Search for packages
| purl | pkg:rpm/redhat/eap7-wildfly-openssl-linux@1.0.12-6.Final_redhat_00001.1.ep7?arch=el7 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 4.5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-5585-a76n-zubf
Aliases: CVE-2023-5379 |
Allocation of Resources Without Limits or Throttling A flaw was found in Undertow. When an AJP request is sent that exceeds the max-header-size attribute in ajp-listener, JBoss EAP is marked in an error state by mod_cluster in httpd, causing JBoss EAP to close the TCP connection without returning an AJP response. This happens because mod_proxy_cluster marks the JBoss EAP instance as an error worker when the TCP connection is closed from the backend after sending the AJP request without receiving an AJP response, and stops forwarding. This issue could allow a malicious user could to repeatedly send requests that exceed the max-header-size, causing a Denial of Service (DoS). | There are no reported fixed by versions. |
|
VCID-62gn-nwup-8uat
Aliases: CVE-2022-1259 |
undertow: potential security issue in flow control over HTTP/2 may lead to DOS(incomplete fix for CVE-2021-3629) | There are no reported fixed by versions. |
|
VCID-6ssa-j1q1-c3cs
Aliases: CVE-2022-3143 GHSA-jmj6-p2j9-68cp |
Wildfly-elytron possibly vulnerable to timing attacks via use of unsafe comparator wildfly-elytron: possible timing attacks via use of unsafe comparator. A flaw was found in Wildfly-elytron. Wildfly-elytron uses `java.util.Arrays.equals` in several places, which is unsafe and vulnerable to timing attacks. To compare values securely, use `java.security.MessageDigest.isEqual` instead. This flaw allows an attacker to access secure information or impersonate an authed user. | There are no reported fixed by versions. |
|
VCID-8p4t-8f51-h3dc
Aliases: CVE-2021-37137 GHSA-9vjp-v76f-g363 |
Uncontrolled Resource Consumption The Snappy frame decoder function does not restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk. | There are no reported fixed by versions. |
|
VCID-9p6a-t8zz-jkfd
Aliases: CVE-2024-1233 GHSA-v4mm-q8fv-r2w5 |
WildFly Elytron: SSRF security issue A flaw was found in` JwtValidator.resolvePublicKey` in JBoss EAP, where the validator checks jku and sends a HTTP request. During this process, no whitelisting or other filtering behavior is performed on the destination URL address, which may result in a server-side request forgery (SSRF) vulnerability. | There are no reported fixed by versions. |
|
VCID-9v3p-qkzz-ukgg
Aliases: CVE-2020-25644 GHSA-hxj4-885f-grgp |
Wildfly-OpenSSL memory leak flaw A memory leak flaw was found in WildFly OpenSSL in versions prior to 1.1.3.Final, where it removes an HTTP session. It may allow the attacker to cause OOM leading to a denial of service. The highest threat from this vulnerability is to system availability. | There are no reported fixed by versions. |
|
VCID-beaj-uk9m-17be
Aliases: CVE-2020-27782 GHSA-rhcw-wjcm-9h6g |
Denial of service in Undertow A flaw was found in the Undertow AJP connector. Malicious requests and abrupt connection closes could be triggered by an attacker using query strings with non-RFC compliant characters resulting in a denial of service. The highest threat from this vulnerability is to system availability. This affects Undertow 2.1.5.SP1, 2.0.33.SP2, and 2.2.3.SP1. | There are no reported fixed by versions. |
|
VCID-gkzd-prsr-gqc8
Aliases: CVE-2020-13949 GHSA-g2fg-mr77-6vrm |
Uncontrolled Resource Consumption in Apache Thrift In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service. | There are no reported fixed by versions. |
|
VCID-jz3d-vvfb-jfbw
Aliases: CVE-2022-4492 GHSA-pfcc-3g6r-8rg8 |
Undertow client not checking server identity presented by server certificate in https connections The undertow client is not checking the server identity presented by the server certificate in https connections. This should be performed by default in https and in http/2. | There are no reported fixed by versions. |
|
VCID-mapy-1mup-wfgx
Aliases: CVE-2020-10740 GHSA-vrmw-2xhq-hrmp |
Wildfly Unsafe Deserialization Vulnerability A vulnerability was found in Wildfly in versions before 20.0.0.Final, where a remote deserialization attack is possible in the Enterprise Application Beans(EJB) due to lack of validation/filtering capabilities in wildfly. | There are no reported fixed by versions. |
|
VCID-v6ek-y7cn-kycd
Aliases: CVE-2020-36518 GHSA-57j2-w4cx-62h2 |
Uncontrolled Resource Consumption jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects. | There are no reported fixed by versions. |
|
VCID-vdv3-7dwp-suab
Aliases: CVE-2020-25638 GHSA-j8jw-g6fq-mp7h |
SQL injection in hibernate-core A flaw was found in hibernate-core in versions prior to 5.3.20.Final and in 5.4.0.Final up to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity. | There are no reported fixed by versions. |
|
VCID-xyc4-63ra-mfh2
Aliases: CVE-2021-37136 GHSA-grg4-wf29-r9vv |
Uncontrolled Resource Consumption The Bzip2 decompression decoder function does not allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack | There are no reported fixed by versions. |
|
VCID-ysp6-t713-ffgr
Aliases: CVE-2021-28170 GHSA-v6w3-2prq-h95f |
Improper Input Validation in Jakarta Expression Language In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid. | There are no reported fixed by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||