Filtered by vendor Redhat Subscriptions
Filtered by product Jboss Data Grid Subscriptions
Total 227 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2020-9546 5 Debian, Fasterxml, Netapp and 2 more 41 Debian Linux, Jackson-databind, Active Iq Unified Manager and 38 more 2024-11-21 9.8 Critical
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).
CVE-2020-9488 5 Apache, Debian, Oracle and 2 more 53 Log4j, Debian Linux, Communications Application Session Controller and 50 more 2024-11-21 3.7 Low
Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1
CVE-2020-8840 6 Debian, Fasterxml, Huawei and 3 more 19 Debian Linux, Jackson-databind, Oceanstor 9000 and 16 more 2024-11-21 9.8 Critical
FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.
CVE-2020-7238 4 Debian, Fedoraproject, Netty and 1 more 20 Debian Linux, Fedora, Netty and 17 more 2024-11-21 7.5 High
Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869.
CVE-2020-36518 5 Debian, Fasterxml, Netapp and 2 more 48 Debian Linux, Jackson-databind, Active Iq Unified Manager and 45 more 2024-11-21 7.5 High
jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
CVE-2020-26259 4 Debian, Fedoraproject, Redhat and 1 more 9 Debian Linux, Fedora, Camel Quarkus and 6 more 2024-11-21 6.8 Medium
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow a remote attacker to delete arbitrary know files on the host as log as the executing process has sufficient rights only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist running Java 15 or higher. No user is affected, who followed the recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories.
CVE-2020-26258 4 Debian, Fedoraproject, Redhat and 1 more 9 Debian Linux, Fedora, Camel Quarkus and 6 more 2024-11-21 7.7 High
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, a Server-Side Forgery Request vulnerability can be activated when unmarshalling. The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist if running Java 15 or higher. No user is affected who followed the recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories.
CVE-2020-26217 6 Apache, Debian, Netapp and 3 more 23 Activemq, Debian Linux, Snapmanager and 20 more 2024-11-21 8 High
XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.
CVE-2020-25711 3 Infinispan, Netapp, Redhat 4 Infinispan, Active Iq Unified Manager, Data Grid and 1 more 2024-11-21 6.5 Medium
A flaw was found in infinispan 10 REST API, where authorization permissions are not checked while performing some server management operations. When authz is enabled, any user with authentication can perform operations like shutting down the server without the ADMIN role.
CVE-2020-25689 2 Netapp, Redhat 11 Active Iq Unified Manager, Oncommand Insight, Service Level Manager and 8 more 2024-11-21 5.3 Medium
A memory leak flaw was found in WildFly in all versions up to 21.0.0.Final, where host-controller tries to reconnect in a loop, generating new connections which are not properly closed while not able to connect to domain-controller. This flaw allows an attacker to cause an Out of memory (OOM) issue, leading to a denial of service. The highest threat from this vulnerability is to system availability.
CVE-2020-25649 7 Apache, Fasterxml, Fedoraproject and 4 more 50 Iotdb, Jackson-databind, Fedora and 47 more 2024-11-21 7.5 High
A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.
CVE-2020-25644 2 Netapp, Redhat 11 Oncommand Insight, Oncommand Workflow Automation, Service Level Manager and 8 more 2024-11-21 7.5 High
A memory leak flaw was found in WildFly OpenSSL in versions prior to 1.1.3.Final, where it removes an HTTP session. It may allow the attacker to cause OOM leading to a denial of service. The highest threat from this vulnerability is to system availability.
CVE-2020-1757 1 Redhat 8 Jboss Data Grid, Jboss Enterprise Application Platform, Jboss Enterprise Application Platform Eus and 5 more 2024-11-21 8.1 High
A flaw was found in all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1, all undertow-1.x.x and undertow-2.x.x versions prior to undertow-2.1.0.Final, where the Servlet container causes servletPath to normalize incorrectly by truncating the path after semicolon which may lead to an application mapping resulting in the security bypass.
CVE-2020-1748 1 Redhat 9 Decision Manager, Jboss Data Grid, Jboss Enterprise Application Platform and 6 more 2024-11-21 7.5 High
A flaw was found in all supported versions before wildfly-elytron-1.6.8.Final-redhat-00001, where the WildFlySecurityManager checks were bypassed when using custom security managers, resulting in an improper authorization. This flaw leads to information exposure by unauthenticated access to secure resources.
CVE-2020-1745 1 Redhat 8 Jboss Data Grid, Jboss Enterprise Application Platform, Jboss Enterprise Application Platform Cd and 5 more 2024-11-21 8.6 High
A file inclusion vulnerability was found in the AJP connector enabled with a default AJP configuration port of 8009 in Undertow version 2.0.29.Final and before and was fixed in 2.0.30.Final. A remote, unauthenticated attacker could exploit this vulnerability to read web application files from a vulnerable server. In instances where the vulnerable server allows file uploads, an attacker could upload malicious JavaServer Pages (JSP) code within a variety of file types and trigger this vulnerability to gain remote code execution.
CVE-2020-1719 1 Redhat 7 Jboss Data Grid, Jboss Enterprise Application Platform, Jboss Enterprise Application Platform Cd and 4 more 2024-11-21 5.4 Medium
A flaw was found in wildfly. The EJBContext principle is not popped back after invoking another EJB using a different Security Domain. The highest threat from this vulnerability is to data confidentiality and integrity. Versions before wildfly 20.0.0.Final are affected.
CVE-2020-1710 1 Redhat 6 Jboss Data Grid, Jboss Enterprise Application Platform, Jboss Enterprise Application Platform Eus and 3 more 2024-11-21 5.3 Medium
The issue appears to be that JBoss EAP 6.4.21 does not parse the field-name in accordance to RFC7230[1] as it returns a 200 instead of a 400.
CVE-2020-1695 2 Fedoraproject, Redhat 9 Fedora, Enterprise Linux, Jboss Data Grid and 6 more 2024-11-21 7.5 High
A flaw was found in all resteasy 3.x.x versions prior to 3.12.0.Final and all resteasy 4.x.x versions prior to 4.6.0.Final, where an improper input validation results in returning an illegal header that integrates into the server's response. This flaw may result in an injection, which leads to unexpected behavior when the HTTP response is constructed.
CVE-2020-14340 2 Oracle, Redhat 16 Communications Cloud Native Core Console, Communications Cloud Native Core Network Repository Function, Communications Cloud Native Core Policy and 13 more 2024-11-21 5.9 Medium
A vulnerability was discovered in XNIO where file descriptor leak caused by growing amounts of NIO Selector file handles between garbage collection cycles. It may allow the attacker to cause a denial of service. It affects XNIO versions 3.6.0.Beta1 through 3.8.1.Final.
CVE-2020-11620 5 Debian, Fasterxml, Netapp and 2 more 26 Debian Linux, Jackson-databind, Active Iq Unified Manager and 23 more 2024-11-21 8.1 High
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly).