Search for packages
| purl | pkg:rpm/redhat/eap7-jboss-server-migration@1.0.3-4.Final_redhat_4.1.ep7?arch=el6 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 4.5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-2e2u-nvuu-kfbs
Aliases: CVE-2017-7559 GHSA-rj76-h87p-r3wf |
Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling) Invalid characters are allowed in query strings and path parameters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other than their own. | There are no reported fixed by versions. |
|
VCID-42tt-ernk-y3bn
Aliases: CVE-2016-5406 |
EAP7 Privilege escalation when managing domain including earlier version slaves | There are no reported fixed by versions. |
|
VCID-77xn-dtdn-hfa2
Aliases: CVE-2017-2666 GHSA-mcfm-h73v-635m |
Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling) It was discovered in Undertow that the code that parses the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other than their own. | There are no reported fixed by versions. |
|
VCID-9u3r-n3zy-53f1
Aliases: CVE-2017-12167 |
EAP-7: Wrong privileges on multiple property files | There are no reported fixed by versions. |
|
VCID-9zut-79gt-1bgy
Aliases: CVE-2017-2670 GHSA-3x7h-5hfr-hvjm |
It was found in Undertow before 1.3.28 that with non-clean TCP close, the Websocket server gets into infinite loop on every IO thread, effectively causing DoS. | There are no reported fixed by versions. |
|
VCID-ay2f-3xcv-dqdc
Aliases: CVE-2016-4993 GHSA-qcqr-hcjq-whfq |
Improper Neutralization of CRLF Sequences in HTTP Headers CRLF injection vulnerability in the Undertow web server allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors. | There are no reported fixed by versions. |
|
VCID-e6qx-uhr4-kqb8
Aliases: CVE-2016-8627 |
admin-cli: Potential EAP resource starvation DOS attack via GET requests for server log files | There are no reported fixed by versions. |
|
VCID-hexa-jm8k-y3hc
Aliases: CVE-2016-8656 |
jboss: jbossas: unsafe chown of server.log in jboss init script allows privilege escalation | There are no reported fixed by versions. |
|
VCID-jtbq-4rr9-vud6
Aliases: CVE-2017-2595 |
wildfly: Arbitrary file read via path traversal | There are no reported fixed by versions. |
|
VCID-pd7m-bhqf-kkge
Aliases: CVE-2017-7536 GHSA-xxgp-pcfc-3vgc |
In Hibernate Validator 5.2.x before 5.2.5 final, 5.3.x, and 5.4.x, it was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue(). | There are no reported fixed by versions. |
|
VCID-tdj6-jjmb-tkav
Aliases: CVE-2016-6311 |
EAP7: Internal IP address disclosed on redirect when request header Host field is not set | There are no reported fixed by versions. |
|
VCID-tzmu-y1p4-8bac
Aliases: CVE-2016-9589 GHSA-p4xg-cpr9-vwvj |
Uncontrolled Resource Consumption Undertow in Red Hat wildfly before version 11.0.0.Beta1 is vulnerable to a resource exhaustion resulting in a denial of service. Undertow keeps a cache of seen HTTP headers in persistent connections. It was found that this cache can easily exploited to fill memory with garbage, up to "max-headers" (default 200) * "max-header-size" (default 1MB) per active TCP connection. | There are no reported fixed by versions. |
|
VCID-v84e-sf92-dqa1
Aliases: CVE-2017-7525 GHSA-qxxx-2pp7-5hmx |
A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. | There are no reported fixed by versions. |
|
VCID-wazp-5818-mqbw
Aliases: CVE-2016-4978 GHSA-r9vv-xj4w-g8m8 |
Deserialization of Untrusted Data The getObject method of the javax.jms.ObjectMessage class in the (1) JMS Core client, (2) Artemis broker, and (3) Artemis REST component in Apache ActiveMQ Artemis before 1.4.0 might allow remote authenticated users with permission to send messages to the Artemis broker to deserialize arbitrary objects and execute arbitrary code by leveraging gadget classes being present on the Artemis classpath. | There are no reported fixed by versions. |
|
VCID-wpvb-dr22-bfde
Aliases: CVE-2016-7061 |
EAP: Sensitive data can be exposed at the server level in domain mode | There are no reported fixed by versions. |
|
VCID-y5s2-w88t-8uhx
Aliases: CVE-2016-7046 GHSA-3f57-w2rp-72fc |
Uncontrolled Resource Consumption Remote attackers could cause a denial of service (CPU and disk consumption) via a long URL. | There are no reported fixed by versions. |
|
VCID-ygp7-kj2w-syat
Aliases: CVE-2017-12165 GHSA-5gg7-5wv8-4gcj |
Inconsistent Interpretation of HTTP Requests (HTTP Request Smuggling) It was discovered that Undertow processes http request headers with unusual whitespaces which can cause possible http request smuggling. | There are no reported fixed by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||