VulnerableCode Package Details - pkg:rpm/redhat/eap7-xml-security@2.0.10-1.redhat

Search for packages

Vulnerability	Summary	Fixed by
VCID-669s-jgrm-efgg Aliases: CVE-2018-8039 GHSA-jc7r-v6fg-2gpf	It is possible to configure Apache CXF to use the com.sun.net.ssl implementation via 'System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");'. When this system property is set, CXF uses some reflection to try to make the HostnameVerifier work with the old com.sun.net.ssl.HostnameVerifier interface. However, the default HostnameVerifier implementation in CXF does not implement the method in this interface, and an exception is thrown. However, in Apache CXF prior to 3.2.5 and 3.1.16 the exception is caught in the reflection code and not properly propagated. What this means is that if you are using the com.sun.net.ssl stack with CXF, an error with TLS hostname verification will not be thrown, leaving a CXF client subject to man-in-the-middle attacks.	There are no reported fixed by versions.
VCID-f4hk-8zp4-9fd3 Aliases: CVE-2018-10862 GHSA-w8r2-5j8x-x8j6	WildFly Core before version 6.0.0.Alpha3 does not properly validate file paths in .war archives, allowing for the extraction of crafted .war archives to overwrite arbitrary files. This is an instance of the 'Zip Slip' vulnerability.	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-669s-jgrm-efgg
Aliases:
CVE-2018-8039
GHSA-jc7r-v6fg-2gpf

It is possible to configure Apache CXF to use the com.sun.net.ssl implementation via 'System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");'. When this system property is set, CXF uses some reflection to try to make the HostnameVerifier work with the old com.sun.net.ssl.HostnameVerifier interface. However, the default HostnameVerifier implementation in CXF does not implement the method in this interface, and an exception is thrown. However, in Apache CXF prior to 3.2.5 and 3.1.16 the exception is caught in the reflection code and not properly propagated. What this means is that if you are using the com.sun.net.ssl stack with CXF, an error with TLS hostname verification will not be thrown, leaving a CXF client subject to man-in-the-middle attacks.

There are no reported fixed by versions.

VCID-f4hk-8zp4-9fd3
Aliases:
CVE-2018-10862
GHSA-w8r2-5j8x-x8j6

WildFly Core before version 6.0.0.Alpha3 does not properly validate file paths in .war archives, allowing for the extraction of crafted .war archives to overwrite arbitrary files. This is an instance of the 'Zip Slip' vulnerability.

There are no reported fixed by versions.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T14:23:53.298001+00:00	RedHat Importer	Affected by	VCID-f4hk-8zp4-9fd3	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-10862.json	38.0.0
2026-04-01T14:23:49.777432+00:00	RedHat Importer	Affected by	VCID-669s-jgrm-efgg	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-8039.json	38.0.0

2026-04-01T14:23:53.298001+00:00

RedHat Importer

Affected by

VCID-f4hk-8zp4-9fd3

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-10862.json

38.0.0

2026-04-01T14:23:49.777432+00:00

RedHat Importer

Affected by

VCID-669s-jgrm-efgg

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-8039.json

38.0.0

Next non-vulnerable version	None.
Latest non-vulnerable version	None.
Risk	4.0