Filtered by vendor Redhat Subscriptions
Filtered by product Openshift Application Runtimes Subscriptions
Total 214 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2018-12537 2 Eclipse, Redhat 3 Vert.x, Jboss Fuse, Openshift Application Runtimes 2024-11-21 N/A
In Eclipse Vert.x version 3.0 to 3.5.1, the HttpServer response headers and HttpClient request headers do not filter carriage return and line feed characters from the header value. This allow unfiltered values to inject a new header in the client request or server response.
CVE-2018-12115 2 Nodejs, Redhat 5 Node.js, Openshift, Openshift Application Runtimes and 2 more 2024-11-21 N/A
In all versions of Node.js prior to 6.14.4, 8.11.4 and 10.9.0 when used with UCS-2 encoding (recognized by Node.js under the names `'ucs2'`, `'ucs-2'`, `'utf16le'` and `'utf-16le'`), `Buffer#write()` can be abused to write outside of the bounds of a single `Buffer`. Writes that start from the second-to-last position of a buffer cause a miscalculation of the maximum length of the input bytes to be written.
CVE-2018-12023 5 Debian, Fasterxml, Fedoraproject and 2 more 20 Debian Linux, Jackson-databind, Fedora and 17 more 2024-11-21 N/A
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.
CVE-2018-12022 5 Debian, Fasterxml, Fedoraproject and 2 more 20 Debian Linux, Jackson-databind, Fedora and 17 more 2024-11-21 7.5 High
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.
CVE-2018-11307 3 Fasterxml, Oracle, Redhat 18 Jackson-databind, Clusterware, Communications Instant Messaging Server and 15 more 2024-11-21 9.8 Critical
An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.
CVE-2018-10912 1 Redhat 4 Jboss Single Sign On, Keycloak, Openshift Application Runtimes and 1 more 2024-11-21 4.9 Medium
keycloak before version 4.0.0.final is vulnerable to a infinite loop in session replacement. A Keycloak cluster with multiple nodes could mishandle an expired session replacement and lead to an infinite loop. A malicious authenticated user could use this flaw to achieve Denial of Service on the server.
CVE-2018-10894 1 Redhat 6 Enterprise Linux, Jboss Single Sign On, Keycloak and 3 more 2024-11-21 N/A
It was found that SAML authentication in Keycloak 3.4.3.Final incorrectly authenticated expired certificates. A malicious user could use this to access unauthorized data or possibly conduct further attacks.
CVE-2018-10862 1 Redhat 8 Enterprise Linux, Jboss Data Grid, Jboss Enterprise Application Platform and 5 more 2024-11-21 N/A
WildFly Core before version 6.0.0.Alpha3 does not properly validate file paths in .war archives, allowing for the extraction of crafted .war archives to overwrite arbitrary files. This is an instance of the 'Zip Slip' vulnerability.
CVE-2018-1000180 5 Bouncycastle, Debian, Netapp and 2 more 24 Fips Java Api, Legion-of-the-bouncy-castle-java-crytography-api, Debian Linux and 21 more 2024-11-21 N/A
Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later.
CVE-2018-0732 5 Canonical, Debian, Nodejs and 2 more 7 Ubuntu Linux, Debian Linux, Node.js and 4 more 2024-11-21 7.5 High
During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2-1.0.2o).
CVE-2017-5656 2 Apache, Redhat 4 Cxf, Jboss Amq, Jboss Fuse and 1 more 2024-11-21 N/A
Apache CXF's STSClient before 3.1.11 and 3.0.13 uses a flawed way of caching tokens that are associated with delegation tokens, which means that an attacker could craft a token which would return an identifer corresponding to a cached token for another user.
CVE-2017-18640 5 Fedoraproject, Oracle, Quarkus and 2 more 8 Fedora, Peoplesoft Enterprise Pt Peopletools, Quarkus and 5 more 2024-11-21 7.5 High
The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564.
CVE-2023-6841 1 Redhat 7 Jboss Enterprise Bpms Platform, Jboss Fuse, Keycloak and 4 more 2024-11-15 7.5 High
A denial of service vulnerability was found in keycloak where the amount of attributes per object is not limited,an attacker by sending repeated HTTP requests could cause a resource exhaustion when the application send back rows with long attribute values.
CVE-2023-1932 1 Redhat 20 A Mq Clients, Amq Broker, Amq Online and 17 more 2024-11-08 6.1 Medium
A flaw was found in hibernate-validator's 'isValid' method in the org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator class, which can be bypassed by omitting the tag ending in a less-than character. Browsers may render an invalid html, allowing HTML injection or Cross-Site-Scripting (XSS) attacks.