_redhat_00004.1.el7eap.noarch.rpm\neap7-jboss-server-migration-wildfly8.2-to-eap7.2-1.3.0-7.Final_redhat_00004.1.el7eap.noarch.rpm\neap7-jboss-server-migration-wildfly9.0-1.3.0-7.Final_redhat_00004.1.el7eap.noarch.rpm\neap7-jboss-server-migration-wildfly9.0-to-eap7.2-1.3.0-7.Final_redhat_00004.1.el7eap.noarch.rpm\neap7-narayana-5.9.1-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-narayana-compensations-5.9.1-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-narayana-jbosstxbridge-5.9.1-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-narayana-jbossxts-5.9.1-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-narayana-jts-idlj-5.9.1-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-narayana-jts-integration-5.9.1-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-narayana-restat-api-5.9.1-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-narayana-restat-bridge-5.9.1-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-narayana-restat-integration-5.9.1-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-narayana-restat-util-5.9.1-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-narayana-txframework-5.9.1-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-picketlink-api-2.5.5-16.SP12_redhat_4.1.el7eap.noarch.rpm\neap7-picketlink-bindings-2.5.5-16.SP12_redhat_4.1.el7eap.noarch.rpm\neap7-picketlink-common-2.5.5-16.SP12_redhat_4.1.el7eap.noarch.rpm\neap7-picketlink-config-2.5.5-16.SP12_redhat_4.1.el7eap.noarch.rpm\neap7-picketlink-federation-2.5.5-16.SP12_redhat_4.1.el7eap.noarch.rpm\neap7-picketlink-idm-api-2.5.5-16.SP12_redhat_4.1.el7eap.noarch.rpm\neap7-picketlink-idm-impl-2.5.5-16.SP12_redhat_4.1.el7eap.noarch.rpm\neap7-picketlink-idm-simple-schema-2.5.5-16.SP12_redhat_4.1.el7eap.noarch.rpm\neap7-picketlink-impl-2.5.5-16.SP12_redhat_4.1.el7eap.noarch.rpm\neap7-picketlink-wildfly8-2.5.5-16.SP12_redhat_4.1.el7eap.noarch.rpm\neap7-resteasy-3.6.1-4.SP3_redhat_00001.1.el7eap.noarch.rpm\neap7-resteasy-atom-provider-3.6.1-4.SP3_redhat_00001.1.el7eap.noarch.rpm\neap7-resteasy-cdi-3.6.1-4.SP3_redhat_00001.1.el7eap.noarch.rpm\neap7-resteasy-client-3.6.1-4.SP3_redhat_00001.1.el7eap.noarch.rpm\neap7-resteasy-client-microprofile-3.6.1-4.SP3_redhat_00001.1.el7eap.noarch.rpm\neap7-resteasy-crypto-3.6.1-4.SP3_redhat_00001.1.el7eap.noarch.rpm\neap7-resteasy-jackson-provider-3.6.1-4.SP3_redhat_00001.1.el7eap.noarch.rpm\neap7-resteasy-jackson2-provider-3.6.1-4.SP3_redhat_00001.1.el7eap.noarch.rpm\neap7-resteasy-jaxb-provider-3.6.1-4.SP3_redhat_00001.1.el7eap.noarch.rpm\neap7-resteasy-jaxrs-3.6.1-4.SP3_redhat_00001.1.el7eap.noarch.rpm\neap7-resteasy-jettison-provider-3.6.1-4.SP3_redhat_00001.1.el7eap.noarch.rpm\neap7-resteasy-jose-jwt-3.6.1-4.SP3_redhat_00001.1.el7eap.noarch.rpm\neap7-resteasy-jsapi-3.6.1-4.SP3_redhat_00001.1.el7eap.noarch.rpm\neap7-resteasy-json-binding-provider-3.6.1-4.SP3_redhat_00001.1.el7eap.noarch.rpm\neap7-resteasy-json-p-provider-3.6.1-4.SP3_redhat_00001.1.el7eap.noarch.rpm\neap7-resteasy-multipart-provider-3.6.1-4.SP3_redhat_00001.1.el7eap.noarch.rpm\neap7-resteasy-rxjava2-3.6.1-4.SP3_redhat_00001.1.el7eap.noarch.rpm\neap7-resteasy-spring-3.6.1-4.SP3_redhat_00001.1.el7eap.noarch.rpm\neap7-resteasy-validator-provider-11-3.6.1-4.SP3_redhat_00001.1.el7eap.noarch.rpm\neap7-resteasy-yaml-provider-3.6.1-4.SP3_redhat_00001.1.el7eap.noarch.rpm\neap7-sun-istack-commons-3.0.7-2.redhat_00001.1.el7eap.noarch.rpm\neap7-undertow-2.0.19-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-undertow-jastow-2.0.7-2.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-undertow-server-1.2.4-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-wildfly-7.2.1-6.GA_redhat_00004.1.el7eap.noarch.rpm\neap7-wildfly-elytron-1.6.2-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-wildfly-elytron-tool-1.4.1-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-wildfly-http-client-common-1.0.13-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-wildfly-http-ejb-client-1.0.13-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-wildfly-http-naming-client-1.0.13-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-wildfly-http-transaction-client-1.0.13-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-wildfly-java-jdk11-7.2.1-6.GA_redhat_00004.1.el7eap.noarch.rpm\neap7-wildfly-java-jdk8-7.2.1-6.GA_redhat_00004.1.el7eap.noarch.rpm\neap7-wildfly-javadocs-7.2.1-6.GA_redhat_00004.1.el7eap.noarch.rpm\neap7-wildfly-modules-7.2.1-6.GA_redhat_00004.1.el7eap.noarch.rpm\neap7-wildfly-transaction-client-1.1.3-1.Final_redhat_00001.1.el7eap.noarch.rpm\neap7-yasson-1.0.2-1.redhat_00001.1.el7eap.noarch.rpm\n\nx86_64:\neap7-artemis-native-2.6.3-15.redhat_00020.el7eap.x86_64.rpm\neap7-artemis-native-wildfly-2.6.3-15.redhat_00020.el7eap.x86_64.rpm\n\nThese packages are GPG signed by Red Hat for security. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n8. References:\n\nhttps://access.redhat.com/security/cve/CVE-2018-11307\nhttps://access.redhat.com/security/cve/CVE-2018-12022\nhttps://access.redhat.com/security/cve/CVE-2018-12023\nhttps://access.redhat.com/security/cve/CVE-2018-14642\nhttps://access.redhat.com/security/cve/CVE-2018-14720\nhttps://access.redhat.com/security/cve/CVE-2018-14721\nhttps://access.redhat.com/security/cve/CVE-2019-3805\nhttps://access.redhat.com/security/cve/CVE-2019-3894\nhttps://access.redhat.com/security/updates/classification/#important\nhttps://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/\nhttps://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/html-single/installation_guide/\n\n9. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2019 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBXNLIE9zjgjWX9erEAQglKw/+JyHe4joco43PeWiW+gtOUi1LmK+vvmA/\ngkH43MSvriK9Skka+B0ZkTDUvIOe12f4be3IOpN3utcEcDHa/FgvsGZDnSSEsqRl\n4W0cPWOFpeGw1NxgeP/wyHl/ccuwmFgXyxOstqx3T93HsVLBteQfjDM/TNbRATPu\nESGwZbdJFWaGHTrYzK2U1z7kvWeG81Qc+nTzD52HT8Gl2Ru8Joy7cYhH2h42vLra\nPMOM5R7EWKINRFlIwPAO4rtvkZh+NfpViMvxcVxoObRue4FuAnoToZiyo50daPQI\n0GSvYcPlUB6eVttOmQuq63j4pypm+p7uEf4gFkOc0n38RaiiRx7TLdAoRwjg/oL+\n9gKnDg1uXOy0UOLiQbYSQXTQiN/5fo5cpGJ2y0VCI/bWcULq4owLrwzGbcRS2kN1\nRB94DglvRUcqbIcC3FIDKA6pUEAqyNL8j4moQfjvmxDHtdkFbWdMVyCPsVnqeRpi\nbXpTDQhsrdIEM6Hvmc16Zoli2vurhhwTOSEh5eBOP6H29UOduZRUA5Bi7QazgdOj\nB+NLXH2088Xy+bTvu9xv5iFBQ47Kp/EEvFr+xqU9sVzggIXpyLgn5G03/GOAKkJ7\nDHVygbhSYgeopJnFD1vD1Xz5cQHwoFwao00DXti3rUi9FbcQR0H/UQSmNq/OujOk\nJr14u9JZfcw=EHUv\n-----END PGP SIGNATURE-----\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2019-3894"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-004452"
},
{
"db": "CNVD",
"id": "CNVD-2019-14824"
},
{
"db": "VULMON",
"id": "CVE-2019-3894"
},
{
"db": "PACKETSTORM",
"id": "152764"
},
{
"db": "PACKETSTORM",
"id": "152765"
},
{
"db": "PACKETSTORM",
"id": "152766"
},
{
"db": "PACKETSTORM",
"id": "152779"
}
],
"trust": 2.61
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2019-3894",
"trust": 3.5
},
{
"db": "JVNDB",
"id": "JVNDB-2019-004452",
"trust": 0.8
},
{
"db": "PACKETSTORM",
"id": "152766",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "152779",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2019-14824",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2019.1618",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2019.1638",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-201905-108",
"trust": 0.6
},
{
"db": "VULMON",
"id": "CVE-2019-3894",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "152764",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "152765",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-14824"
},
{
"db": "VULMON",
"id": "CVE-2019-3894"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-004452"
},
{
"db": "PACKETSTORM",
"id": "152764"
},
{
"db": "PACKETSTORM",
"id": "152765"
},
{
"db": "PACKETSTORM",
"id": "152766"
},
{
"db": "PACKETSTORM",
"id": "152779"
},
{
"db": "NVD",
"id": "CVE-2019-3894"
},
{
"db": "CNNVD",
"id": "CNNVD-201905-108"
}
]
},
"id": "VAR-201905-0262",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-14824"
}
],
"trust": 1.6
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-14824"
}
]
},
"last_update_date": "2023-12-18T10:55:07.884000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Bug 1682108",
"trust": 0.8,
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=cve-2019-3894"
},
{
"title": "RHSA-2019:1106",
"trust": 0.8,
"url": "https://access.redhat.com/errata/rhsa-2019:1106"
},
{
"title": "RHSA-2019:1107",
"trust": 0.8,
"url": "https://access.redhat.com/errata/rhsa-2019:1107"
},
{
"title": "RHSA-2019:1108",
"trust": 0.8,
"url": "https://access.redhat.com/errata/rhsa-2019:1108"
},
{
"title": "RHSA-2019:1140",
"trust": 0.8,
"url": "https://access.redhat.com/errata/rhsa-2019:1140"
},
{
"title": "Red Hat: Important: Red Hat JBoss Enterprise Application Platform 7.2.1 security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20191106 - security advisory"
},
{
"title": "Red Hat: Important: Red Hat JBoss Enterprise Application Platform 7.2.1 on RHEL 6 security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20191107 - security advisory"
},
{
"title": "Red Hat: Important: Red Hat JBoss Enterprise Application Platform 7.2.1 on RHEL 7 security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20191108 - security advisory"
},
{
"title": "Red Hat: Important: Red Hat Single Sign-On 7.3.1 security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20191140 - security advisory"
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2019-3894"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-004452"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "NVD-CWE-noinfo",
"trust": 1.0
},
{
"problemtype": "CWE-264",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-004452"
},
{
"db": "NVD",
"id": "CVE-2019-3894"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.5,
"url": "https://access.redhat.com/errata/rhsa-2019:1106"
},
{
"trust": 2.4,
"url": "https://access.redhat.com/errata/rhsa-2019:1140"
},
{
"trust": 1.8,
"url": "https://access.redhat.com/errata/rhsa-2019:1108"
},
{
"trust": 1.8,
"url": "https://access.redhat.com/errata/rhsa-2019:1107"
},
{
"trust": 1.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-3894"
},
{
"trust": 1.7,
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=cve-2019-3894"
},
{
"trust": 1.7,
"url": "https://security.netapp.com/advisory/ntap-20190517-0004/"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-3894"
},
{
"trust": 0.6,
"url": "https://web.nvd.nist.gov//vuln/detail/cve-2019-3894"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/152779/red-hat-security-advisory-2019-1140-01.html"
},
{
"trust": 0.6,
"url": "https://vigilance.fr/vulnerability/red-hat-jboss-enterprise-application-platform-wildfly-privilege-escalation-via-elytronmanagedthread-29228"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/152766/red-hat-security-advisory-2019-1107-01.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/80598"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/80514"
},
{
"trust": 0.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-14642"
},
{
"trust": 0.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-14720"
},
{
"trust": 0.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-12022"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/cve/cve-2018-14720"
},
{
"trust": 0.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-12023"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/team/contact/"
},
{
"trust": 0.4,
"url": "https://www.redhat.com/mailman/listinfo/rhsa-announce"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/cve/cve-2018-12023"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/cve/cve-2018-14642"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/cve/cve-2018-14721"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/cve/cve-2018-12022"
},
{
"trust": 0.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11307"
},
{
"trust": 0.4,
"url": "https://bugzilla.redhat.com/):"
},
{
"trust": 0.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-14721"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/cve/cve-2019-3894"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/cve/cve-2018-11307"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/cve/cve-2019-3805"
},
{
"trust": 0.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-3805"
},
{
"trust": 0.3,
"url": "https://issues.jboss.org/):"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/html-single/installation_guide/"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/articles/11258"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/team/key/"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?product=appplatform\u0026downloadtype=securitypatches\u0026version=7.2"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-3868"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=securitypatches\u0026product=core.service.rhsso\u0026version=7.3"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.3/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-3868"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-14824"
},
{
"db": "VULMON",
"id": "CVE-2019-3894"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-004452"
},
{
"db": "PACKETSTORM",
"id": "152764"
},
{
"db": "PACKETSTORM",
"id": "152765"
},
{
"db": "PACKETSTORM",
"id": "152766"
},
{
"db": "PACKETSTORM",
"id": "152779"
},
{
"db": "NVD",
"id": "CVE-2019-3894"
},
{
"db": "CNNVD",
"id": "CNNVD-201905-108"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2019-14824"
},
{
"db": "VULMON",
"id": "CVE-2019-3894"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-004452"
},
{
"db": "PACKETSTORM",
"id": "152764"
},
{
"db": "PACKETSTORM",
"id": "152765"
},
{
"db": "PACKETSTORM",
"id": "152766"
},
{
"db": "PACKETSTORM",
"id": "152779"
},
{
"db": "NVD",
"id": "CVE-2019-3894"
},
{
"db": "CNNVD",
"id": "CNNVD-201905-108"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-05-21T00:00:00",
"db": "CNVD",
"id": "CNVD-2019-14824"
},
{
"date": "2019-05-03T00:00:00",
"db": "VULMON",
"id": "CVE-2019-3894"
},
{
"date": "2019-06-03T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2019-004452"
},
{
"date": "2019-05-08T17:45:48",
"db": "PACKETSTORM",
"id": "152764"
},
{
"date": "2019-05-08T17:45:55",
"db": "PACKETSTORM",
"id": "152765"
},
{
"date": "2019-05-08T17:46:03",
"db": "PACKETSTORM",
"id": "152766"
},
{
"date": "2019-05-09T10:21:11",
"db": "PACKETSTORM",
"id": "152779"
},
{
"date": "2019-05-03T20:29:01.327000",
"db": "NVD",
"id": "CVE-2019-3894"
},
{
"date": "2019-05-03T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201905-108"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-05-21T00:00:00",
"db": "CNVD",
"id": "CNVD-2019-14824"
},
{
"date": "2020-10-15T00:00:00",
"db": "VULMON",
"id": "CVE-2019-3894"
},
{
"date": "2019-06-03T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2019-004452"
},
{
"date": "2020-10-15T19:50:03.567000",
"db": "NVD",
"id": "CVE-2019-3894"
},
{
"date": "2020-10-21T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201905-108"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201905-108"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Wildfly Vulnerabilities related to authorization, permissions, and access control",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-004452"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "permissions and access control issues",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201905-108"
}
],
"trust": 0.6
}
}
var-202105-1311
Vulnerability from variot
A flaw was found in Wildfly in versions before 23.0.2.Final while creating a new role in domain mode via the admin console, it is possible to add a payload in the name field, leading to XSS. This affects Confidentiality and Integrity. Wildfly Contains a cross-site scripting vulnerability.Information may be obtained and information may be tampered with. Red Hat Wildfly is a lightweight open source application server based on JavaEE from Red Hat.
Red Hat Wildfly versions prior to 23.0.2 have cross-site scripting vulnerabilities. An attacker can exploit this vulnerability by adding a payload in the name field to cause cross-site scripting.
The References section of this erratum contains a download link (you must log in to download the update).
The JBoss server process must be restarted for the update to take effect. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
===================================================================== Red Hat Security Advisory
Synopsis: Moderate: Red Hat JBoss Enterprise Application Platform 7.3.8 on RHEL 7 security update Advisory ID: RHSA-2021:2693-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://access.redhat.com/errata/RHSA-2021:2693 Issue date: 2021-07-13 CVE Names: CVE-2021-3536 CVE-2021-21409 =====================================================================
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
- See the Red Hat JBoss Enterprise Application Platform 7.3.8 Release Notes for information about the most significant bug fixes and enhancements included in this release.
Security Fix(es):
-
netty: Request smuggling via content-length header (CVE-2021-21409)
-
wildfly: XSS via admin console when creating roles in domain mode (CVE-2021-3536)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
- Solution:
Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
- JIRA issues fixed (https://issues.jboss.org/):
JBEAP-20264 - GSS ISPN-12787 - Non Transactional Cache needs to be invalidated after commit on JPQL update/delete operation JBEAP-20503 - GSS WFCORE-5185 - Update ProviderDefinition to use optimised service loading API JBEAP-20623 - GSS Upgrade Hibernate ORM from 5.3.20.Final-redhat-00001 to 5.3.20.SP1-redhat-00001 JBEAP-21179 - Tracker bug for the EAP 7.3.8 release for RHEL-7 JBEAP-21406 - GSS Upgrade Ironjacamar from 1.4.30.Final-redhat-00001 to 1.4.33.Final-redhat-00001 JBEAP-21421 - (7.3.z) Upgrade Infinispan from 9.4.22.Final-redhat-00001 to 9.4.23.Final-redhat-00001 JBEAP-21434 - (7.3.z) Upgrade wildfly-http-client from 1.0.26.Final-redhat-00001 to 1.0.28.Final-redhat-00001 JBEAP-21435 - (7.3.z) Upgrade Elytron from 1.10.12.Final-redhat-00001 to 1.10.13.Final-redhat-00001 JBEAP-21437 - (7.3.z) Upgrade netty from 4.1.60.Final to 4.1.63 JBEAP-21441 - (7.3.z) Upgrade Undertow from 2.0.35.SP1-redhat-00001 to 2.0.38.SP1-redhat-00001 JBEAP-21443 - (7.3.z) Upgrade jberet from 1.3.7.Final-redhat-00001 to 1.3.8.Final-redhat-00001 JBEAP-21444 - (7.3.z) Upgrade wf-core from 10.1.20.Final-redhat-00001 to 10.1.21.Final-redhat-00001 JBEAP-21567 - GSS Upgrade HAL from 3.2.14.Final-redhat-00001 to 3.2.15.Final-redhat-00001 JBEAP-21582 - (7.3.z) Upgrade remoting from 5.0.20.SP1-redhat-00001 to 5.0.23.Final-redhat-00001 JBEAP-21739 - (7.3.z) Upgrade elytron-web from 1.6.2.Final-redhat-00001 to 1.6.3.Final-redhat-00001 JBEAP-21977 - SET Update product CP branch github template
-
Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
-
References:
https://access.redhat.com/security/cve/CVE-2021-3536 https://access.redhat.com/security/cve/CVE-2021-21409 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/ https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/html-single/installation_guide/
- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIVAwUBYO2On9zjgjWX9erEAQhKOQ//afEATx0pRuRfFiXicDmjCwDz8CcXrDwf 8fgmVfpCRsDORqZJKVcQGKlN2aBagbnLfkLK2U5zbqYTT4iJBQgQmUuVWF7n6Trx TGyiBrIlCiE6Horext2mmtnb96TRR0b43BGU2BBtEPcq/puwYbvJYiwvPfCx3+nF oXm82ACKfqhP+2ErJC23/qBhN4WtL/bF5Md20nhHC2gXZka5YV2VM7/j+wzltnaH t5gtESPQ074POF7jUvinbdrSDzbz+Q5FFaOVEZrpdpxVFTX/zpJxaPQnflkrArk0 P5hqKiUg4lhA/98pFdCOL4yFUAZ+dIpBaN3sMhd8Um1ovnegMb0sV4S0XPaJxUWg BuMEO/f3H9T/YNX3RXNjA+iNY7W6CkGpfFjoMaDrd4ZKyR2HStMyqXBHylBNdyWS IeMbcJnYAG+L1agV/dkbaqJFxa4dHIefKTRnxxM6fpHPp4JbDx62p4/qGLU39JwR WQwwo6bQWefkytn/+tBAvjZHs59dvGGa9BSMukPgOs3pYFbLHNnRPBczTgRNP71h do3Kyi0BMEuG1P+GkJpAqLJBS4pxZNmZeRvEMzTEepn+iL9pplfq2lffesH4JZ4Y dG+0Ne+d1g3nM4QWdu/s64hfBt9cuYBXsnnpuG/Yt5yLYSrqfTcLpOQGfD8V6qwx otJ1DTehKNw= =tObI -----END PGP SIGNATURE-----
-- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . The purpose of this text-only errata is to inform you about the security issues fixed in this release.
Installation instructions are available from the Fuse 7.10.0 product documentation page: https://access.redhat.com/documentation/en-us/red_hat_fuse/7.10/
- Bugs fixed (https://bugzilla.redhat.com/):
1937364 - CVE-2021-21295 netty: possible request smuggling in HTTP/2 due missing validation 1937440 - CVE-2020-13936 velocity: arbitrary code execution when attacker is able to modify templates 1944888 - CVE-2021-21409 netty: Request smuggling via content-length header 1948001 - CVE-2021-3536 wildfly: XSS via admin console when creating roles in domain mode 1948752 - CVE-2021-29425 apache-commons-io: Limited path traversal in Apache Commons IO 2.2 to 2.6 1965497 - CVE-2021-28170 jakarta-el: ELParserTokenManager enables invalid EL expressions to be evaluate 1970930 - CVE-2021-3597 undertow: HTTP2SourceChannel fails to write final frame under some circumstances may lead to DoS 1976052 - CVE-2021-3644 wildfly-core: Invalid Sensitivity Classification of Vault Expression 1981407 - CVE-2021-3642 wildfly-elytron: possible timing attack in ScramServer 1991299 - CVE-2021-3690 undertow: buffer leak on incoming websocket PONG message may lead to DoS
5
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202105-1311",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "build of quarkus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": null
},
{
"model": "integration camel k",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": null
},
{
"model": "integration service registry",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": null
},
{
"model": "data grid",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "8.0"
},
{
"model": "integration camel quarkus",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": null
},
{
"model": "jboss enterprise application platform",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.0"
},
{
"model": "jboss a-mq",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7"
},
{
"model": "wildfly",
"scope": "lt",
"trust": 1.0,
"vendor": "redhat",
"version": "23.0.2"
},
{
"model": "descision manager",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.0"
},
{
"model": "integration service registry",
"scope": null,
"trust": 0.8,
"vendor": "\u30ec\u30c3\u30c9\u30cf\u30c3\u30c8",
"version": null
},
{
"model": "integration camel k",
"scope": null,
"trust": 0.8,
"vendor": "\u30ec\u30c3\u30c9\u30cf\u30c3\u30c8",
"version": null
},
{
"model": "descision manager",
"scope": null,
"trust": 0.8,
"vendor": "\u30ec\u30c3\u30c9\u30cf\u30c3\u30c8",
"version": null
},
{
"model": "red hat jboss a-mq",
"scope": null,
"trust": 0.8,
"vendor": "\u30ec\u30c3\u30c9\u30cf\u30c3\u30c8",
"version": null
},
{
"model": "jboss enterprise application platform",
"scope": null,
"trust": 0.8,
"vendor": "\u30ec\u30c3\u30c9\u30cf\u30c3\u30c8",
"version": null
},
{
"model": "integration camel quarkus",
"scope": null,
"trust": 0.8,
"vendor": "\u30ec\u30c3\u30c9\u30cf\u30c3\u30c8",
"version": null
},
{
"model": "wildfly",
"scope": null,
"trust": 0.8,
"vendor": "\u30ec\u30c3\u30c9\u30cf\u30c3\u30c8",
"version": null
},
{
"model": "jboss data grid",
"scope": null,
"trust": 0.8,
"vendor": "\u30ec\u30c3\u30c9\u30cf\u30c3\u30c8",
"version": null
},
{
"model": "build of quarkus",
"scope": null,
"trust": 0.8,
"vendor": "\u30ec\u30c3\u30c9\u30cf\u30c3\u30c8",
"version": null
},
{
"model": "hat wildfly",
"scope": "lt",
"trust": 0.6,
"vendor": "red",
"version": "23.0.2"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-37277"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-007113"
},
{
"db": "NVD",
"id": "CVE-2021-3536"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:redhat:build_of_quarkus:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:data_grid:8.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:descision_manager:7.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:integration_camel_k:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:integration_camel_quarkus:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:integration_service_registry:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_a-mq:7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:wildfly:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "23.0.2",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2021-3536"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Red Hat",
"sources": [
{
"db": "PACKETSTORM",
"id": "163480"
},
{
"db": "PACKETSTORM",
"id": "163483"
},
{
"db": "PACKETSTORM",
"id": "163485"
},
{
"db": "PACKETSTORM",
"id": "163489"
},
{
"db": "PACKETSTORM",
"id": "165294"
},
{
"db": "PACKETSTORM",
"id": "164279"
}
],
"trust": 0.6
},
"cve": "CVE-2021-3536",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "LOW",
"trust": 1.0,
"userInteractionRequired": true,
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Medium",
"accessVector": "Network",
"authentication": "Single",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 3.5,
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "CVE-2021-3536",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Low",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"exploitabilityScore": 6.8,
"id": "CNVD-2021-37277",
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"severity": "LOW",
"trust": 0.6,
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 4.8,
"baseSeverity": "Medium",
"confidentialityImpact": "Low",
"exploitabilityScore": null,
"id": "CVE-2021-3536",
"impactScore": null,
"integrityImpact": "Low",
"privilegesRequired": "High",
"scope": "Changed",
"trust": 0.8,
"userInteraction": "Required",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2021-3536",
"trust": 1.8,
"value": "MEDIUM"
},
{
"author": "CNVD",
"id": "CNVD-2021-37277",
"trust": 0.6,
"value": "LOW"
},
{
"author": "CNNVD",
"id": "CNNVD-202105-1302",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2021-3536",
"trust": 0.1,
"value": "LOW"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-37277"
},
{
"db": "VULMON",
"id": "CVE-2021-3536"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-007113"
},
{
"db": "CNNVD",
"id": "CNNVD-202105-1302"
},
{
"db": "NVD",
"id": "CVE-2021-3536"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "A flaw was found in Wildfly in versions before 23.0.2.Final while creating a new role in domain mode via the admin console, it is possible to add a payload in the name field, leading to XSS. This affects Confidentiality and Integrity. Wildfly Contains a cross-site scripting vulnerability.Information may be obtained and information may be tampered with. Red Hat Wildfly is a lightweight open source application server based on JavaEE from Red Hat. \n\r\n\r\nRed Hat Wildfly versions prior to 23.0.2 have cross-site scripting vulnerabilities. An attacker can exploit this vulnerability by adding a payload in the name field to cause cross-site scripting. \n\nThe References section of this erratum contains a download link (you must\nlog in to download the update). \n\nThe JBoss server process must be restarted for the update to take effect. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n=====================================================================\n Red Hat Security Advisory\n\nSynopsis: Moderate: Red Hat JBoss Enterprise Application Platform 7.3.8 on RHEL 7 security update\nAdvisory ID: RHSA-2021:2693-01\nProduct: Red Hat JBoss Enterprise Application Platform\nAdvisory URL: https://access.redhat.com/errata/RHSA-2021:2693\nIssue date: 2021-07-13\nCVE Names: CVE-2021-3536 CVE-2021-21409 \n=====================================================================\n\n1. \n\nRed Hat Product Security has rated this update as having a security impact\nof Moderate. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section. \n\n2. See the Red Hat JBoss Enterprise\nApplication Platform 7.3.8 Release Notes for information about the most\nsignificant bug fixes and enhancements included in this release. \n\nSecurity Fix(es):\n\n* netty: Request smuggling via content-length header (CVE-2021-21409)\n\n* wildfly: XSS via admin console when creating roles in domain mode\n(CVE-2021-3536)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. \n\n4. Solution:\n\nBefore applying this update, back up your existing Red Hat JBoss Enterprise\nApplication Platform installation and deployed applications. \n\nFor details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\n5. JIRA issues fixed (https://issues.jboss.org/):\n\nJBEAP-20264 - [GSS](7.3.z) ISPN-12787 - Non Transactional Cache needs to be invalidated after commit on JPQL update/delete operation\nJBEAP-20503 - [GSS](7.3.z) WFCORE-5185 - Update ProviderDefinition to use optimised service loading API\nJBEAP-20623 - [GSS](7.3.z) Upgrade Hibernate ORM from 5.3.20.Final-redhat-00001 to 5.3.20.SP1-redhat-00001\nJBEAP-21179 - Tracker bug for the EAP 7.3.8 release for RHEL-7\nJBEAP-21406 - [GSS](7.3.z) Upgrade Ironjacamar from 1.4.30.Final-redhat-00001 to 1.4.33.Final-redhat-00001\nJBEAP-21421 - (7.3.z) Upgrade Infinispan from 9.4.22.Final-redhat-00001 to 9.4.23.Final-redhat-00001\nJBEAP-21434 - (7.3.z) Upgrade wildfly-http-client from 1.0.26.Final-redhat-00001 to 1.0.28.Final-redhat-00001\nJBEAP-21435 - (7.3.z) Upgrade Elytron from 1.10.12.Final-redhat-00001 to 1.10.13.Final-redhat-00001\nJBEAP-21437 - (7.3.z) Upgrade netty from 4.1.60.Final to 4.1.63\nJBEAP-21441 - (7.3.z) Upgrade Undertow from 2.0.35.SP1-redhat-00001 to 2.0.38.SP1-redhat-00001\nJBEAP-21443 - (7.3.z) Upgrade jberet from 1.3.7.Final-redhat-00001 to 1.3.8.Final-redhat-00001\nJBEAP-21444 - (7.3.z) Upgrade wf-core from 10.1.20.Final-redhat-00001 to 10.1.21.Final-redhat-00001\nJBEAP-21567 - [GSS](7.3.z) Upgrade HAL from 3.2.14.Final-redhat-00001 to 3.2.15.Final-redhat-00001\nJBEAP-21582 - (7.3.z) Upgrade remoting from 5.0.20.SP1-redhat-00001 to 5.0.23.Final-redhat-00001\nJBEAP-21739 - (7.3.z) Upgrade elytron-web from 1.6.2.Final-redhat-00001 to 1.6.3.Final-redhat-00001\nJBEAP-21977 - [SET](7.3.z) Update product CP branch github template \n\n7. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n8. References:\n\nhttps://access.redhat.com/security/cve/CVE-2021-3536\nhttps://access.redhat.com/security/cve/CVE-2021-21409\nhttps://access.redhat.com/security/updates/classification/#moderate\nhttps://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/\nhttps://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/html-single/installation_guide/\n\n9. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBYO2On9zjgjWX9erEAQhKOQ//afEATx0pRuRfFiXicDmjCwDz8CcXrDwf\n8fgmVfpCRsDORqZJKVcQGKlN2aBagbnLfkLK2U5zbqYTT4iJBQgQmUuVWF7n6Trx\nTGyiBrIlCiE6Horext2mmtnb96TRR0b43BGU2BBtEPcq/puwYbvJYiwvPfCx3+nF\noXm82ACKfqhP+2ErJC23/qBhN4WtL/bF5Md20nhHC2gXZka5YV2VM7/j+wzltnaH\nt5gtESPQ074POF7jUvinbdrSDzbz+Q5FFaOVEZrpdpxVFTX/zpJxaPQnflkrArk0\nP5hqKiUg4lhA/98pFdCOL4yFUAZ+dIpBaN3sMhd8Um1ovnegMb0sV4S0XPaJxUWg\nBuMEO/f3H9T/YNX3RXNjA+iNY7W6CkGpfFjoMaDrd4ZKyR2HStMyqXBHylBNdyWS\nIeMbcJnYAG+L1agV/dkbaqJFxa4dHIefKTRnxxM6fpHPp4JbDx62p4/qGLU39JwR\nWQwwo6bQWefkytn/+tBAvjZHs59dvGGa9BSMukPgOs3pYFbLHNnRPBczTgRNP71h\ndo3Kyi0BMEuG1P+GkJpAqLJBS4pxZNmZeRvEMzTEepn+iL9pplfq2lffesH4JZ4Y\ndG+0Ne+d1g3nM4QWdu/s64hfBt9cuYBXsnnpuG/Yt5yLYSrqfTcLpOQGfD8V6qwx\notJ1DTehKNw=\n=tObI\n-----END PGP SIGNATURE-----\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://listman.redhat.com/mailman/listinfo/rhsa-announce\n. The purpose of this text-only errata is to inform you about the\nsecurity issues fixed in this release. \n\nInstallation instructions are available from the Fuse 7.10.0 product\ndocumentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.10/\n\n4. Bugs fixed (https://bugzilla.redhat.com/):\n\n1937364 - CVE-2021-21295 netty: possible request smuggling in HTTP/2 due missing validation\n1937440 - CVE-2020-13936 velocity: arbitrary code execution when attacker is able to modify templates\n1944888 - CVE-2021-21409 netty: Request smuggling via content-length header\n1948001 - CVE-2021-3536 wildfly: XSS via admin console when creating roles in domain mode\n1948752 - CVE-2021-29425 apache-commons-io: Limited path traversal in Apache Commons IO 2.2 to 2.6\n1965497 - CVE-2021-28170 jakarta-el: ELParserTokenManager enables invalid EL expressions to be evaluate\n1970930 - CVE-2021-3597 undertow: HTTP2SourceChannel fails to write final frame under some circumstances may lead to DoS\n1976052 - CVE-2021-3644 wildfly-core: Invalid Sensitivity Classification of Vault Expression\n1981407 - CVE-2021-3642 wildfly-elytron: possible timing attack in ScramServer\n1991299 - CVE-2021-3690 undertow: buffer leak on incoming websocket PONG message may lead to DoS\n\n5",
"sources": [
{
"db": "NVD",
"id": "CVE-2021-3536"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-007113"
},
{
"db": "CNVD",
"id": "CNVD-2021-37277"
},
{
"db": "VULMON",
"id": "CVE-2021-3536"
},
{
"db": "PACKETSTORM",
"id": "163480"
},
{
"db": "PACKETSTORM",
"id": "163483"
},
{
"db": "PACKETSTORM",
"id": "163485"
},
{
"db": "PACKETSTORM",
"id": "163489"
},
{
"db": "PACKETSTORM",
"id": "165294"
},
{
"db": "PACKETSTORM",
"id": "164279"
}
],
"trust": 2.79
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2021-3536",
"trust": 4.5
},
{
"db": "JVNDB",
"id": "JVNDB-2021-007113",
"trust": 0.8
},
{
"db": "PACKETSTORM",
"id": "163489",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "164279",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2021-37277",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.2363",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.2416",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.3208",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.4253",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.2572",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "163713",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "163517",
"trust": 0.6
},
{
"db": "CS-HELP",
"id": "SB2021071513",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202105-1302",
"trust": 0.6
},
{
"db": "VULMON",
"id": "CVE-2021-3536",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "163480",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "163483",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "163485",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "165294",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-37277"
},
{
"db": "VULMON",
"id": "CVE-2021-3536"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-007113"
},
{
"db": "PACKETSTORM",
"id": "163480"
},
{
"db": "PACKETSTORM",
"id": "163483"
},
{
"db": "PACKETSTORM",
"id": "163485"
},
{
"db": "PACKETSTORM",
"id": "163489"
},
{
"db": "PACKETSTORM",
"id": "165294"
},
{
"db": "PACKETSTORM",
"id": "164279"
},
{
"db": "CNNVD",
"id": "CNNVD-202105-1302"
},
{
"db": "NVD",
"id": "CVE-2021-3536"
}
]
},
"id": "VAR-202105-1311",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-37277"
}
],
"trust": 1.6
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-37277"
}
]
},
"last_update_date": "2024-07-23T21:35:12.003000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Bug\u00a01948001",
"trust": 0.8,
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1948001"
},
{
"title": "Patch for Red Hat Wildfly cross-site scripting vulnerability",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchinfo/show/268076"
},
{
"title": "Red Hat Wildfly Fixes for cross-site scripting vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=152209"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-37277"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-007113"
},
{
"db": "CNNVD",
"id": "CNNVD-202105-1302"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-79",
"trust": 1.0
},
{
"problemtype": "Cross-site scripting (CWE-79) [NVD Evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2021-007113"
},
{
"db": "NVD",
"id": "CVE-2021-3536"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.9,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3536"
},
{
"trust": 1.7,
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1948001"
},
{
"trust": 0.6,
"url": "https://access.redhat.com/security/cve/cve-2021-3536"
},
{
"trust": 0.6,
"url": "https://listman.redhat.com/mailman/listinfo/rhsa-announce"
},
{
"trust": 0.6,
"url": "https://bugzilla.redhat.com/):"
},
{
"trust": 0.6,
"url": "https://access.redhat.com/security/cve/cve-2021-21409"
},
{
"trust": 0.6,
"url": "https://access.redhat.com/security/team/contact/"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.2363"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.2572"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/164279/red-hat-security-advisory-2021-3660-01.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.4253"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2021071513"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/163489/red-hat-security-advisory-2021-2694-01.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.2416"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.3208"
},
{
"trust": 0.6,
"url": "https://vigilance.fr/vulnerability/wildfly-cross-site-scripting-via-domain-mode-role-creation-35503"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/163517/red-hat-security-advisory-2021-2755-01.html"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/163713/red-hat-security-advisory-2021-2965-01.html"
},
{
"trust": 0.5,
"url": "https://issues.jboss.org/):"
},
{
"trust": 0.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-21409"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/html-single/installation_guide/"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/articles/11258"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/team/key/"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2021-3690"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2021-28170"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2021-3597"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2021-21295"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-21295"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2021-29425"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/79.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?product=appplatform\u0026downloadtype=securitypatches\u0026version=7.3"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2021:2696"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2021:2693"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2021:2692"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2021:2694"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-37714"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/vulnerabilities/rhsb-2021-009"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-35510"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-21341"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-21342"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-21290"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-28169"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-17527"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-17521"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-3629"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-2875"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/updates/classification/#critical"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-28164"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-21348"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-21344"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-12415"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-11988"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-9488"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-28491"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-30129"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-2875"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-30468"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-21350"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-21290"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-21349"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-12415"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-28163"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-10744"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-26217"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-26259"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-21344"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-17527"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-11987"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-20218"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-27782"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=distributions\u0026product=jboss.fuse\u0026version=7.10.0"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-37136"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-44228"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-34428"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-2934"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-17521"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-27223"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-21346"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-22696"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-26259"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-15522"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11987"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-21345"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-26217"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-15522"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-27218"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-27218"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-10744"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-37137"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-35510"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-2934"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-21351"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-13943"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-13943"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-21347"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-13949"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/documentation/en-us/red_hat_fuse/7.10/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-21341"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-9488"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-21342"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-28491"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-23926"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-27223"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-27782"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2021:5134"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-27568"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11988"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-13949"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-21343"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-21343"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-20218"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-22118"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2021:3660"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-3644"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3644"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3597"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=securitypatches\u0026product=appplatform\u0026version=7.4"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-29425"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-13936"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3690"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-13936"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2021-3642"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-3642"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2021-28170"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-37277"
},
{
"db": "VULMON",
"id": "CVE-2021-3536"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-007113"
},
{
"db": "PACKETSTORM",
"id": "163480"
},
{
"db": "PACKETSTORM",
"id": "163483"
},
{
"db": "PACKETSTORM",
"id": "163485"
},
{
"db": "PACKETSTORM",
"id": "163489"
},
{
"db": "PACKETSTORM",
"id": "165294"
},
{
"db": "PACKETSTORM",
"id": "164279"
},
{
"db": "CNNVD",
"id": "CNNVD-202105-1302"
},
{
"db": "NVD",
"id": "CVE-2021-3536"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2021-37277"
},
{
"db": "VULMON",
"id": "CVE-2021-3536"
},
{
"db": "JVNDB",
"id": "JVNDB-2021-007113"
},
{
"db": "PACKETSTORM",
"id": "163480"
},
{
"db": "PACKETSTORM",
"id": "163483"
},
{
"db": "PACKETSTORM",
"id": "163485"
},
{
"db": "PACKETSTORM",
"id": "163489"
},
{
"db": "PACKETSTORM",
"id": "165294"
},
{
"db": "PACKETSTORM",
"id": "164279"
},
{
"db": "CNNVD",
"id": "CNNVD-202105-1302"
},
{
"db": "NVD",
"id": "CVE-2021-3536"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2021-05-27T00:00:00",
"db": "CNVD",
"id": "CNVD-2021-37277"
},
{
"date": "2021-05-20T00:00:00",
"db": "VULMON",
"id": "CVE-2021-3536"
},
{
"date": "2022-02-03T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2021-007113"
},
{
"date": "2021-07-13T15:14:52",
"db": "PACKETSTORM",
"id": "163480"
},
{
"date": "2021-07-13T15:19:05",
"db": "PACKETSTORM",
"id": "163483"
},
{
"date": "2021-07-13T15:26:05",
"db": "PACKETSTORM",
"id": "163485"
},
{
"date": "2021-07-13T15:38:58",
"db": "PACKETSTORM",
"id": "163489"
},
{
"date": "2021-12-15T15:25:47",
"db": "PACKETSTORM",
"id": "165294"
},
{
"date": "2021-09-24T15:46:14",
"db": "PACKETSTORM",
"id": "164279"
},
{
"date": "2021-05-20T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202105-1302"
},
{
"date": "2021-05-20T13:15:07.840000",
"db": "NVD",
"id": "CVE-2021-3536"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2021-05-27T00:00:00",
"db": "CNVD",
"id": "CNVD-2021-37277"
},
{
"date": "2021-05-26T00:00:00",
"db": "VULMON",
"id": "CVE-2021-3536"
},
{
"date": "2022-02-03T05:20:00",
"db": "JVNDB",
"id": "JVNDB-2021-007113"
},
{
"date": "2021-12-16T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202105-1302"
},
{
"date": "2021-05-26T15:02:54.977000",
"db": "NVD",
"id": "CVE-2021-3536"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202105-1302"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Red Hat Wildfly cross-site scripting vulnerability",
"sources": [
{
"db": "CNVD",
"id": "CNVD-2021-37277"
},
{
"db": "CNNVD",
"id": "CNNVD-202105-1302"
}
],
"trust": 1.2
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "xss",
"sources": [
{
"db": "PACKETSTORM",
"id": "163480"
},
{
"db": "PACKETSTORM",
"id": "163483"
},
{
"db": "PACKETSTORM",
"id": "163485"
},
{
"db": "PACKETSTORM",
"id": "163489"
},
{
"db": "CNNVD",
"id": "CNNVD-202105-1302"
}
],
"trust": 1.0
}
}
var-201905-0080
Vulnerability from variot
A flaw was discovered in wildfly versions up to 16.0.0.Final that would allow local users who are able to execute init.d script to terminate arbitrary processes on the system. An attacker could exploit this by modifying the PID file in /var/run/jboss-eap/ allowing the init.d script to terminate any process as root. wildfly Contains a race condition vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. RedHatWildfly is a JavaEE-based lightweight open source application server from RedHat. A race condition issue vulnerability exists in RedHatWildfly16.0.0.Final and prior versions. The vulnerability stems from the improper handling of concurrent access when the network system or product is running and concurrent code needs to access shared resources mutually exclusive. Redhat Wildfly is prone to a local denial of service vulnerability. An attacker can leverage this issue to cause a denial of service condition. The purpose of this text-only errata is to inform you about the security issues fixed in this release.
Installation instructions are available from the Fuse 7.4.0 product documentation page: https://access.redhat.com/documentation/en-us/red_hat_fuse/7.4/
The References section of this erratum contains a download link (you must log in to download the update).
The JBoss server process must be restarted for the update to take effect. Solution:
Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
- Bugs fixed (https://bugzilla.redhat.com/):
1628702 - CVE-2018-14642 undertow: Infoleak in some circumstances where Undertow can serve data from a random buffer 1660263 - CVE-2019-3805 wildfly: Race condition on PID file allows for termination of arbitrary processes by local users 1666423 - CVE-2018-14720 jackson-databind: exfiltration/XXE in some JDK classes 1666428 - CVE-2018-14721 jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class 1671096 - CVE-2018-12023 jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver 1671097 - CVE-2018-12022 jackson-databind: improper polymorphic deserialization of types from Jodd-db library 1677341 - CVE-2018-11307 jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis 1682108 - CVE-2019-3894 wildfly: wrong SecurityIdentity for EE concurrency threads that are reused
- JIRA issues fixed (https://issues.jboss.org/):
JBEAP-14861 - GSS Upgrade JBeret from 1.3.1.Final to 1.3.2.Final JBEAP-15392 - (7.2.z) Upgrade Apache CXF from 3.2.5 to 3.2.7 JBEAP-15477 - (7.2.z) Upgrade PicketLink bindings from 2.5.5.SP12-redhat-2 to 2.5.5.SP12-redhat-4 JBEAP-15478 - (7.2.z) Upgrade PicketLink from 2.5.5.SP12-redhat-2 to 2.5.5.SP12-redhat-4 JBEAP-15568 - GSS Upgrade ironjacamar from 1.4.11 Final to 1.4.15 Final JBEAP-15617 - (7.2.z) Upgrade WildFly Core from 6.0.11 to 6.0.12 JBEAP-15622 - GSS Upgrade jboss-el-api_spec from 1.0.12.Final to 1.0.13.Final JBEAP-15748 - GSS Upgrade jastow from 2.0.6.Final-redhat-00001 to 2.0.7.Final-redhat-00001 JBEAP-15805 - (7.2.z) Upgrade Hibernate ORM from 5.3.7 to 5.3.8 JBEAP-15851 - [ENG] (7.2.z) Upgrade Infinispan from 9.3.3.Final to 9.3.6.Final JBEAP-15869 - (7.2.z) Upgrade Undertow from 2.0.15 to 2.0.19 JBEAP-15876 - (7.2.z) Upgrade Artemis from 2.6.3.redhat-00014 to 2.6.3.redhat-00020 JBEAP-16025 - Upgrade yasson from 1.0.1 to 1.0.2 JBEAP-16037 - GSS Upgrade Narayana from 5.9.0.Final to 5.9.1.Final JBEAP-16086 - (7.2.z) Upgrade WildFly HTTP client from 1.0.12.Final to 1.0.13.Final JBEAP-16090 - GSS Upgrade jboss-ejb-client from 4.0.12 to 4.0.15 JBEAP-16091 - GSS Upgrade wildfly-transaction-client from 1.1.2.Final-redhat-1 to 1.1.3.Final-redhat-1 JBEAP-16112 - (7.2.z) Upgrade FasterXML Jackson from 2.9.5.redhat-2 to 2.9.8 JBEAP-16122 - [Runtimes] (7.2.z) Upgrade istack from 3.0.5.redhat-1 to 3.0.7.redhat-00001 JBEAP-16123 - [Runtimes] (7.2.x) Upgrade commons-digester from 1.8 to 1.8.1.redhat-4 JBEAP-16124 - [Runtimes] (7.2.x) Upgrade hornetq from 2.4.7.redhat-1 to 2.4.7.redhat-2 JBEAP-16125 - [Runtimes] (7.2.x) Upgrade org.jboss.genericjms from 2.0.1.Final-redhat-1 to 2.0.1.Final-redhat-00002 JBEAP-16137 - (7.2.z) (WFCORE) Upgrade FasterXML Jackson from 2.9.2 to 2.9.8 JBEAP-16146 - (7.2.z) Upgrade Elytron from 1.6.1.Final to 1.6.2.Final JBEAP-16147 - (7.2.z) Upgrade Elytron-Tool from 1.4.0 to 1.4.1.Final JBEAP-16234 - Tracker bug for the EAP 7.2.1 release for RHEL-7 JBEAP-16259 - (7.2.z) Upgrade legacy EJB Client from 3.0.2.Final-redhat-1 to 3.0.3.Final-redhat-1 JBEAP-16276 - (7.2.z) Upgrade elytron-web from 1.2.3.Final to 1.2.4.Final JBEAP-16321 - (7.2.z) HHH-13099 HHH-13283 Upgrade ByteBuddy from 1.8.17 to 1.9.5 JBEAP-16347 - (7.2.z) Upgrade jboss-logmanager from 2.1.5.Final-redhat-00001 to 2.1.7.Final JBEAP-16356 - (7.2.z) Upgrade RESTEasy from 3.6.1.SP2 to 3.6.1.SP3 JBEAP-16367 - (7.2.z) Upgrade commons-lang3 from 3.6.0-redhat-1 to 3.8-redhat-00001 JBEAP-16368 - (7.2.z) Upgrade cxf-xjc from 3.2.2.redhat-00001 to 3.2.3.redhat-00002 JBEAP-16369 - (7.2.z) Upgrade httpasyncclient from 4.1.3.redhat-2 to 4.1.4.redhat-00001 JBEAP-16381 - (7.2.z) Upgrade jboss-remoting-jmx from 3.0.0.Final to 3.0.1.Final JBEAP-16418 - (7.2.z) Upgrade Hibernate ORM from 5.3.8 to 5.3.9 JBEAP-9657 - (7.2.z) Upgrade jboss-negotiation from 3.0.4 to 3.0.5.Final-redhat-00001
-
Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
-
Summary:
This is a security update for JBoss EAP Continuous Delivery 18.0. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Important: Red Hat Data Grid 7.3.3 security update Advisory ID: RHSA-2020:0727-01 Product: Red Hat JBoss Data Grid Advisory URL: https://access.redhat.com/errata/RHSA-2020:0727 Issue date: 2020-03-05 CVE Names: CVE-2018-14335 CVE-2019-3805 CVE-2019-3888 CVE-2019-9512 CVE-2019-9514 CVE-2019-9515 CVE-2019-9518 CVE-2019-10173 CVE-2019-10174 CVE-2019-10184 CVE-2019-10212 CVE-2019-14379 ==================================================================== 1. Summary:
An update for Red Hat Data Grid is now available.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
- Description:
Red Hat Data Grid is a distributed, in-memory, NoSQL datastore based on the Infinispan project.
This release of Red Hat Data Grid 7.3.3 serves as a replacement for Red Hat Data Grid 7.3.2 and includes bug fixes and enhancements, which are described in the Release Notes, linked to in the References section of this erratum.
Security Fix(es):
-
HTTP/2: flood using PING frames results in unbounded memory growth (CVE-2019-9512)
-
HTTP/2: flood using HEADERS frames results in unbounded memory growth (CVE-2019-9514)
-
HTTP/2: flood using SETTINGS frames results in unbounded memory growth (CVE-2019-9515)
-
HTTP/2: flood using empty frames results in excessive resource consumption (CVE-2019-9518)
-
xstream: remote code execution due to insecure XML deserialization (regression of CVE-2013-7285) (CVE-2019-10173)
-
infinispan: invokeAccessibly method from ReflectionUtil class allows to invoke private methods (CVE-2019-10174)
-
jackson-databind: default typing mishandling leading to remote code execution (CVE-2019-14379)
-
h2: Information Exposure due to insecure handling of permissions in the backup (CVE-2018-14335)
-
wildfly: Race condition on PID file allows for termination of arbitrary processes by local users (CVE-2019-3805)
-
undertow: leak credentials to log files UndertowLogger.REQUEST_LOGGER.undertowRequestFailed (CVE-2019-3888)
-
undertow: DEBUG log for io.undertow.request.security if enabled leaks credentials to log files (CVE-2019-10212)
-
undertow: Information leak in requests for directories without trailing slashes (CVE-2019-10184)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
- Solution:
To install this update, do the following:
- Download the Data Grid 7.3.3 server patch from the customer portal.
- Back up your existing Data Grid installation. You should back up databases, configuration files, and so on.
- Install the Data Grid 7.3.3 server patch. Refer to the 7.3 Release Notes for patching instructions.
-
Restart Data Grid to ensure the changes take effect.
-
Bugs fixed (https://bugzilla.redhat.com/):
1610877 - CVE-2018-14335 h2: Information Exposure due to insecure handling of permissions in the backup 1660263 - CVE-2019-3805 wildfly: Race condition on PID file allows for termination of arbitrary processes by local users 1693777 - CVE-2019-3888 undertow: leak credentials to log files UndertowLogger.REQUEST_LOGGER.undertowRequestFailed 1703469 - CVE-2019-10174 infinispan: invokeAccessibly method from ReflectionUtil class allows to invoke private methods 1713068 - CVE-2019-10184 undertow: Information leak in requests for directories without trailing slashes 1722971 - CVE-2019-10173 xstream: remote code execution due to insecure XML deserialization (regression of CVE-2013-7285) 1731984 - CVE-2019-10212 undertow: DEBUG log for io.undertow.request.security if enabled leaks credentials to log files 1735645 - CVE-2019-9512 HTTP/2: flood using PING frames results in unbounded memory growth 1735744 - CVE-2019-9514 HTTP/2: flood using HEADERS frames results in unbounded memory growth 1735745 - CVE-2019-9515 HTTP/2: flood using SETTINGS frames results in unbounded memory growth 1735749 - CVE-2019-9518 HTTP/2: flood using empty frames results in excessive resource consumption 1737517 - CVE-2019-14379 jackson-databind: default typing mishandling leading to remote code execution
- References:
https://access.redhat.com/security/cve/CVE-2018-14335 https://access.redhat.com/security/cve/CVE-2019-3805 https://access.redhat.com/security/cve/CVE-2019-3888 https://access.redhat.com/security/cve/CVE-2019-9512 https://access.redhat.com/security/cve/CVE-2019-9514 https://access.redhat.com/security/cve/CVE-2019-9515 https://access.redhat.com/security/cve/CVE-2019-9518 https://access.redhat.com/security/cve/CVE-2019-10173 https://access.redhat.com/security/cve/CVE-2019-10174 https://access.redhat.com/security/cve/CVE-2019-10184 https://access.redhat.com/security/cve/CVE-2019-10212 https://access.redhat.com/security/cve/CVE-2019-14379 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product\xdata.grid&downloadType=patches&version=7.3 https://access.redhat.com/documentation/en-us/red_hat_data_grid/7.3/html-single/red_hat_data_grid_7.3_release_notes/index
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIVAwUBXmD2b9zjgjWX9erEAQhDqA/9G7uM0HlTt4M6Z9Zc23FSbbr+jj1k/o69 a5WWa+xS3Ko4IvlN5rt+wOHSFet+NTMAerNHzAsB2+viX1hr14Hwf3QnIom/yxbJ PaC1djdaZfcvSIODhbq/C5Ilae09x3rW1voQ39i1Q2bsEqVePLZdC75KjvNLsfqe QJCMvcO3jkccxn7k45baCfTGsFyOhHb17Y9DRarWsC7jO9kEjMxrUPN6qKP6BC9t RMuqDxo1aJnatMeCWb7NA0UpOz0+lFpuR+ZZYPV444nGmfTKrbc9c5TuQUCSP+LD sG1+fh2xMztuGxNiJfgSP3iqHmgXD9TBxh1kxn1kt59llCO5+Uqu/O5OsqeQQ0Ym I+a2VAzn2N776sTbWIZ3231IJex68oG+4/fIo6/FVVJpmtDIDgumgErTPD0kkNuT yyyn3u50RZohzSxEz37QdiQDJbiJcJhmtFR5fLRAbFa8Ys2Gw81PGFba95/kVooX K5uSukzOBm8nhxfBvwZDCY/gWuJwVLSAOJb4VoPZiR2WbZsx+9r+spQv6K9wYr5v s//DY88rsUSaMH4kGco//6Dqis8IwOISr/ZR+Edlnrz1rHv9Z4XerMw56VUKIHva mS7rdNmbLqHN0XfZImxewLca2i7sWIlxWrgKF2f4zEO3ermivdis7RdssZkJ9Zv9 S7B2VoNOQj4=zoia -----END PGP SIGNATURE-----
-- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201905-0080",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "jboss enterprise application platform",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.0.0"
},
{
"model": "jboss enterprise application platform",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "6.0.0"
},
{
"model": "wildfly",
"scope": "lte",
"trust": 1.0,
"vendor": "redhat",
"version": "16.0.0"
},
{
"model": "jboss enterprise application platform",
"scope": null,
"trust": 0.8,
"vendor": "red hat",
"version": null
},
{
"model": "wildfly",
"scope": "lte",
"trust": 0.8,
"vendor": "red hat",
"version": "16.0.0"
},
{
"model": "hat wildfly \u003c=16.0.0.final",
"scope": null,
"trust": 0.6,
"vendor": "red",
"version": null
},
{
"model": "wildfly",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "0"
},
{
"model": "jboss eap",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "70"
},
{
"model": "jboss eap",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "6"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-14823"
},
{
"db": "BID",
"id": "108115"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-003857"
},
{
"db": "NVD",
"id": "CVE-2019-3805"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:redhat:wildfly:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "16.0.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.0.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2019-3805"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Red Hat",
"sources": [
{
"db": "PACKETSTORM",
"id": "153980"
},
{
"db": "PACKETSTORM",
"id": "152764"
},
{
"db": "PACKETSTORM",
"id": "152765"
},
{
"db": "PACKETSTORM",
"id": "152766"
},
{
"db": "PACKETSTORM",
"id": "158095"
},
{
"db": "PACKETSTORM",
"id": "156628"
},
{
"db": "CNNVD",
"id": "CNNVD-201905-107"
}
],
"trust": 1.2
},
"cve": "CVE-2019-3805",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "MEDIUM",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "COMPLETE",
"baseScore": 4.7,
"confidentialityImpact": "NONE",
"exploitabilityScore": 3.4,
"impactScore": 6.9,
"integrityImpact": "NONE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Medium",
"accessVector": "Local",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "Complete",
"baseScore": 4.7,
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "CVE-2019-3805",
"impactScore": null,
"integrityImpact": "None",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.9,
"userInteractionRequired": null,
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "LOCAL",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "COMPLETE",
"baseScore": 4.7,
"confidentialityImpact": "NONE",
"exploitabilityScore": 3.4,
"id": "CNVD-2019-14823",
"impactScore": 6.9,
"integrityImpact": "NONE",
"severity": "MEDIUM",
"trust": 0.6,
"vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:C",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"exploitabilityScore": 1.0,
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
{
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"author": "secalert@redhat.com",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"exploitabilityScore": 1.8,
"impactScore": 3.6,
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
{
"attackComplexity": "High",
"attackVector": "Local",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 4.7,
"baseSeverity": "Medium",
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "CVE-2019-3805",
"impactScore": null,
"integrityImpact": "None",
"privilegesRequired": "Low",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2019-3805",
"trust": 1.8,
"value": "MEDIUM"
},
{
"author": "secalert@redhat.com",
"id": "CVE-2019-3805",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "CNVD",
"id": "CNVD-2019-14823",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201905-107",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULMON",
"id": "CVE-2019-3805",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-14823"
},
{
"db": "VULMON",
"id": "CVE-2019-3805"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-003857"
},
{
"db": "CNNVD",
"id": "CNNVD-201905-107"
},
{
"db": "NVD",
"id": "CVE-2019-3805"
},
{
"db": "NVD",
"id": "CVE-2019-3805"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "A flaw was discovered in wildfly versions up to 16.0.0.Final that would allow local users who are able to execute init.d script to terminate arbitrary processes on the system. An attacker could exploit this by modifying the PID file in /var/run/jboss-eap/ allowing the init.d script to terminate any process as root. wildfly Contains a race condition vulnerability.Service operation interruption (DoS) There is a possibility of being put into a state. RedHatWildfly is a JavaEE-based lightweight open source application server from RedHat. A race condition issue vulnerability exists in RedHatWildfly16.0.0.Final and prior versions. The vulnerability stems from the improper handling of concurrent access when the network system or product is running and concurrent code needs to access shared resources mutually exclusive. Redhat Wildfly is prone to a local denial of service vulnerability. \nAn attacker can leverage this issue to cause a denial of service condition. \nThe purpose of this text-only errata is to inform you about the security\nissues fixed in this release. \n\nInstallation instructions are available from the Fuse 7.4.0 product\ndocumentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.4/\n\n4. \n\nThe References section of this erratum contains a download link (you must\nlog in to download the update). \n\nThe JBoss server process must be restarted for the update to take effect. Solution:\n\nBefore applying this update, back up your existing Red Hat JBoss Enterprise\nApplication Platform installation and deployed applications. \n\nFor details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\n5. Bugs fixed (https://bugzilla.redhat.com/):\n\n1628702 - CVE-2018-14642 undertow: Infoleak in some circumstances where Undertow can serve data from a random buffer\n1660263 - CVE-2019-3805 wildfly: Race condition on PID file allows for termination of arbitrary processes by local users\n1666423 - CVE-2018-14720 jackson-databind: exfiltration/XXE in some JDK classes\n1666428 - CVE-2018-14721 jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class\n1671096 - CVE-2018-12023 jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver\n1671097 - CVE-2018-12022 jackson-databind: improper polymorphic deserialization of types from Jodd-db library\n1677341 - CVE-2018-11307 jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis\n1682108 - CVE-2019-3894 wildfly: wrong SecurityIdentity for EE concurrency threads that are reused\n\n6. JIRA issues fixed (https://issues.jboss.org/):\n\nJBEAP-14861 - [GSS](7.2.z) Upgrade JBeret from 1.3.1.Final to 1.3.2.Final\nJBEAP-15392 - (7.2.z) Upgrade Apache CXF from 3.2.5 to 3.2.7\nJBEAP-15477 - (7.2.z) Upgrade PicketLink bindings from 2.5.5.SP12-redhat-2 to 2.5.5.SP12-redhat-4\nJBEAP-15478 - (7.2.z) Upgrade PicketLink from 2.5.5.SP12-redhat-2 to 2.5.5.SP12-redhat-4\nJBEAP-15568 - [GSS](7.2.z) Upgrade ironjacamar from 1.4.11 Final to 1.4.15 Final\nJBEAP-15617 - (7.2.z) Upgrade WildFly Core from 6.0.11 to 6.0.12\nJBEAP-15622 - [GSS](7.2.z) Upgrade jboss-el-api_spec from 1.0.12.Final to 1.0.13.Final\nJBEAP-15748 - [GSS](7.2.z) Upgrade jastow from 2.0.6.Final-redhat-00001 to 2.0.7.Final-redhat-00001\nJBEAP-15805 - (7.2.z) Upgrade Hibernate ORM from 5.3.7 to 5.3.8\nJBEAP-15851 - [ENG] (7.2.z) Upgrade Infinispan from 9.3.3.Final to 9.3.6.Final\nJBEAP-15869 - (7.2.z) Upgrade Undertow from 2.0.15 to 2.0.19\nJBEAP-15876 - (7.2.z) Upgrade Artemis from 2.6.3.redhat-00014 to 2.6.3.redhat-00020\nJBEAP-16025 - Upgrade yasson from 1.0.1 to 1.0.2\nJBEAP-16037 - [GSS](7.2.z) Upgrade Narayana from 5.9.0.Final to 5.9.1.Final\nJBEAP-16086 - (7.2.z) Upgrade WildFly HTTP client from 1.0.12.Final to 1.0.13.Final\nJBEAP-16090 - [GSS](7.2.z) Upgrade jboss-ejb-client from 4.0.12 to 4.0.15\nJBEAP-16091 - [GSS](7.2.z) Upgrade wildfly-transaction-client from 1.1.2.Final-redhat-1 to 1.1.3.Final-redhat-1\nJBEAP-16112 - (7.2.z) Upgrade FasterXML Jackson from 2.9.5.redhat-2 to 2.9.8\nJBEAP-16122 - [Runtimes] (7.2.z) Upgrade istack from 3.0.5.redhat-1 to 3.0.7.redhat-00001\nJBEAP-16123 - [Runtimes] (7.2.x) Upgrade commons-digester from 1.8 to 1.8.1.redhat-4\nJBEAP-16124 - [Runtimes] (7.2.x) Upgrade hornetq from 2.4.7.redhat-1 to 2.4.7.redhat-2\nJBEAP-16125 - [Runtimes] (7.2.x) Upgrade org.jboss.genericjms from 2.0.1.Final-redhat-1 to 2.0.1.Final-redhat-00002\nJBEAP-16137 - (7.2.z) (WFCORE) Upgrade FasterXML Jackson from 2.9.2 to 2.9.8\nJBEAP-16146 - (7.2.z) Upgrade Elytron from 1.6.1.Final to 1.6.2.Final\nJBEAP-16147 - (7.2.z) Upgrade Elytron-Tool from 1.4.0 to 1.4.1.Final\nJBEAP-16234 - Tracker bug for the EAP 7.2.1 release for RHEL-7\nJBEAP-16259 - (7.2.z) Upgrade legacy EJB Client from 3.0.2.Final-redhat-1 to 3.0.3.Final-redhat-1\nJBEAP-16276 - (7.2.z) Upgrade elytron-web from 1.2.3.Final to 1.2.4.Final\nJBEAP-16321 - (7.2.z) HHH-13099 HHH-13283 Upgrade ByteBuddy from 1.8.17 to 1.9.5\nJBEAP-16347 - (7.2.z) Upgrade jboss-logmanager from 2.1.5.Final-redhat-00001 to 2.1.7.Final\nJBEAP-16356 - (7.2.z) Upgrade RESTEasy from 3.6.1.SP2 to 3.6.1.SP3\nJBEAP-16367 - (7.2.z) Upgrade commons-lang3 from 3.6.0-redhat-1 to 3.8-redhat-00001\nJBEAP-16368 - (7.2.z) Upgrade cxf-xjc from 3.2.2.redhat-00001 to 3.2.3.redhat-00002\nJBEAP-16369 - (7.2.z) Upgrade httpasyncclient from 4.1.3.redhat-2 to 4.1.4.redhat-00001\nJBEAP-16381 - (7.2.z) Upgrade jboss-remoting-jmx from 3.0.0.Final to 3.0.1.Final\nJBEAP-16418 - (7.2.z) Upgrade Hibernate ORM from 5.3.8 to 5.3.9\nJBEAP-9657 - (7.2.z) Upgrade jboss-negotiation from 3.0.4 to 3.0.5.Final-redhat-00001\n\n7. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n8. Summary:\n\nThis is a security update for JBoss EAP Continuous Delivery 18.0. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n==================================================================== \nRed Hat Security Advisory\n\nSynopsis: Important: Red Hat Data Grid 7.3.3 security update\nAdvisory ID: RHSA-2020:0727-01\nProduct: Red Hat JBoss Data Grid\nAdvisory URL: https://access.redhat.com/errata/RHSA-2020:0727\nIssue date: 2020-03-05\nCVE Names: CVE-2018-14335 CVE-2019-3805 CVE-2019-3888\n CVE-2019-9512 CVE-2019-9514 CVE-2019-9515\n CVE-2019-9518 CVE-2019-10173 CVE-2019-10174\n CVE-2019-10184 CVE-2019-10212 CVE-2019-14379\n====================================================================\n1. Summary:\n\nAn update for Red Hat Data Grid is now available. \n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE link(s) in the References section. \n\n2. Description:\n\nRed Hat Data Grid is a distributed, in-memory, NoSQL datastore based on the\nInfinispan project. \n\nThis release of Red Hat Data Grid 7.3.3 serves as a replacement for Red Hat\nData Grid 7.3.2 and includes bug fixes and enhancements, which are\ndescribed in the Release Notes, linked to in the References section of this\nerratum. \n\nSecurity Fix(es):\n\n* HTTP/2: flood using PING frames results in unbounded memory growth\n(CVE-2019-9512)\n\n* HTTP/2: flood using HEADERS frames results in unbounded memory growth\n(CVE-2019-9514)\n\n* HTTP/2: flood using SETTINGS frames results in unbounded memory growth\n(CVE-2019-9515)\n\n* HTTP/2: flood using empty frames results in excessive resource\nconsumption (CVE-2019-9518)\n\n* xstream: remote code execution due to insecure XML deserialization\n(regression of CVE-2013-7285) (CVE-2019-10173)\n\n* infinispan: invokeAccessibly method from ReflectionUtil class allows to\ninvoke private methods (CVE-2019-10174)\n\n* jackson-databind: default typing mishandling leading to remote code\nexecution (CVE-2019-14379)\n\n* h2: Information Exposure due to insecure handling of permissions in the\nbackup (CVE-2018-14335)\n\n* wildfly: Race condition on PID file allows for termination of arbitrary\nprocesses by local users (CVE-2019-3805)\n\n* undertow: leak credentials to log files\nUndertowLogger.REQUEST_LOGGER.undertowRequestFailed (CVE-2019-3888)\n\n* undertow: DEBUG log for io.undertow.request.security if enabled leaks\ncredentials to log files (CVE-2019-10212)\n\n* undertow: Information leak in requests for directories without trailing\nslashes (CVE-2019-10184)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. \n\n3. Solution:\n\nTo install this update, do the following:\n\n1. Download the Data Grid 7.3.3 server patch from the customer portal. \n2. Back up your existing Data Grid installation. You should back up\ndatabases, configuration files, and so on. \n3. Install the Data Grid 7.3.3 server patch. Refer to the 7.3 Release Notes\nfor patching instructions. \n4. Restart Data Grid to ensure the changes take effect. \n\n4. Bugs fixed (https://bugzilla.redhat.com/):\n\n1610877 - CVE-2018-14335 h2: Information Exposure due to insecure handling of permissions in the backup\n1660263 - CVE-2019-3805 wildfly: Race condition on PID file allows for termination of arbitrary processes by local users\n1693777 - CVE-2019-3888 undertow: leak credentials to log files UndertowLogger.REQUEST_LOGGER.undertowRequestFailed\n1703469 - CVE-2019-10174 infinispan: invokeAccessibly method from ReflectionUtil class allows to invoke private methods\n1713068 - CVE-2019-10184 undertow: Information leak in requests for directories without trailing slashes\n1722971 - CVE-2019-10173 xstream: remote code execution due to insecure XML deserialization (regression of CVE-2013-7285)\n1731984 - CVE-2019-10212 undertow: DEBUG log for io.undertow.request.security if enabled leaks credentials to log files\n1735645 - CVE-2019-9512 HTTP/2: flood using PING frames results in unbounded memory growth\n1735744 - CVE-2019-9514 HTTP/2: flood using HEADERS frames results in unbounded memory growth\n1735745 - CVE-2019-9515 HTTP/2: flood using SETTINGS frames results in unbounded memory growth\n1735749 - CVE-2019-9518 HTTP/2: flood using empty frames results in excessive resource consumption\n1737517 - CVE-2019-14379 jackson-databind: default typing mishandling leading to remote code execution\n\n5. References:\n\nhttps://access.redhat.com/security/cve/CVE-2018-14335\nhttps://access.redhat.com/security/cve/CVE-2019-3805\nhttps://access.redhat.com/security/cve/CVE-2019-3888\nhttps://access.redhat.com/security/cve/CVE-2019-9512\nhttps://access.redhat.com/security/cve/CVE-2019-9514\nhttps://access.redhat.com/security/cve/CVE-2019-9515\nhttps://access.redhat.com/security/cve/CVE-2019-9518\nhttps://access.redhat.com/security/cve/CVE-2019-10173\nhttps://access.redhat.com/security/cve/CVE-2019-10174\nhttps://access.redhat.com/security/cve/CVE-2019-10184\nhttps://access.redhat.com/security/cve/CVE-2019-10212\nhttps://access.redhat.com/security/cve/CVE-2019-14379\nhttps://access.redhat.com/security/updates/classification/#important\nhttps://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product\\xdata.grid\u0026downloadType=patches\u0026version=7.3\nhttps://access.redhat.com/documentation/en-us/red_hat_data_grid/7.3/html-single/red_hat_data_grid_7.3_release_notes/index\n\n6. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2020 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBXmD2b9zjgjWX9erEAQhDqA/9G7uM0HlTt4M6Z9Zc23FSbbr+jj1k/o69\na5WWa+xS3Ko4IvlN5rt+wOHSFet+NTMAerNHzAsB2+viX1hr14Hwf3QnIom/yxbJ\nPaC1djdaZfcvSIODhbq/C5Ilae09x3rW1voQ39i1Q2bsEqVePLZdC75KjvNLsfqe\nQJCMvcO3jkccxn7k45baCfTGsFyOhHb17Y9DRarWsC7jO9kEjMxrUPN6qKP6BC9t\nRMuqDxo1aJnatMeCWb7NA0UpOz0+lFpuR+ZZYPV444nGmfTKrbc9c5TuQUCSP+LD\nsG1+fh2xMztuGxNiJfgSP3iqHmgXD9TBxh1kxn1kt59llCO5+Uqu/O5OsqeQQ0Ym\nI+a2VAzn2N776sTbWIZ3231IJex68oG+4/fIo6/FVVJpmtDIDgumgErTPD0kkNuT\nyyyn3u50RZohzSxEz37QdiQDJbiJcJhmtFR5fLRAbFa8Ys2Gw81PGFba95/kVooX\nK5uSukzOBm8nhxfBvwZDCY/gWuJwVLSAOJb4VoPZiR2WbZsx+9r+spQv6K9wYr5v\ns//DY88rsUSaMH4kGco//6Dqis8IwOISr/ZR+Edlnrz1rHv9Z4XerMw56VUKIHva\nmS7rdNmbLqHN0XfZImxewLca2i7sWIlxWrgKF2f4zEO3ermivdis7RdssZkJ9Zv9\nS7B2VoNOQj4=zoia\n-----END PGP SIGNATURE-----\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2019-3805"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-003857"
},
{
"db": "CNVD",
"id": "CNVD-2019-14823"
},
{
"db": "BID",
"id": "108115"
},
{
"db": "VULMON",
"id": "CVE-2019-3805"
},
{
"db": "PACKETSTORM",
"id": "153980"
},
{
"db": "PACKETSTORM",
"id": "152764"
},
{
"db": "PACKETSTORM",
"id": "152765"
},
{
"db": "PACKETSTORM",
"id": "152766"
},
{
"db": "PACKETSTORM",
"id": "158095"
},
{
"db": "PACKETSTORM",
"id": "156628"
}
],
"trust": 3.06
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2019-3805",
"trust": 4.0
},
{
"db": "JVNDB",
"id": "JVNDB-2019-003857",
"trust": 0.8
},
{
"db": "PACKETSTORM",
"id": "152766",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "158095",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "156628",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2019-14823",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2019.1618",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.2071",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2019.1638",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.0832",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "152779",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-201905-107",
"trust": 0.6
},
{
"db": "BID",
"id": "108115",
"trust": 0.3
},
{
"db": "VULMON",
"id": "CVE-2019-3805",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "153980",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "152764",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "152765",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-14823"
},
{
"db": "VULMON",
"id": "CVE-2019-3805"
},
{
"db": "BID",
"id": "108115"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-003857"
},
{
"db": "PACKETSTORM",
"id": "153980"
},
{
"db": "PACKETSTORM",
"id": "152764"
},
{
"db": "PACKETSTORM",
"id": "152765"
},
{
"db": "PACKETSTORM",
"id": "152766"
},
{
"db": "PACKETSTORM",
"id": "158095"
},
{
"db": "PACKETSTORM",
"id": "156628"
},
{
"db": "CNNVD",
"id": "CNNVD-201905-107"
},
{
"db": "NVD",
"id": "CVE-2019-3805"
}
]
},
"id": "VAR-201905-0080",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-14823"
}
],
"trust": 1.6
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-14823"
}
]
},
"last_update_date": "2024-07-23T19:54:24.312000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Bug 1660263",
"trust": 0.8,
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=cve-2019-3805"
},
{
"title": "RHSA-2019:1106",
"trust": 0.8,
"url": "https://access.redhat.com/errata/rhsa-2019:1106"
},
{
"title": "RHSA-2019:1107",
"trust": 0.8,
"url": "https://access.redhat.com/errata/rhsa-2019:1107"
},
{
"title": "RHSA-2019:1108",
"trust": 0.8,
"url": "https://access.redhat.com/errata/rhsa-2019:1108"
},
{
"title": "RHSA-2019:1140",
"trust": 0.8,
"url": "https://access.redhat.com/errata/rhsa-2019:1140"
},
{
"title": "Red Hat: Important: Red Hat JBoss Enterprise Application Platform 7.2.1 on RHEL 7 security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20191108 - security advisory"
},
{
"title": "Red Hat: Important: Red Hat Fuse 7.4.0 security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20192413 - security advisory"
},
{
"title": "Red Hat: Important: Red Hat JBoss Enterprise Application Platform 7.2.1 on RHEL 6 security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20191107 - security advisory"
},
{
"title": "Red Hat: Important: Red Hat JBoss Enterprise Application Platform 7.2.1 security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20191106 - security advisory"
},
{
"title": "Red Hat: Important: EAP Continuous Delivery Technical Preview Release 18 security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20202565 - security advisory"
},
{
"title": "Red Hat: Important: Red Hat Single Sign-On 7.3.1 security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20191140 - security advisory"
},
{
"title": "Red Hat: Important: Red Hat Data Grid 7.3.3 security update",
"trust": 0.1,
"url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20200727 - security advisory"
}
],
"sources": [
{
"db": "VULMON",
"id": "CVE-2019-3805"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-003857"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-269",
"trust": 1.0
},
{
"problemtype": "CWE-362",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-003857"
},
{
"db": "NVD",
"id": "CVE-2019-3805"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.4,
"url": "https://access.redhat.com/errata/rhsa-2019:1106"
},
{
"trust": 2.4,
"url": "https://access.redhat.com/errata/rhsa-2019:2413"
},
{
"trust": 2.3,
"url": "https://access.redhat.com/errata/rhsa-2019:1140"
},
{
"trust": 2.0,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-3805"
},
{
"trust": 1.8,
"url": "https://access.redhat.com/errata/rhsa-2019:1108"
},
{
"trust": 1.8,
"url": "https://access.redhat.com/errata/rhsa-2019:1107"
},
{
"trust": 1.8,
"url": "https://access.redhat.com/errata/rhsa-2020:0727"
},
{
"trust": 1.7,
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=cve-2019-3805"
},
{
"trust": 1.7,
"url": "https://security.netapp.com/advisory/ntap-20190517-0004/"
},
{
"trust": 0.9,
"url": "https://access.redhat.com/security/cve/cve-2019-3805"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-3805"
},
{
"trust": 0.6,
"url": "https://web.nvd.nist.gov//vuln/detail/cve-2019-3805"
},
{
"trust": 0.6,
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"trust": 0.6,
"url": "https://access.redhat.com/security/team/contact/"
},
{
"trust": 0.6,
"url": "https://www.redhat.com/mailman/listinfo/rhsa-announce"
},
{
"trust": 0.6,
"url": "https://bugzilla.redhat.com/):"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.2071/"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/152779/red-hat-security-advisory-2019-1140-01.html"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/158095/red-hat-security-advisory-2020-2565-01.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.0832/"
},
{
"trust": 0.6,
"url": "https://vigilance.fr/vulnerability/red-hat-jboss-enterprise-application-platform-wildfly-privilege-escalation-29227"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/152766/red-hat-security-advisory-2019-1107-01.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/80598"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/156628/red-hat-security-advisory-2020-0727-01.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/80514"
},
{
"trust": 0.3,
"url": "http://wildfly.org/"
},
{
"trust": 0.3,
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1660263"
},
{
"trust": 0.3,
"url": "https://issues.jboss.org/):"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-14642"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-14720"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-12022"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2018-14720"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-12023"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/html-single/installation_guide/"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2018-12023"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2018-14642"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2018-14721"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2018-12022"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11307"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-14721"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2019-3894"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2018-11307"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-3894"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/articles/11258"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/team/key/"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-9514"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-9515"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2019-9512"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2019-9514"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2019-9515"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-9512"
},
{
"trust": 0.1,
"url": "https://cwe.mitre.org/data/definitions/269.html"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
},
{
"trust": 0.1,
"url": "https://tools.cisco.com/security/center/viewalert.x?alertid=60107"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-1258"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=distributions\u0026product=jboss.fuse\u0026version=7.4.0"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2018-1320"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2018-10899"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-10750"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-0192"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2018-8088"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-10899"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-1320"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2016-10750"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/documentation/en-us/red_hat_fuse/7.4/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-15758"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-8088"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-0192"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2018-1258"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2018-15758"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?product=appplatform\u0026downloadtype=securitypatches\u0026version=7.2"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-9511"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11620"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-9511"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-14838"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-11619"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2020:2565"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11619"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-11620"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14838"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-19343"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-19343"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2018-14335"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-10174"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14379"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-10184"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-10173"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?product\\xdata.grid\u0026downloadtype=patches\u0026version=7.3"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-3888"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-10173"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-9518"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-3888"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-10212"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-10212"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/documentation/en-us/red_hat_data_grid/7.3/html-single/red_hat_data_grid_7.3_release_notes/index"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-10184"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-10174"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-9518"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-14335"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-14379"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2019-14823"
},
{
"db": "VULMON",
"id": "CVE-2019-3805"
},
{
"db": "BID",
"id": "108115"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-003857"
},
{
"db": "PACKETSTORM",
"id": "153980"
},
{
"db": "PACKETSTORM",
"id": "152764"
},
{
"db": "PACKETSTORM",
"id": "152765"
},
{
"db": "PACKETSTORM",
"id": "152766"
},
{
"db": "PACKETSTORM",
"id": "158095"
},
{
"db": "PACKETSTORM",
"id": "156628"
},
{
"db": "CNNVD",
"id": "CNNVD-201905-107"
},
{
"db": "NVD",
"id": "CVE-2019-3805"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2019-14823"
},
{
"db": "VULMON",
"id": "CVE-2019-3805"
},
{
"db": "BID",
"id": "108115"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-003857"
},
{
"db": "PACKETSTORM",
"id": "153980"
},
{
"db": "PACKETSTORM",
"id": "152764"
},
{
"db": "PACKETSTORM",
"id": "152765"
},
{
"db": "PACKETSTORM",
"id": "152766"
},
{
"db": "PACKETSTORM",
"id": "158095"
},
{
"db": "PACKETSTORM",
"id": "156628"
},
{
"db": "CNNVD",
"id": "CNNVD-201905-107"
},
{
"db": "NVD",
"id": "CVE-2019-3805"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-05-21T00:00:00",
"db": "CNVD",
"id": "CNVD-2019-14823"
},
{
"date": "2019-05-03T00:00:00",
"db": "VULMON",
"id": "CVE-2019-3805"
},
{
"date": "2018-12-18T00:00:00",
"db": "BID",
"id": "108115"
},
{
"date": "2019-05-23T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2019-003857"
},
{
"date": "2019-08-08T14:34:03",
"db": "PACKETSTORM",
"id": "153980"
},
{
"date": "2019-05-08T17:45:48",
"db": "PACKETSTORM",
"id": "152764"
},
{
"date": "2019-05-08T17:45:55",
"db": "PACKETSTORM",
"id": "152765"
},
{
"date": "2019-05-08T17:46:03",
"db": "PACKETSTORM",
"id": "152766"
},
{
"date": "2020-06-16T00:54:44",
"db": "PACKETSTORM",
"id": "158095"
},
{
"date": "2020-03-05T14:41:17",
"db": "PACKETSTORM",
"id": "156628"
},
{
"date": "2019-05-03T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201905-107"
},
{
"date": "2019-05-03T20:29:01.263000",
"db": "NVD",
"id": "CVE-2019-3805"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2019-05-21T00:00:00",
"db": "CNVD",
"id": "CNVD-2019-14823"
},
{
"date": "2020-10-16T00:00:00",
"db": "VULMON",
"id": "CVE-2019-3805"
},
{
"date": "2018-12-18T00:00:00",
"db": "BID",
"id": "108115"
},
{
"date": "2019-05-23T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2019-003857"
},
{
"date": "2020-10-19T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201905-107"
},
{
"date": "2020-10-16T16:04:34.210000",
"db": "NVD",
"id": "CVE-2019-3805"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "local",
"sources": [
{
"db": "BID",
"id": "108115"
},
{
"db": "CNNVD",
"id": "CNNVD-201905-107"
}
],
"trust": 0.9
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "wildfly Race condition vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-003857"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "competition condition problem",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201905-107"
}
],
"trust": 0.6
}
}
var-202003-1771
Vulnerability from variot
A flaw was found when an OpenSSL security provider is used with Wildfly, the 'enabled-protocols' value in the Wildfly configuration isn't honored. An attacker could target the traffic sent from Wildfly and downgrade the connection to a weaker version of TLS, potentially breaking the encryption. This could lead to a leak of the data being passed over the network. Wildfly version 7.2.0.GA, 7.2.3.GA and 7.2.5.CR2 are believed to be vulnerable. Wildfly There is a cryptographic strength vulnerability in.Information may be obtained and tampered with. Red Hat Wildfly is a lightweight open source application server based on JavaEE from American Red Hat (Red Hat) company. The vulnerability stems from the program's failure to implement the'enabled-protocols' setting configured by Wildfly. Attackers can use this vulnerability to obtain information spread on the network. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Important: Red Hat JBoss Enterprise Application Platform 7.3.1 Security update Advisory ID: RHSA-2020:2512-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://access.redhat.com/errata/RHSA-2020:2512 Issue date: 2020-06-10 CVE Names: CVE-2018-14371 CVE-2019-0205 CVE-2019-0210 CVE-2019-10172 CVE-2019-12423 CVE-2019-14887 CVE-2019-17573 CVE-2020-1695 CVE-2020-1729 CVE-2020-1745 CVE-2020-1757 CVE-2020-6950 CVE-2020-7226 CVE-2020-8840 CVE-2020-9546 CVE-2020-9547 CVE-2020-9548 CVE-2020-10688 CVE-2020-10719 ==================================================================== 1. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
- Description:
Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. See the Red Hat JBoss Enterprise Application Platform 7.3.1 Release Notes for information about the most significant bug fixes and enhancements included in this release.
Security Fix(es):
-
cxf: reflected XSS in the services listing page (CVE-2019-17573)
-
cxf-core: cxf: OpenId Connect token service does not properly validate the clientId (CVE-2019-12423)
-
jackson-mapper-asl: XML external entity similar to CVE-2016-3720 (CVE-2019-10172)
-
undertow: servletPath in normalized incorrectly leading to dangerous application mapping which could result in security bypass (CVE-2020-1757)
-
jackson-databind: XML external entity similar to CVE-2016-3720 (CVE-2019-10172)
-
jackson-mapper-asl: XML external entity similar to CVE-2016-3720 (CVE-2019-10172)
-
resteasy-jaxrs: resteasy: Improper validation of response header in MediaTypeHeaderDelegate.java class (CVE-2020-1695)
-
cryptacular: excessive memory allocation during a decode operation (CVE-2020-7226)
-
smallrye-config: SmallRye: SecuritySupport class is incorrectly public and contains a static method to access the current threads context class loader (CVE-2020-1729)
-
resteasy: RESTEASY003870 exception in RESTEasy can lead to a reflected XSS attack (CVE-2020-10688)
-
jackson-databind: Lacks certain xbean-reflect/JNDI blocking (CVE-2020-8840)
-
undertow: invalid HTTP request with large chunk size (CVE-2020-10719)
-
jackson-databind: Serialization gadgets in shaded-hikari-config (CVE-2020-9546)
-
jackson-databind: Serialization gadgets in ibatis-sqlmap (CVE-2020-9547)
-
jackson-databind: Serialization gadgets in anteros-core (CVE-2020-9548)
-
undertow: AJP File Read/Inclusion Vulnerability (CVE-2020-1745)
-
libthrift: thrift: Endless loop when feed with specific input data (CVE-2019-0205)
-
libthrift: thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol (CVE-2019-0210)
-
wildfly: The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use (CVE-2019-14887)
-
jsf-impl: Mojarra: Path traversal via either the loc parameter or the con parameter, incomplete fix of CVE-2018-14371 (CVE-2020-6950)
-
jsf-impl: mojarra: Path traversal in ResourceManager.java:getLocalePrefix() via the loc parameter (CVE-2018-14371)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, see the CVE page(s) listed in the References section.
- Solution:
Before applying this update, ensure all previously released errata relevant to your system have been applied.
For details about how to apply this update, see:
https://access.redhat.com/articles/11258
- Bugs fixed (https://bugzilla.redhat.com/):
1607709 - CVE-2018-14371 mojarra: Path traversal in ResourceManager.java:getLocalePrefix() via the loc parameter 1715075 - CVE-2019-10172 jackson-mapper-asl: XML external entity similar to CVE-2016-3720 1730462 - CVE-2020-1695 resteasy: Improper validation of response header in MediaTypeHeaderDelegate.java class 1752770 - CVE-2020-1757 undertow: servletPath is normalized incorrectly leading to dangerous application mapping which could result in security bypass 1764607 - CVE-2019-0210 thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol 1764612 - CVE-2019-0205 thrift: Endless loop when feed with specific input data 1772008 - CVE-2019-14887 wildfly: The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use 1797006 - CVE-2019-12423 cxf: OpenId Connect token service does not properly validate the clientId 1797011 - CVE-2019-17573 cxf: reflected XSS in the services listing page 1801380 - CVE-2020-7226 cryptacular: excessive memory allocation during a decode operation 1802444 - CVE-2020-1729 SmallRye: SecuritySupport class is incorrectly public and contains a static method to access the current threads context class loader 1805006 - CVE-2020-6950 Mojarra: Path traversal via either the loc parameter or the con parameter, incomplete fix of CVE-2018-14371 1807305 - CVE-2020-1745 undertow: AJP File Read/Inclusion Vulnerability 1814974 - CVE-2020-10688 RESTEasy: RESTEASY003870 exception in RESTEasy can lead to a reflected XSS attack 1816330 - CVE-2020-8840 jackson-databind: Lacks certain xbean-reflect/JNDI blocking 1816332 - CVE-2020-9546 jackson-databind: Serialization gadgets in shaded-hikari-config 1816337 - CVE-2020-9547 jackson-databind: Serialization gadgets in ibatis-sqlmap 1816340 - CVE-2020-9548 jackson-databind: Serialization gadgets in anteros-core 1828459 - CVE-2020-10719 undertow: invalid HTTP request with large chunk size
- JIRA issues fixed (https://issues.jboss.org/):
JBEAP-16114 - (7.3.z) Upgrade jboss-vfs to 3.2.15.Final JBEAP-18060 - GSS Upgrade weld from 3.1.2.Final-redhat-00001 to 3.1.4.Final-redhat-00001 JBEAP-18163 - (7.3.z) Upgrade HAL from 3.2.3.Final-redhat-00001 to 3.2.8.Final-redhat-00001 JBEAP-18221 - (7.3.z) Upgrade PicketLink bindings from 2.5.5.SP12-redhat-00010 to 2.5.5.SP12-redhat-00012 JBEAP-18240 - (7.3.z) Update the Chinese translations in WildFly Core JBEAP-18241 - (7.3.z) Update the Japanese translations in WildFly Core JBEAP-18273 - (7.3.z) Upgrade IronJacamar from 1.4.19.Final to 1.4.20.Final JBEAP-18277 - GSS Upgrade JBoss JSF API from 3.0.0.SP01-redhat-00001 to 3.0.0.SP02-redhat-00001 JBEAP-18288 - GSS Upgrade FasterXML from 2.10.0 to 2.10.3 JBEAP-18294 - (7.3.z) Upgrade JAXB from 2.3.1 to 2.3.3-b02 and com.sun.istack from 3.0.7 to 3.0.10 JBEAP-18302 - GSS Upgrade wildfly-http-client from 1.0.18 to 1.0.20 JBEAP-18315 - GSS Upgrade Artemis from 2.9.0.redhat-00005 to 2.9.0.redhat-00010 JBEAP-18346 - GSS Upgrade jakarta.el from 3.0.2.redhat-00001 to 3.0.3.redhat-00002 JBEAP-18352 - GSS Upgrade JBoss Remoting from 5.0.16.Final-redhat-00001 to 5.0.18.Final-redhat-00001 JBEAP-18361 - GSS Upgrade Woodstox from 5.0.3 to 6.0.3 JBEAP-18367 - GSS Upgrade Hibernate ORM from 5.3.15 to 5.3.16 JBEAP-18393 - GSS Update $JBOSS_HOME/docs/schema to show https schema URL instead of http JBEAP-18398 - Tracker bug for the EAP 7.3.1 release for RHEL-7 JBEAP-18409 - GSS Upgrade Infinispan from 9.4.16.Final-redhat-00002 to 9.4.18.Final-redhat-00001 JBEAP-18527 - (7.3.z) Upgrade WildFly Naming Client from 1.0.10.Final to 1.0.12.Final JBEAP-18528 - (7.3.z) Upgrade jboss-ejb-client from 4.0.27.Final to 4.0.31.Final-redhat-00001 JBEAP-18596 - GSS Upgrade JBoss Modules from 1.9.1 to 1.10.0 JBEAP-18598 - GSS Upgrade Bouncycastle from 1.60.0-redhat-00001 to 1.60.0-redhat-00002 JBEAP-18640 - [Runtimes] (7.3.x) Upgrade slf4j-jboss-logmanager from 1.0.3.GA.redhat-2 to 1.0.4.GA.redhat-00001 JBEAP-18653 - (7.3.z) Upgrade Apache CXF from 3.3.4.redhat-00001 to 3.3.5.redhat-00001 JBEAP-18706 - (7.3.z) Upgrade elytron-web from 1.6.0.Final to 1.6.1.Final JBEAP-18770 - Upgrade Jandex to 2.1.2.Final-redhat-00001 JBEAP-18775 - (7.3.z) Upgrade WildFly Core to 10.1.4.Final-redhat-00001 JBEAP-18788 - (7.3.x) Upgrade wss4j from 2.2.4.redhat-00001 to 2.2.5.redhat-00001 JBEAP-18790 - (7.3.z) Upgrade cryptacular from 1.2.0.redhat-1 to 1.2.4.redhat-00001 JBEAP-18818 - (7.3.z) Upgrade PicketBox from 5.0.3.Final-redhat-00005 to 5.0.3.Final-redhat-00006 JBEAP-18836 - GSS Upgrade Remoting JMX from 3.0.3 to 3.0.4 JBEAP-18850 - (7.3.z) Upgrade smallrye-config from 1.4.1 to 1.6.2 JBEAP-18870 - Upgrade WildFly Common to 1.5.2.Final.redhat-00002 JBEAP-18875 - Upgrade MicroProfile Metrics API to 2.3 and smallrye-metrics to 2.4.0 JBEAP-18876 - Upgrade Smallrye Health to 2.2.0 and MP Health API to 2.2 JBEAP-18877 - (7.3.z) Upgrade Jaeger client to 0.34.3 JBEAP-18878 - Upgrade Smallrye Opentracing to 1.3.4 and MP Opentracing to 1.3.3 JBEAP-18879 - (7.3.z) Upgrade MicroProfile Config 1.4 JBEAP-18929 - (7.3.z) Upgrade WildFly Elytron from 1.10.5.Final-redhat-00001 to 1.10.6.Final JBEAP-18990 - (7.3.z) Upgrade jasypt from 1.9.2 to 1.9.3-redhat-00001 JBEAP-18991 - (7.3.z) Upgrade opensaml from 3.3.0.redhat-1 to 3.3.1-redhat-00002 JBEAP-19035 - In Building Custom Layers, update pom.xml content for 7.3.1 JBEAP-19054 - Upgrade MP REST Client to 1.4.0.redhat-00004 JBEAP-19066 - Upgrade snakeyaml from 1.18.0.redhat-2 to 1.24.0.redhat-00001 JBEAP-19117 - GSS Upgrade org.jboss.genericjms from 2.0.2.Final-redhat-00001 to 2.0.4.Final-redhat-00001 JBEAP-19133 - GSS Upgrade JSF based on Mojarra 2.3.9.SP08-redhat-00001 to 2.3.9.SP09-redhat-00001 JBEAP-19156 - (7.3.z) Upgrade RESTEasy from 3.11.1.Final.redhat-00001 to 3.11.2.Final.redhat-00001 JBEAP-19181 - (7.3.z) Upgrade WildFly Core to 10.1.5.Final-redhat-00001 JBEAP-19192 - (7.3.z) Update the Japanese translations JBEAP-19232 - (7.3.z) Upgrade WildFly Core from 10.1.5.Final-redhat-00001 to 10.1.7.Final-redhat-00001 JBEAP-19281 - (7.3.z) Upgrade undertow from 2.0.30.SP2-redhat-00001 to 2.0.30.SP3-redhat-00001 JBEAP-19456 - Upgrade wildfly-transaction-client to 1.1.11.Final
-
Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
-
References:
https://access.redhat.com/security/cve/CVE-2018-14371 https://access.redhat.com/security/cve/CVE-2019-0205 https://access.redhat.com/security/cve/CVE-2019-0210 https://access.redhat.com/security/cve/CVE-2019-10172 https://access.redhat.com/security/cve/CVE-2019-12423 https://access.redhat.com/security/cve/CVE-2019-14887 https://access.redhat.com/security/cve/CVE-2019-17573 https://access.redhat.com/security/cve/CVE-2020-1695 https://access.redhat.com/security/cve/CVE-2020-1729 https://access.redhat.com/security/cve/CVE-2020-1745 https://access.redhat.com/security/cve/CVE-2020-1757 https://access.redhat.com/security/cve/CVE-2020-6950 https://access.redhat.com/security/cve/CVE-2020-7226 https://access.redhat.com/security/cve/CVE-2020-8840 https://access.redhat.com/security/cve/CVE-2020-9546 https://access.redhat.com/security/cve/CVE-2020-9547 https://access.redhat.com/security/cve/CVE-2020-9548 https://access.redhat.com/security/cve/CVE-2020-10688 https://access.redhat.com/security/cve/CVE-2020-10719 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/ https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/html-single/installation_guide/
- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIVAwUBXuHcw9zjgjWX9erEAQh0/w//WCP+lyWNO4PYWG/1MPkiCmf9kc3lABZ/ zn5l0eEXpeV248b6iJ+xq4vgT3+7akvE4u0XOd0yV+dxoLXHGeNoNa5RDeRGFtEJ MbFhSdoOMYJDB14vBcZ6Zwc3lGQX8CrBjACI8mrGOpJIniP4H5dBB+Kb8QhXue82 FhdEppkBiTzMe0t1yWP6pIRgmtLcBGrPG8a5v1R/c8n/1ADIJiXaS8xQGI1x+z17 dJIwoQoF1QacJkDq5AqFHdN8cUqsiqsKNKDbm3B5JR6JEwlMSVGtlrMlxsXX2N9F QMB5LuOOUUfSsm2V1C1PCQ3bBPaXFNJk6upZjeRDQtyP0CxQHASrCgT+kkZAof6F SvflzocaHI/umyATKJkJua3WffJm1YXTGMQSGGgkvUdTxKz6RqAWGN5hOU+oced+ sCYp6gieKvwR4a+ubDfXLoyQ01g1/+f+g5EabKJkVKvsEEFxHPzL4w7cWA6ESG88 DnJ+fgf1tycBJD7Lw7IsmN1ckGWHtY+NzOV6btr+4UC4+qeC9D7b9n7UxSK2gGCE zAMEW88O3RYVB6QofV3Ysx/SHbQrdSfuVVGhzgSDHmYTLRjr31xXaQvFP4QAJS9a bD/W2ZVeN3/nSPduC18i1ZYzDmeP3+A+KS2S4/VWjMs5NSMNlF03RX2KDvegbi9J ULGZnlcYAXQ\xcfE3 -----END PGP SIGNATURE-----
-- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce .
The References section of this erratum contains a download link (you must log in to download the update).
The JBoss server process must be restarted for the update to take effect
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202003-1771",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "wildfly",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.2.0"
},
{
"model": "wildfly",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.2.5"
},
{
"model": "single sign-on",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.0"
},
{
"model": "jboss data grid",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.0.0"
},
{
"model": "wildfly",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.2.3"
},
{
"model": "jboss enterprise application platform",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.0.0"
},
{
"model": "openshift application runtimes",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": null
},
{
"model": "jboss fuse",
"scope": "eq",
"trust": 1.0,
"vendor": "redhat",
"version": "7.0.0"
},
{
"model": "jboss data grid",
"scope": null,
"trust": 0.8,
"vendor": "red hat",
"version": null
},
{
"model": "jboss enterprise application platform",
"scope": null,
"trust": 0.8,
"vendor": "red hat",
"version": null
},
{
"model": "jboss fuse",
"scope": null,
"trust": 0.8,
"vendor": "red hat",
"version": null
},
{
"model": "openshift application runtimes",
"scope": null,
"trust": 0.8,
"vendor": "red hat",
"version": null
},
{
"model": "single sign-on",
"scope": null,
"trust": 0.8,
"vendor": "red hat",
"version": null
},
{
"model": "wildfly",
"scope": "eq",
"trust": 0.8,
"vendor": "red hat",
"version": "7.2.0.ga"
},
{
"model": "wildfly",
"scope": "eq",
"trust": 0.8,
"vendor": "red hat",
"version": "7.2.3.ga"
},
{
"model": "wildfly",
"scope": "eq",
"trust": 0.8,
"vendor": "red hat",
"version": "7.2.5.cr2"
},
{
"model": "ops center common services",
"scope": "eq",
"trust": 0.8,
"vendor": "hitachi",
"version": "(\u6d77\u5916\u8ca9\u58f2\u306e\u307f)"
},
{
"model": "hat wildfly",
"scope": null,
"trust": 0.6,
"vendor": "red",
"version": null
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-24683"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-014948"
},
{
"db": "NVD",
"id": "CVE-2019-14887"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_data_grid:7.0.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:jboss_fuse:7.0.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:openshift_application_runtimes:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:wildfly:7.2.0:general_availability:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:wildfly:7.2.3:general_availability:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:wildfly:7.2.5:cr2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2019-14887"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Red Hat",
"sources": [
{
"db": "PACKETSTORM",
"id": "158048"
},
{
"db": "PACKETSTORM",
"id": "156691"
},
{
"db": "PACKETSTORM",
"id": "156692"
},
{
"db": "PACKETSTORM",
"id": "156693"
},
{
"db": "PACKETSTORM",
"id": "156701"
},
{
"db": "PACKETSTORM",
"id": "158038"
},
{
"db": "PACKETSTORM",
"id": "156885"
},
{
"db": "CNNVD",
"id": "CNNVD-202003-782"
}
],
"trust": 1.3
},
"cve": "CVE-2019-14887",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 10.0,
"impactScore": 4.9,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 6.4,
"confidentialityImpact": "Partial",
"exploitabilityScore": null,
"id": "JVNDB-2019-014948",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "CNVD",
"availabilityImpact": "NONE",
"baseScore": 9.4,
"confidentialityImpact": "COMPLETE",
"exploitabilityScore": 10.0,
"id": "CNVD-2020-24683",
"impactScore": 9.2,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.6,
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:N",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 3.9,
"impactScore": 5.2,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
{
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"author": "secalert@redhat.com",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.2,
"impactScore": 5.2,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.0"
},
{
"attackComplexity": "Low",
"attackVector": "Network",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 9.1,
"baseSeverity": "Critical",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "JVNDB-2019-014948",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "None",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2019-14887",
"trust": 1.0,
"value": "CRITICAL"
},
{
"author": "secalert@redhat.com",
"id": "CVE-2019-14887",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "NVD",
"id": "JVNDB-2019-014948",
"trust": 0.8,
"value": "Critical"
},
{
"author": "CNVD",
"id": "CNVD-2020-24683",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-202003-782",
"trust": 0.6,
"value": "CRITICAL"
}
]
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-24683"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-014948"
},
{
"db": "CNNVD",
"id": "CNNVD-202003-782"
},
{
"db": "NVD",
"id": "CVE-2019-14887"
},
{
"db": "NVD",
"id": "CVE-2019-14887"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "A flaw was found when an OpenSSL security provider is used with Wildfly, the \u0027enabled-protocols\u0027 value in the Wildfly configuration isn\u0027t honored. An attacker could target the traffic sent from Wildfly and downgrade the connection to a weaker version of TLS, potentially breaking the encryption. This could lead to a leak of the data being passed over the network. Wildfly version 7.2.0.GA, 7.2.3.GA and 7.2.5.CR2 are believed to be vulnerable. Wildfly There is a cryptographic strength vulnerability in.Information may be obtained and tampered with. Red Hat Wildfly is a lightweight open source application server based on JavaEE from American Red Hat (Red Hat) company. The vulnerability stems from the program\u0027s failure to implement the\u0027enabled-protocols\u0027 setting configured by Wildfly. Attackers can use this vulnerability to obtain information spread on the network. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n==================================================================== \nRed Hat Security Advisory\n\nSynopsis: Important: Red Hat JBoss Enterprise Application Platform 7.3.1 Security update\nAdvisory ID: RHSA-2020:2512-01\nProduct: Red Hat JBoss Enterprise Application Platform\nAdvisory URL: https://access.redhat.com/errata/RHSA-2020:2512\nIssue date: 2020-06-10\nCVE Names: CVE-2018-14371 CVE-2019-0205 CVE-2019-0210\n CVE-2019-10172 CVE-2019-12423 CVE-2019-14887\n CVE-2019-17573 CVE-2020-1695 CVE-2020-1729\n CVE-2020-1745 CVE-2020-1757 CVE-2020-6950\n CVE-2020-7226 CVE-2020-8840 CVE-2020-9546\n CVE-2020-9547 CVE-2020-9548 CVE-2020-10688\n CVE-2020-10719\n====================================================================\n1. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE link(s) in the References section. \n\n2. Description:\n\nRed Hat JBoss Enterprise Application Platform 7 is a platform for Java\napplications based on the WildFly application runtime. See the Red Hat JBoss Enterprise\nApplication Platform 7.3.1 Release Notes for information about the most\nsignificant bug fixes and enhancements included in this release. \n\nSecurity Fix(es):\n\n* cxf: reflected XSS in the services listing page (CVE-2019-17573)\n\n* cxf-core: cxf: OpenId Connect token service does not properly validate\nthe clientId (CVE-2019-12423)\n\n* jackson-mapper-asl: XML external entity similar to CVE-2016-3720\n(CVE-2019-10172)\n\n* undertow: servletPath in normalized incorrectly leading to dangerous\napplication mapping which could result in security bypass (CVE-2020-1757)\n\n* jackson-databind: XML external entity similar to CVE-2016-3720\n(CVE-2019-10172)\n\n* jackson-mapper-asl: XML external entity similar to CVE-2016-3720\n(CVE-2019-10172)\n\n* resteasy-jaxrs: resteasy: Improper validation of response header in\nMediaTypeHeaderDelegate.java class (CVE-2020-1695)\n\n* cryptacular: excessive memory allocation during a decode operation\n(CVE-2020-7226)\n\n* smallrye-config: SmallRye: SecuritySupport class is incorrectly public\nand contains a static method to access the current threads context class\nloader (CVE-2020-1729)\n\n* resteasy: RESTEASY003870 exception in RESTEasy can lead to a reflected\nXSS attack (CVE-2020-10688)\n\n* jackson-databind: Lacks certain xbean-reflect/JNDI blocking\n(CVE-2020-8840)\n\n* undertow: invalid HTTP request with large chunk size (CVE-2020-10719)\n\n* jackson-databind: Serialization gadgets in shaded-hikari-config\n(CVE-2020-9546)\n\n* jackson-databind: Serialization gadgets in ibatis-sqlmap (CVE-2020-9547)\n\n* jackson-databind: Serialization gadgets in anteros-core (CVE-2020-9548)\n\n* undertow: AJP File Read/Inclusion Vulnerability (CVE-2020-1745)\n\n* libthrift: thrift: Endless loop when feed with specific input data\n(CVE-2019-0205)\n\n* libthrift: thrift: Out-of-bounds read related to TJSONProtocol or\nTSimpleJSONProtocol (CVE-2019-0210)\n\n* wildfly: The \u0027enabled-protocols\u0027 value in legacy security is not\nrespected if OpenSSL security provider is in use (CVE-2019-14887)\n\n* jsf-impl: Mojarra: Path traversal via either the loc parameter or the con\nparameter, incomplete fix of CVE-2018-14371 (CVE-2020-6950)\n\n* jsf-impl: mojarra: Path traversal in\nResourceManager.java:getLocalePrefix() via the loc parameter\n(CVE-2018-14371)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, and other related information, see the CVE page(s) listed in the\nReferences section. \n\n4. Solution:\n\nBefore applying this update, ensure all previously released errata relevant\nto your system have been applied. \n\nFor details about how to apply this update, see:\n\nhttps://access.redhat.com/articles/11258\n\n5. Bugs fixed (https://bugzilla.redhat.com/):\n\n1607709 - CVE-2018-14371 mojarra: Path traversal in ResourceManager.java:getLocalePrefix() via the loc parameter\n1715075 - CVE-2019-10172 jackson-mapper-asl: XML external entity similar to CVE-2016-3720\n1730462 - CVE-2020-1695 resteasy: Improper validation of response header in MediaTypeHeaderDelegate.java class\n1752770 - CVE-2020-1757 undertow: servletPath is normalized incorrectly leading to dangerous application mapping which could result in security bypass\n1764607 - CVE-2019-0210 thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol\n1764612 - CVE-2019-0205 thrift: Endless loop when feed with specific input data\n1772008 - CVE-2019-14887 wildfly: The \u0027enabled-protocols\u0027 value in legacy security is not respected if OpenSSL security provider is in use\n1797006 - CVE-2019-12423 cxf: OpenId Connect token service does not properly validate the clientId\n1797011 - CVE-2019-17573 cxf: reflected XSS in the services listing page\n1801380 - CVE-2020-7226 cryptacular: excessive memory allocation during a decode operation\n1802444 - CVE-2020-1729 SmallRye: SecuritySupport class is incorrectly public and contains a static method to access the current threads context class loader\n1805006 - CVE-2020-6950 Mojarra: Path traversal via either the loc parameter or the con parameter, incomplete fix of CVE-2018-14371\n1807305 - CVE-2020-1745 undertow: AJP File Read/Inclusion Vulnerability\n1814974 - CVE-2020-10688 RESTEasy: RESTEASY003870 exception in RESTEasy can lead to a reflected XSS attack\n1816330 - CVE-2020-8840 jackson-databind: Lacks certain xbean-reflect/JNDI blocking\n1816332 - CVE-2020-9546 jackson-databind: Serialization gadgets in shaded-hikari-config\n1816337 - CVE-2020-9547 jackson-databind: Serialization gadgets in ibatis-sqlmap\n1816340 - CVE-2020-9548 jackson-databind: Serialization gadgets in anteros-core\n1828459 - CVE-2020-10719 undertow: invalid HTTP request with large chunk size\n\n6. JIRA issues fixed (https://issues.jboss.org/):\n\nJBEAP-16114 - (7.3.z) Upgrade jboss-vfs to 3.2.15.Final\nJBEAP-18060 - [GSS](7.3.z) Upgrade weld from 3.1.2.Final-redhat-00001 to 3.1.4.Final-redhat-00001\nJBEAP-18163 - (7.3.z) Upgrade HAL from 3.2.3.Final-redhat-00001 to 3.2.8.Final-redhat-00001\nJBEAP-18221 - (7.3.z) Upgrade PicketLink bindings from 2.5.5.SP12-redhat-00010 to 2.5.5.SP12-redhat-00012\nJBEAP-18240 - (7.3.z) Update the Chinese translations in WildFly Core\nJBEAP-18241 - (7.3.z) Update the Japanese translations in WildFly Core\nJBEAP-18273 - (7.3.z) Upgrade IronJacamar from 1.4.19.Final to 1.4.20.Final\nJBEAP-18277 - [GSS](7.3.z) Upgrade JBoss JSF API from 3.0.0.SP01-redhat-00001 to 3.0.0.SP02-redhat-00001\nJBEAP-18288 - [GSS](7.3.z) Upgrade FasterXML from 2.10.0 to 2.10.3\nJBEAP-18294 - (7.3.z) Upgrade JAXB from 2.3.1 to 2.3.3-b02 and com.sun.istack from 3.0.7 to 3.0.10\nJBEAP-18302 - [GSS](7.3.z) Upgrade wildfly-http-client from 1.0.18 to 1.0.20\nJBEAP-18315 - [GSS](7.3.z) Upgrade Artemis from 2.9.0.redhat-00005 to 2.9.0.redhat-00010\nJBEAP-18346 - [GSS](7.3.z) Upgrade jakarta.el from 3.0.2.redhat-00001 to 3.0.3.redhat-00002\nJBEAP-18352 - [GSS](7.3.z) Upgrade JBoss Remoting from 5.0.16.Final-redhat-00001 to 5.0.18.Final-redhat-00001\nJBEAP-18361 - [GSS](7.3.z) Upgrade Woodstox from 5.0.3 to 6.0.3\nJBEAP-18367 - [GSS](7.3.z) Upgrade Hibernate ORM from 5.3.15 to 5.3.16\nJBEAP-18393 - [GSS](7.3.z) Update $JBOSS_HOME/docs/schema to show https schema URL instead of http\nJBEAP-18398 - Tracker bug for the EAP 7.3.1 release for RHEL-7\nJBEAP-18409 - [GSS](7.3.z) Upgrade Infinispan from 9.4.16.Final-redhat-00002 to 9.4.18.Final-redhat-00001\nJBEAP-18527 - (7.3.z) Upgrade WildFly Naming Client from 1.0.10.Final to 1.0.12.Final\nJBEAP-18528 - (7.3.z) Upgrade jboss-ejb-client from 4.0.27.Final to 4.0.31.Final-redhat-00001\nJBEAP-18596 - [GSS](7.3.z) Upgrade JBoss Modules from 1.9.1 to 1.10.0\nJBEAP-18598 - [GSS](7.3.z) Upgrade Bouncycastle from 1.60.0-redhat-00001 to 1.60.0-redhat-00002\nJBEAP-18640 - [Runtimes] (7.3.x) Upgrade slf4j-jboss-logmanager from 1.0.3.GA.redhat-2 to 1.0.4.GA.redhat-00001\nJBEAP-18653 - (7.3.z) Upgrade Apache CXF from 3.3.4.redhat-00001 to 3.3.5.redhat-00001\nJBEAP-18706 - (7.3.z) Upgrade elytron-web from 1.6.0.Final to 1.6.1.Final\nJBEAP-18770 - Upgrade Jandex to 2.1.2.Final-redhat-00001\nJBEAP-18775 - (7.3.z) Upgrade WildFly Core to 10.1.4.Final-redhat-00001\nJBEAP-18788 - (7.3.x) Upgrade wss4j from 2.2.4.redhat-00001 to 2.2.5.redhat-00001\nJBEAP-18790 - (7.3.z) Upgrade cryptacular from 1.2.0.redhat-1 to 1.2.4.redhat-00001\nJBEAP-18818 - (7.3.z) Upgrade PicketBox from 5.0.3.Final-redhat-00005 to 5.0.3.Final-redhat-00006\nJBEAP-18836 - [GSS](7.3.z) Upgrade Remoting JMX from 3.0.3 to 3.0.4\nJBEAP-18850 - (7.3.z) Upgrade smallrye-config from 1.4.1 to 1.6.2\nJBEAP-18870 - Upgrade WildFly Common to 1.5.2.Final.redhat-00002\nJBEAP-18875 - Upgrade MicroProfile Metrics API to 2.3 and smallrye-metrics to 2.4.0\nJBEAP-18876 - Upgrade Smallrye Health to 2.2.0 and MP Health API to 2.2\nJBEAP-18877 - (7.3.z) Upgrade Jaeger client to 0.34.3\nJBEAP-18878 - Upgrade Smallrye Opentracing to 1.3.4 and MP Opentracing to 1.3.3\nJBEAP-18879 - (7.3.z) Upgrade MicroProfile Config 1.4\nJBEAP-18929 - (7.3.z) Upgrade WildFly Elytron from 1.10.5.Final-redhat-00001 to 1.10.6.Final\nJBEAP-18990 - (7.3.z) Upgrade jasypt from 1.9.2 to 1.9.3-redhat-00001\nJBEAP-18991 - (7.3.z) Upgrade opensaml from 3.3.0.redhat-1 to 3.3.1-redhat-00002\nJBEAP-19035 - In Building Custom Layers, update pom.xml content for 7.3.1\nJBEAP-19054 - Upgrade MP REST Client to 1.4.0.redhat-00004\nJBEAP-19066 - Upgrade snakeyaml from 1.18.0.redhat-2 to 1.24.0.redhat-00001\nJBEAP-19117 - [GSS](7.3.z) Upgrade org.jboss.genericjms from 2.0.2.Final-redhat-00001 to 2.0.4.Final-redhat-00001\nJBEAP-19133 - [GSS](7.3.z) Upgrade JSF based on Mojarra 2.3.9.SP08-redhat-00001 to 2.3.9.SP09-redhat-00001\nJBEAP-19156 - (7.3.z) Upgrade RESTEasy from 3.11.1.Final.redhat-00001 to 3.11.2.Final.redhat-00001\nJBEAP-19181 - (7.3.z) Upgrade WildFly Core to 10.1.5.Final-redhat-00001\nJBEAP-19192 - (7.3.z) Update the Japanese translations\nJBEAP-19232 - (7.3.z) Upgrade WildFly Core from 10.1.5.Final-redhat-00001 to 10.1.7.Final-redhat-00001\nJBEAP-19281 - (7.3.z) Upgrade undertow from 2.0.30.SP2-redhat-00001 to 2.0.30.SP3-redhat-00001\nJBEAP-19456 - Upgrade wildfly-transaction-client to 1.1.11.Final\n\n7. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n8. References:\n\nhttps://access.redhat.com/security/cve/CVE-2018-14371\nhttps://access.redhat.com/security/cve/CVE-2019-0205\nhttps://access.redhat.com/security/cve/CVE-2019-0210\nhttps://access.redhat.com/security/cve/CVE-2019-10172\nhttps://access.redhat.com/security/cve/CVE-2019-12423\nhttps://access.redhat.com/security/cve/CVE-2019-14887\nhttps://access.redhat.com/security/cve/CVE-2019-17573\nhttps://access.redhat.com/security/cve/CVE-2020-1695\nhttps://access.redhat.com/security/cve/CVE-2020-1729\nhttps://access.redhat.com/security/cve/CVE-2020-1745\nhttps://access.redhat.com/security/cve/CVE-2020-1757\nhttps://access.redhat.com/security/cve/CVE-2020-6950\nhttps://access.redhat.com/security/cve/CVE-2020-7226\nhttps://access.redhat.com/security/cve/CVE-2020-8840\nhttps://access.redhat.com/security/cve/CVE-2020-9546\nhttps://access.redhat.com/security/cve/CVE-2020-9547\nhttps://access.redhat.com/security/cve/CVE-2020-9548\nhttps://access.redhat.com/security/cve/CVE-2020-10688\nhttps://access.redhat.com/security/cve/CVE-2020-10719\nhttps://access.redhat.com/security/updates/classification/#important\nhttps://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/\nhttps://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/html-single/installation_guide/\n\n9. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBXuHcw9zjgjWX9erEAQh0/w//WCP+lyWNO4PYWG/1MPkiCmf9kc3lABZ/\nzn5l0eEXpeV248b6iJ+xq4vgT3+7akvE4u0XOd0yV+dxoLXHGeNoNa5RDeRGFtEJ\nMbFhSdoOMYJDB14vBcZ6Zwc3lGQX8CrBjACI8mrGOpJIniP4H5dBB+Kb8QhXue82\nFhdEppkBiTzMe0t1yWP6pIRgmtLcBGrPG8a5v1R/c8n/1ADIJiXaS8xQGI1x+z17\ndJIwoQoF1QacJkDq5AqFHdN8cUqsiqsKNKDbm3B5JR6JEwlMSVGtlrMlxsXX2N9F\nQMB5LuOOUUfSsm2V1C1PCQ3bBPaXFNJk6upZjeRDQtyP0CxQHASrCgT+kkZAof6F\nSvflzocaHI/umyATKJkJua3WffJm1YXTGMQSGGgkvUdTxKz6RqAWGN5hOU+oced+\nsCYp6gieKvwR4a+ubDfXLoyQ01g1/+f+g5EabKJkVKvsEEFxHPzL4w7cWA6ESG88\nDnJ+fgf1tycBJD7Lw7IsmN1ckGWHtY+NzOV6btr+4UC4+qeC9D7b9n7UxSK2gGCE\nzAMEW88O3RYVB6QofV3Ysx/SHbQrdSfuVVGhzgSDHmYTLRjr31xXaQvFP4QAJS9a\nbD/W2ZVeN3/nSPduC18i1ZYzDmeP3+A+KS2S4/VWjMs5NSMNlF03RX2KDvegbi9J\nULGZnlcYAXQ\\xcfE3\n-----END PGP SIGNATURE-----\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n. \n\nThe References section of this erratum contains a download link (you must\nlog in to download the update). \n\nThe JBoss server process must be restarted for the update to take effect",
"sources": [
{
"db": "NVD",
"id": "CVE-2019-14887"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-014948"
},
{
"db": "CNVD",
"id": "CNVD-2020-24683"
},
{
"db": "PACKETSTORM",
"id": "158048"
},
{
"db": "PACKETSTORM",
"id": "156691"
},
{
"db": "PACKETSTORM",
"id": "156692"
},
{
"db": "PACKETSTORM",
"id": "156693"
},
{
"db": "PACKETSTORM",
"id": "156701"
},
{
"db": "PACKETSTORM",
"id": "158038"
},
{
"db": "PACKETSTORM",
"id": "156885"
}
],
"trust": 2.79
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2019-14887",
"trust": 3.7
},
{
"db": "JVNDB",
"id": "JVNDB-2019-014948",
"trust": 0.8
},
{
"db": "PACKETSTORM",
"id": "158048",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "156701",
"trust": 0.7
},
{
"db": "PACKETSTORM",
"id": "156885",
"trust": 0.7
},
{
"db": "CNVD",
"id": "CNVD-2020-24683",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "163798",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "157859",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "157741",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.1024",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2021.2731",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.0915",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.1052",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.1882",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.1766",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.2050",
"trust": 0.6
},
{
"db": "AUSCERT",
"id": "ESB-2020.2042",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202003-782",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "156691",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "156692",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "156693",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "158038",
"trust": 0.1
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-24683"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-014948"
},
{
"db": "PACKETSTORM",
"id": "158048"
},
{
"db": "PACKETSTORM",
"id": "156691"
},
{
"db": "PACKETSTORM",
"id": "156692"
},
{
"db": "PACKETSTORM",
"id": "156693"
},
{
"db": "PACKETSTORM",
"id": "156701"
},
{
"db": "PACKETSTORM",
"id": "158038"
},
{
"db": "PACKETSTORM",
"id": "156885"
},
{
"db": "CNNVD",
"id": "CNNVD-202003-782"
},
{
"db": "NVD",
"id": "CVE-2019-14887"
}
]
},
"id": "VAR-202003-1771",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-24683"
}
],
"trust": 1.6
},
"iot_taxonomy": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"category": [
"Network device"
],
"sub_category": null,
"trust": 0.6
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-24683"
}
]
},
"last_update_date": "2024-07-23T22:09:01.387000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "hitachi-sec-2020-125",
"trust": 0.8,
"url": "http://www.hitachi.co.jp/prod/comp/soft1/global/security/info/vuls/hitachi-sec-2020-125/index.html"
},
{
"title": "Bug 1772008",
"trust": 0.8,
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=cve-2019-14887"
},
{
"title": "hitachi-sec-2020-125",
"trust": 0.8,
"url": "https://www.hitachi.co.jp/prod/comp/soft1/security/info/vuls/hitachi-sec-2020-125/index.html"
},
{
"title": "Patch for Red Hat Wildfly encryption problem vulnerability",
"trust": 0.6,
"url": "https://www.cnvd.org.cn/patchinfo/show/215315"
},
{
"title": "Red Hat Wildfly Security vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=111917"
}
],
"sources": [
{
"db": "CNVD",
"id": "CNVD-2020-24683"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-014948"
},
{
"db": "CNNVD",
"id": "CNNVD-202003-782"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "NVD-CWE-Other",
"trust": 1.0
},
{
"problemtype": "CWE-326",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-014948"
},
{
"db": "NVD",
"id": "CVE-2019-14887"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14887"
},
{
"trust": 1.6,
"url": "https://issues.redhat.com/browse/jbeap-17965"
},
{
"trust": 1.6,
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=cve-2019-14887"
},
{
"trust": 1.6,
"url": "https://security.netapp.com/advisory/ntap-20200327-0007/"
},
{
"trust": 1.3,
"url": "https://access.redhat.com/security/cve/cve-2019-14887"
},
{
"trust": 0.8,
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-14887"
},
{
"trust": 0.7,
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"trust": 0.7,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-0210"
},
{
"trust": 0.7,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-0205"
},
{
"trust": 0.7,
"url": "https://access.redhat.com/security/cve/cve-2019-0210"
},
{
"trust": 0.7,
"url": "https://access.redhat.com/security/team/contact/"
},
{
"trust": 0.7,
"url": "https://www.redhat.com/mailman/listinfo/rhsa-announce"
},
{
"trust": 0.7,
"url": "https://bugzilla.redhat.com/):"
},
{
"trust": 0.7,
"url": "https://access.redhat.com/security/cve/cve-2019-0205"
},
{
"trust": 0.6,
"url": "https://issues.jboss.org/):"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.1882/"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/157741/red-hat-security-advisory-2020-2067-01.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.2050/"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/156701/red-hat-security-advisory-2020-0804-01.html"
},
{
"trust": 0.6,
"url": "https://vigilance.fr/vulnerability/red-hat-jboss-enterprise-application-platform-three-vulnerabilities-31779"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.0915/"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/158048/red-hat-security-advisory-2020-2512-01.html"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/156885/red-hat-security-advisory-2020-0962-01.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.2042/"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/157859/red-hat-security-advisory-2020-2333-01.html"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2021.2731"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.1052/"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.1024/"
},
{
"trust": 0.6,
"url": "https://www.auscert.org.au/bulletins/esb-2020.1766/"
},
{
"trust": 0.6,
"url": "https://packetstormsecurity.com/files/163798/red-hat-security-advisory-2021-3140-01.html"
},
{
"trust": 0.5,
"url": "https://access.redhat.com/articles/11258"
},
{
"trust": 0.5,
"url": "https://access.redhat.com/security/team/key/"
},
{
"trust": 0.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-20444"
},
{
"trust": 0.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-12400"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/cve/cve-2019-12400"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/cve/cve-2019-20445"
},
{
"trust": 0.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-10086"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/cve/cve-2019-20444"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/cve/cve-2019-10086"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/html-single/installation_guide/"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/"
},
{
"trust": 0.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-7238"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/cve/cve-2020-7238"
},
{
"trust": 0.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-20445"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-1745"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/html-single/installation_guide/"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2020-1745"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-6950"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-9547"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2019-10172"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2019-17573"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-1695"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-9546"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-9547"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-10688"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-17573"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-10719"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-7226"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-9548"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-10172"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-1695"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-1729"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-10688"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-9548"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-1757"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-8840"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-9546"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-8840"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-1729"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-7226"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-6950"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2019-12423"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-10719"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-12423"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-14371"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2018-14371"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-1757"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2020:2512"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2020:0811"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?product=appplatform\u0026downloadtype=securitypatches\u0026version=7.2"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2020:0806"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2020:0805"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2020:0804"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2020:2515"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2020:0962"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-014948"
},
{
"db": "PACKETSTORM",
"id": "158048"
},
{
"db": "PACKETSTORM",
"id": "156691"
},
{
"db": "PACKETSTORM",
"id": "156692"
},
{
"db": "PACKETSTORM",
"id": "156693"
},
{
"db": "PACKETSTORM",
"id": "156701"
},
{
"db": "PACKETSTORM",
"id": "158038"
},
{
"db": "PACKETSTORM",
"id": "156885"
},
{
"db": "CNNVD",
"id": "CNNVD-202003-782"
},
{
"db": "NVD",
"id": "CVE-2019-14887"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "CNVD",
"id": "CNVD-2020-24683"
},
{
"db": "JVNDB",
"id": "JVNDB-2019-014948"
},
{
"db": "PACKETSTORM",
"id": "158048"
},
{
"db": "PACKETSTORM",
"id": "156691"
},
{
"db": "PACKETSTORM",
"id": "156692"
},
{
"db": "PACKETSTORM",
"id": "156693"
},
{
"db": "PACKETSTORM",
"id": "156701"
},
{
"db": "PACKETSTORM",
"id": "158038"
},
{
"db": "PACKETSTORM",
"id": "156885"
},
{
"db": "CNNVD",
"id": "CNNVD-202003-782"
},
{
"db": "NVD",
"id": "CVE-2019-14887"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2020-04-24T00:00:00",
"db": "CNVD",
"id": "CNVD-2020-24683"
},
{
"date": "2020-03-31T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2019-014948"
},
{
"date": "2020-06-11T16:36:20",
"db": "PACKETSTORM",
"id": "158048"
},
{
"date": "2020-03-12T19:47:56",
"db": "PACKETSTORM",
"id": "156691"
},
{
"date": "2020-03-12T19:49:17",
"db": "PACKETSTORM",
"id": "156692"
},
{
"date": "2020-03-12T19:52:56",
"db": "PACKETSTORM",
"id": "156693"
},
{
"date": "2020-03-12T20:12:10",
"db": "PACKETSTORM",
"id": "156701"
},
{
"date": "2020-06-11T16:34:25",
"db": "PACKETSTORM",
"id": "158038"
},
{
"date": "2020-03-24T15:10:43",
"db": "PACKETSTORM",
"id": "156885"
},
{
"date": "2020-03-12T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202003-782"
},
{
"date": "2020-03-16T15:15:12.130000",
"db": "NVD",
"id": "CVE-2019-14887"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2020-04-24T00:00:00",
"db": "CNVD",
"id": "CNVD-2020-24683"
},
{
"date": "2020-08-24T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2019-014948"
},
{
"date": "2021-11-03T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202003-782"
},
{
"date": "2021-11-02T18:10:07.537000",
"db": "NVD",
"id": "CVE-2019-14887"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202003-782"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Wildfly Cryptographic strength vulnerabilities in",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2019-014948"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "other",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202003-782"
}
],
"trust": 0.6
}
}