| Field | Value |
|---|---|
| purl | pkg:rpm/redhat/eap7-resteasy@3.0.25-1.Final_redhat_1.1.ep7?arch=el6 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 4.5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-1w4t-um5v-jkfv (aliases: CVE-2018-1048, GHSA-prfw-3qx6-g9xr) | Path Traversal: The AJP connector in undertow does not use the `ALLOW_ENCODED_SLASH` option and thus allows the slash / anti-slash characters encoded in the URL, which may lead to path traversal and result in the information disclosure of arbitrary local files. | There are no reported fixed by versions. |
| VCID-22at-v7he-fqek (aliases: CVE-2017-15089, GHSA-46r5-59fg-2fjc) | Deserialization of Untrusted Data: It was found that the Hotrod client in Infinispan before 9.2.0.CR1 would unsafely read deserialized data on information from the cache. An authenticated attacker could inject a malicious object into the data cache and attain deserialization on the client, and possibly conduct further attacks. | There are no reported fixed by versions. |
| VCID-2ez8-r9wv-53du (aliases: CVE-2017-12196, GHSA-cp7v-vmv7-6x2q) | undertow before versions 1.4.18.SP1, 2.0.2.Final, 1.4.24.Final was found vulnerable when using Digest authentication: the server does not ensure that the value of the URI in the Authorization header matches the URI in the HTTP request line. This allows the attacker to cause a MITM attack and access the desired content on the server. | There are no reported fixed by versions. |
| VCID-6qhb-4jya-hffz (aliases: CVE-2017-7561, GHSA-57q5-x8jf-g7h8) | Inconsistent Interpretation of HTTP Requests in Red Hat JBoss EAP: Red Hat JBoss EAP version 3.0.7.Final until 3.0.25.Final, 3.5.0.CR1, and 4.0.0.Beta1 is vulnerable to server-side cache poisoning or CORS requests in the JAX-RS component, resulting in a moderate impact. | There are no reported fixed by versions. |
| VCID-bc2x-rwrd-tya6 (aliases: CVE-2017-17485, GHSA-rfx6-vp9g-rh7v) | FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath. | There are no reported fixed by versions. |
| VCID-bss3-uqjn-qycz (aliases: CVE-2017-12174, GHSA-gc96-h5pr-839j) | Uncontrolled Resource Consumption: It was found that when Artemis and HornetQ before 2.4.0 are configured with UDP discovery and JGroups discovery, a huge byte array is created when receiving an unexpected multicast message. This may result in heap memory exhaustion, a full GC, or an OutOfMemoryError. | There are no reported fixed by versions. |
| VCID-ceub-d4s9-dkcd (aliases: CVE-2017-15095, GHSA-h592-38cm-4ggp) | Deserialization of Untrusted Data: A deserialization flaw was discovered in jackson-databind which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the `readValue` method of the `ObjectMapper`. | There are no reported fixed by versions. |
| VCID-unwq-s63h-uuaw (aliases: CVE-2018-5968, GHSA-w3f4-3q6j-rh82) | FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist. | There are no reported fixed by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |