Package details: pkg:rpm/redhat/jbossweb@7.5.28-1.Final_redhat_1.1.ep6?arch=el5
purl: pkg:rpm/redhat/jbossweb@7.5.28-1.Final_redhat_1.1.ep6?arch=el5
Next non-vulnerable version: None.
Latest non-vulnerable version: None.
Risk: 4.5
Vulnerabilities affecting this package (8)
Vulnerability Summary Fixed by
VCID-2sbh-sy57-3uez
Aliases:
CVE-2018-1304
GHSA-6rxj-58jh-436r
The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected. There are no reported fixed by versions.
VCID-bc2x-rwrd-tya6
Aliases:
CVE-2017-17485
GHSA-rfx6-vp9g-rh7v
FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath. There are no reported fixed by versions.
VCID-ceub-d4s9-dkcd
Aliases:
CVE-2017-15095
GHSA-h592-38cm-4ggp
Deserialization of Untrusted Data: A deserialization flaw was discovered in jackson-databind which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the `readValue` method of the `ObjectMapper`. There are no reported fixed by versions.
VCID-fzrt-143x-tqdd
Aliases:
CVE-2018-8088
GHSA-w77p-8cfg-2x43
Improper Access Control in SLF4J: org.slf4j.ext.EventData in the slf4j-ext module in QOS.CH SLF4J before 1.8.0-beta2 allows remote attackers to bypass intended access restrictions via crafted data. The issue in EventData in the slf4j-ext module has been fixed in SLF4J versions 1.7.26 and later and in the 2.0.x series. There are no reported fixed by versions.
VCID-ke61-vddr-4udk
Aliases:
CVE-2017-3163
GHSA-387v-84cv-9qmc
When using the Index Replication feature, Apache Solr nodes can pull index files from a master/leader node using an HTTP API which accepts a file name. However, Solr before 5.5.4 and 6.x before 6.4.1 did not validate the file name, hence it was possible to craft a special request involving path traversal, leaving any file readable to the Solr server process exposed. Solr servers protected and restricted by firewall rules and/or authentication would not be at risk since only trusted clients and users would gain direct HTTP access. There are no reported fixed by versions.
VCID-v84e-sf92-dqa1
Aliases:
CVE-2017-7525
GHSA-qxxx-2pp7-5hmx
A deserialization flaw was discovered in jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper. There are no reported fixed by versions.
VCID-wazp-5818-mqbw
Aliases:
CVE-2016-4978
GHSA-r9vv-xj4w-g8m8
Deserialization of Untrusted Data: The getObject method of the javax.jms.ObjectMessage class in the (1) JMS Core client, (2) Artemis broker, and (3) Artemis REST component in Apache ActiveMQ Artemis before 1.4.0 might allow remote authenticated users with permission to send messages to the Artemis broker to deserialize arbitrary objects and execute arbitrary code by leveraging gadget classes present on the Artemis classpath. There are no reported fixed by versions.
VCID-x6g1-qw1v-jbas
Aliases:
CVE-2018-7489
GHSA-cggj-fvv3-cqwv
FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath. There are no reported fixed by versions.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-01T14:34:28.483189+00:00 RedHat Importer Affected by VCID-wazp-5818-mqbw https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-4978.json 38.0.0
2026-04-01T14:31:55.194001+00:00 RedHat Importer Affected by VCID-ke61-vddr-4udk https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-3163.json 38.0.0
2026-04-01T14:29:37.944414+00:00 RedHat Importer Affected by VCID-v84e-sf92-dqa1 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-7525.json 38.0.0
2026-04-01T14:27:06.072498+00:00 RedHat Importer Affected by VCID-ceub-d4s9-dkcd https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-15095.json 38.0.0
2026-04-01T14:26:52.487351+00:00 RedHat Importer Affected by VCID-bc2x-rwrd-tya6 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-17485.json 38.0.0
2026-04-01T14:26:27.984196+00:00 RedHat Importer Affected by VCID-2sbh-sy57-3uez https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-1304.json 38.0.0
2026-04-01T14:26:06.059182+00:00 RedHat Importer Affected by VCID-fzrt-143x-tqdd https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-8088.json 38.0.0
2026-04-01T14:26:00.325069+00:00 RedHat Importer Affected by VCID-x6g1-qw1v-jbas https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-7489.json 38.0.0