ReportizFlow
Filtered by vendor Redhat
Subscriptions
Filtered by product Jboss Fuse
Subscriptions
Total
570 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2014-1904 | 2 Pivotal Software, Redhat | 3 Spring Framework, Jboss Amq, Jboss Fuse | 2025-04-12 | N/A |
| Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action. | ||||
| CVE-2016-0782 | 2 Apache, Redhat | 3 Activemq, Jboss Amq, Jboss Fuse | 2025-04-12 | N/A |
| The administration web console in Apache ActiveMQ 5.x before 5.11.4, 5.12.x before 5.12.3, and 5.13.x before 5.13.2 allows remote authenticated users to conduct cross-site scripting (XSS) attacks and consequently obtain sensitive information from a Java memory dump via vectors related to creating a queue. | ||||
| CVE-2016-9878 | 3 Pivotal Software, Redhat, Vmware | 4 Spring Framework, Jboss Amq, Jboss Fuse and 1 more | 2025-04-12 | N/A |
| An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks. | ||||
| CVE-2015-7940 | 4 Bouncycastle, Opensuse, Oracle and 1 more | 9 Bouncy Castle Crypto Package, Leap, Opensuse and 6 more | 2025-04-12 | N/A |
| The Bouncy Castle Java library before 1.51 does not validate a point is withing the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges, aka an "invalid curve attack." | ||||
| CVE-2014-3584 | 2 Apache, Redhat | 2 Cxf, Jboss Fuse | 2025-04-12 | N/A |
| The SamlHeaderInHandler in Apache CXF before 2.6.11, 2.7.x before 2.7.8, and 3.0.x before 3.0.1 allows remote attackers to cause a denial of service (infinite loop) via a crafted SAML token in the authorization header of a request to a JAX-RS service. | ||||
| CVE-2015-0264 | 2 Apache, Redhat | 6 Camel, Jboss Amq, Jboss Bpms and 3 more | 2025-04-12 | N/A |
| Multiple XML external entity (XXE) vulnerabilities in builder/xml/XPathBuilder.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allow remote attackers to read arbitrary files via an external entity in an invalid XML (1) String or (2) GenericFile object in an XPath query. | ||||
| CVE-2014-3623 | 2 Apache, Redhat | 8 Cxf, Wss4j, Jboss Amq and 5 more | 2025-04-12 | N/A |
| Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vectors. | ||||
| CVE-2013-7397 | 2 Async-http-client Project, Redhat | 5 Async-http-client, Jboss Bpms, Jboss Brms and 2 more | 2025-04-12 | N/A |
| Async Http Client (aka AHC or async-http-client) before 1.9.0 skips X.509 certificate verification unless both a keyStore location and a trustStore location are explicitly set, which allows man-in-the-middle attackers to spoof HTTPS servers by presenting an arbitrary certificate during use of a typical AHC configuration, as demonstrated by a configuration that does not send client certificates. | ||||
| CVE-2015-5254 | 3 Apache, Fedoraproject, Redhat | 5 Activemq, Fedora, Jboss Amq and 2 more | 2025-04-12 | N/A |
| Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be serialized in the broker, which allows remote attackers to execute arbitrary code via a crafted serialized Java Message Service (JMS) ObjectMessage object. | ||||
| CVE-2014-0193 | 2 Netty, Redhat | 10 Netty, Jboss Amq, Jboss Bpms and 7 more | 2025-04-12 | N/A |
| WebSocket08FrameDecoder in Netty 3.6.x before 3.6.9, 3.7.x before 3.7.1, 3.8.x before 3.8.2, 3.9.x before 3.9.1, and 4.0.x before 4.0.19 allows remote attackers to cause a denial of service (memory consumption) via a TextWebSocketFrame followed by a long stream of ContinuationWebSocketFrames. | ||||
| CVE-2015-1796 | 2 Redhat, Shibboleth | 4 Jboss Amq, Jboss Fuse, Identity Provider and 1 more | 2025-04-12 | N/A |
| The PKIX trust engines in Shibboleth Identity Provider before 2.4.4 and OpenSAML Java (OpenSAML-J) before 2.6.5 trust candidate X.509 credentials when no trusted names are available for the entityID, which allows remote attackers to impersonate an entity via a certificate issued by a shibmd:KeyAuthority trust anchor. | ||||
| CVE-2016-2510 | 4 Beanshell, Canonical, Debian and 1 more | 8 Beanshell, Ubuntu Linux, Debian Linux and 5 more | 2025-04-12 | 8.1 High |
| BeanShell (bsh) before 2.0b6, when included on the classpath by an application that uses Java serialization or XStream, allows remote attackers to execute arbitrary code via crafted serialized data, related to XThis.Handler. | ||||
| CVE-2014-0002 | 2 Apache, Redhat | 9 Camel, Fuse Esb Enterprise, Fuse Management Console and 6 more | 2025-04-12 | N/A |
| The XSLT component in Apache Camel before 2.11.4 and 2.12.x before 2.12.3 allows remote attackers to read arbitrary files and possibly have other unspecified impact via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. | ||||
| CVE-2015-5253 | 2 Apache, Redhat | 2 Cxf, Jboss Fuse | 2025-04-12 | N/A |
| The SAML Web SSO module in Apache CXF before 2.7.18, 3.0.x before 3.0.7, and 3.1.x before 3.1.3 allows remote authenticated users to bypass authentication via a crafted SAML response with a valid signed assertion, related to a "wrapping attack." | ||||
| CVE-2015-3253 | 3 Apache, Oracle, Redhat | 14 Groovy, Health Sciences Clinical Development Center, Retail Order Broker Cloud Service and 11 more | 2025-04-12 | N/A |
| The MethodClosure class in runtime/MethodClosure.java in Apache Groovy 1.7.0 through 2.4.3 allows remote attackers to execute arbitrary code or cause a denial of service via a crafted serialized object. | ||||
| CVE-2015-5348 | 2 Apache, Redhat | 2 Camel, Jboss Fuse | 2025-04-12 | N/A |
| Apache Camel 2.6.x through 2.14.x, 2.15.x before 2.15.5, and 2.16.x before 2.16.1, when using (1) camel-jetty or (2) camel-servlet as a consumer in Camel routes, allow remote attackers to execute arbitrary commands via a crafted serialized Java object in an HTTP request. | ||||
| CVE-2014-0034 | 2 Apache, Redhat | 7 Cxf, Jboss Amq, Jboss Bpms and 4 more | 2025-04-12 | N/A |
| The SecurityTokenService (STS) in Apache CXF before 2.6.12 and 2.7.x before 2.7.9 does not properly validate SAML tokens when caching is enabled, which allows remote attackers to gain access via an invalid SAML token. | ||||
| CVE-2014-0364 | 2 Igniterealtime, Redhat | 4 Smack, Jboss Bpms, Jboss Brms and 1 more | 2025-04-12 | N/A |
| The ParseRoster component in the Ignite Realtime Smack XMPP API before 4.0.0-rc1 does not verify the from attribute of a roster-query IQ stanza, which allows remote attackers to spoof IQ responses via a crafted attribute. | ||||
| CVE-2014-0074 | 2 Apache, Redhat | 6 Shiro, Fuse Esb Enterprise, Fuse Management Console and 3 more | 2025-04-12 | N/A |
| Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bind enabled, allows remote attackers to bypass authentication via an empty (1) username or (2) password. | ||||
| CVE-2015-5344 | 2 Apache, Redhat | 2 Camel, Jboss Fuse | 2025-04-12 | N/A |
| The camel-xstream component in Apache Camel before 2.15.5 and 2.16.x before 2.16.1 allow remote attackers to execute arbitrary commands via a crafted serialized Java object in an HTTP request. | ||||