Search for packages
| purl | pkg:rpm/redhat/eap7-jboss-jsf-api_2.3_spec@3.0.0-3.SP02_redhat_00001.1?arch=el7eap |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 4.5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-5ske-cfcx-6fbw
Aliases: CVE-2020-7226 GHSA-x64g-4xx9-fh6x |
Denial of Service in Cryptacular CiphertextHeader.java in Cryptacular before 1.2.4, as used in Apereo CAS and other products, allows attackers to trigger excessive memory allocation during a decode operation, because the nonce array length associated with "new byte" may depend on untrusted input within the header of encoded data. | There are no reported fixed by versions. |
|
VCID-6r6v-dxqb-3fe1
Aliases: CVE-2019-0210 GHSA-jq7p-26h5-w78r |
Out-of-bounds read in Apache Thrift In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when feed with invalid input data. | There are no reported fixed by versions. |
|
VCID-6zc1-mdqf-nqbd
Aliases: CVE-2019-14887 |
wildfly: The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use | There are no reported fixed by versions. |
|
VCID-7x9r-v8nm-nbf7
Aliases: CVE-2019-10172 GHSA-r6j9-8759-g62w |
Improper Restriction of XML External Entity Reference in jackson-mapper-asl A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar to CVE-2016-3720 also affects codehaus jackson-mapper-asl libraries but in different classes. | There are no reported fixed by versions. |
|
VCID-aedf-8vvz-37cp
Aliases: CVE-2020-1695 GHSA-63cq-ppq8-cw6g |
Improper Input Validation in RESTEasy A flaw was found in all resteasy 3.x.x versions prior to 3.12.0.Final and all resteasy 4.x.x versions prior to 4.6.0.Final, where an improper input validation results in returning an illegal header that integrates into the server's response. This flaw may result in an injection, which leads to unexpected behavior when the HTTP response is constructed. | There are no reported fixed by versions. |
|
VCID-bydt-bkf4-rbh2
Aliases: CVE-2020-9546 GHSA-5p34-5m6p-p58g |
jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config). | There are no reported fixed by versions. |
|
VCID-dvxb-wu3m-xuaz
Aliases: CVE-2020-1745 GHSA-gv2w-88hx-8m9r |
Improper Authorization in Undertoe A file inclusion vulnerability was found in the AJP connector enabled with a default AJP configuration port of 8009 in Undertow version 2.0.29.Final and before and was fixed in 2.0.30.Final. A remote, unauthenticated attacker could exploit this vulnerability to read web application files from a vulnerable server. In instances where the vulnerable server allows file uploads, an attacker could upload malicious JavaServer Pages (JSP) code within a variety of file types and trigger this vulnerability to gain remote code execution. | There are no reported fixed by versions. |
|
VCID-edja-kj1j-7kh5
Aliases: CVE-2019-12423 GHSA-42f2-f9vc-6365 |
Private key leak in Apache CXF Apache CXF ships with a OpenId Connect JWK Keys service, which allows a client to obtain the public keys in JWK format, which can then be used to verify the signature of tokens issued by the service. Typically, the service obtains the public key from a local keystore (JKS/PKCS12) by specifing the path of the keystore and the alias of the keystore entry. This case is not vulnerable. However it is also possible to obtain the keys from a JWK keystore file, by setting the configuration parameter `rs.security.keystore.type` to `jwk`. For this case all keys are returned in this file "as is", including all private key and secret key credentials. This is an obvious security risk if the user has configured the signature keystore file with private or secret key credentials. From CXF 3.3.5 and 3.2.12, it is mandatory to specify an alias corresponding to the id of the key in the JWK file, and only this key is returned. In addition, any private key information is omitted by default. `oct` keys, which contain secret keys, are not returned at all. | There are no reported fixed by versions. |
|
VCID-jvp6-892x-nkc7
Aliases: CVE-2020-9548 GHSA-p43x-xfjf-5jhr |
jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core). | There are no reported fixed by versions. |
|
VCID-k6c9-mckm-cyhy
Aliases: CVE-2020-10719 GHSA-cccf-7xw3-p2vr |
HTTP Request Smuggling in Undertow A flaw was found in Undertow in versions before 2.1.1.Final, regarding the processing of invalid HTTP requests with large chunk sizes. This flaw allows an attacker to take advantage of HTTP request smuggling. | There are no reported fixed by versions. |
|
VCID-qktn-umfn-dkhv
Aliases: CVE-2020-10688 GHSA-29qj-rvv6-qrmv |
Cross-site scripting in RESTEasy A cross-site scripting (XSS) flaw was found in RESTEasy in versions before 3.11.1.Final and before 4.5.3.Final, where it did not properly handle URL encoding when the RESTEASY003870 exception occurs. An attacker could use this flaw to launch a reflected XSS attack. | There are no reported fixed by versions. |
|
VCID-ruae-hqdg-m7ek
Aliases: CVE-2020-9547 GHSA-q93h-jc49-78gg |
jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7 mishandles the interaction between serialization gadgets and typing, related to `com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig` (aka `ibatis-sqlmap`). | There are no reported fixed by versions. |
|
VCID-sev5-dmhe-p3e3
Aliases: CVE-2020-1719 GHSA-p9cf-qjxq-vxw6 |
Privilege Context Switching Error in wildlfy A flaw was found in wildfly. The EJBContext principle is not popped back after invoking another EJB using a different Security Domain. The highest threat from this vulnerability is to data confidentiality and integrity. Versions before wildfly 20.0.0.Final are affected. | There are no reported fixed by versions. |
|
VCID-sxup-wzjc-tue1
Aliases: CVE-2020-1757 GHSA-2w73-fqqj-c92p |
Improper Input Validation in Undertow A flaw was found in all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1, all undertow-1.x.x and undertow-2.x.x versions prior to undertow-2.1.0.Final, where the Servlet container causes servletPath to normalize incorrectly by truncating the path after semicolon which may lead to an application mapping resulting in the security bypass. | There are no reported fixed by versions. |
|
VCID-tbhh-2tte-kkdk
Aliases: CVE-2020-6950 GHSA-rpq8-mmwh-q9hm |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Directory traversal in Eclipse Mojarra before 2.3.14 allows attackers to read arbitrary files via the loc parameter or con parameter. | There are no reported fixed by versions. |
|
VCID-ud7m-cc54-3qbv
Aliases: CVE-2018-14371 GHSA-43q7-q5vp-3g68 |
The getLocalePrefix function in ResourceManager.java in Eclipse Mojarra before 2.3.7 is affected by Directory Traversal via the loc parameter. A remote attacker can download configuration files or Java bytecodes from applications. | There are no reported fixed by versions. |
|
VCID-urxh-sp91-kuet
Aliases: CVE-2020-10705 GHSA-g4cp-h53p-v3v8 |
Allocation of Resources Without Limits or Throttling in Undertow A flaw was discovered in Undertow in versions before Undertow 2.1.1.Final where certain requests to the "Expect: 100-continue" header may cause an out of memory error. This flaw may potentially lead to a denial of service. | There are no reported fixed by versions. |
|
VCID-vhk6-ks9x-1kes
Aliases: CVE-2020-1729 GHSA-54fx-gm74-q676 |
Incorrect Authorization A flaw was found in SmallRye's API through version 1.6.1. The API can allow other code running within the application server to potentially obtain the ClassLoader, bypassing any permissions checks that should have been applied. The largest threat from this vulnerability is a threat to data confidentiality. This is fixed in SmallRye 1.6.2 | There are no reported fixed by versions. |
|
VCID-wkt1-qfpk-ybg4
Aliases: CVE-2019-17573 GHSA-f93p-f762-vr53 |
Reflected Cross-Site Scripting in Apache CXF By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack, which allows a malicious actor to inject javascript into the web page. Please note that the attack exploits a feature which is not typically not present in modern browsers, who remove dot segments before sending the request. However, Mobile applications may be vulnerable. | There are no reported fixed by versions. |
|
VCID-xnyb-nuwm-pkdr
Aliases: CVE-2020-8840 GHSA-4w82-r329-3q67 |
Deserialization of Untrusted Data in jackson-databind FasterXML jackson-databind 2.x before 2.6.7.4, 2.7.x before 2.7.9.7, 2.8.x before 2.8.11.5 and 2.9.x before 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter. | There are no reported fixed by versions. |
|
VCID-y1ca-jr94-kfb4
Aliases: CVE-2019-0205 GHSA-rj7p-rfgp-852x |
Multiple vulnerabilities have been found in Apache Thrift, the worst of which could result in a Denial of Service condition. | There are no reported fixed by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||