Filtered by vendor Redhat Subscriptions
Filtered by product Jboss Enterprise Brms Platform Subscriptions
Total 206 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2024-1249 1 Redhat 15 Amq Broker, Amq Streams, Build Keycloak and 12 more 2024-12-23 7.4 High
A flaw was found in Keycloak's OIDC component in the "checkLoginIframe," which allows unvalidated cross-origin messages. This flaw allows attackers to coordinate and send millions of requests in seconds using simple code, significantly impacting the application's availability without proper origin validation for incoming messages.
CVE-2023-6717 1 Redhat 15 Amq Broker, Build Keycloak, Jboss Data Grid and 12 more 2024-12-23 6 Medium
A flaw was found in the SAML client registration in Keycloak that could allow an administrator to register malicious JavaScript URIs as Assertion Consumer Service POST Binding URLs (ACS), posing a Cross-Site Scripting (XSS) risk. This issue may allow a malicious admin in one realm or a client with registration access to target users in different realms or applications, executing arbitrary JavaScript in their contexts upon form submission. This can enable unauthorized access and harmful actions, compromising the confidentiality, integrity, and availability of the complete KC instance.
CVE-2024-1132 1 Redhat 13 Amq Broker, Build Keycloak, Jboss Data Grid and 10 more 2024-12-20 8.1 High
A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to construct a malicious request to bypass validation and access other URLs and sensitive information within the domain or conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field, and requires user interaction within the malicious URL.
CVE-2023-6291 1 Redhat 18 Build Keycloak, Enterprise Linux, Jboss Data Grid and 15 more 2024-12-13 7.1 High
A flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to an access token being stolen, making it possible for the attacker to impersonate other users.
CVE-2023-5379 1 Redhat 10 Jboss Data Grid, Jboss Enterprise Application Platform, Jboss Enterprise Bpms Platform and 7 more 2024-12-02 7.5 High
A flaw was found in Undertow. When an AJP request is sent that exceeds the max-header-size attribute in ajp-listener, JBoss EAP is marked in an error state by mod_cluster in httpd, causing JBoss EAP to close the TCP connection without returning an AJP response. This happens because mod_proxy_cluster marks the JBoss EAP instance as an error worker when the TCP connection is closed from the backend after sending the AJP request without receiving an AJP response, and stops forwarding. This issue could allow a malicious user could to repeatedly send requests that exceed the max-header-size, causing a Denial of Service (DoS).
CVE-2024-1459 1 Redhat 8 Jboss Data Grid, Jboss Enterprise Application Platform, Jboss Enterprise Bpms Platform and 5 more 2024-11-23 5.3 Medium
A path traversal vulnerability was found in Undertow. This issue may allow a remote attacker to append a specially-crafted sequence to an HTTP request for an application deployed to JBoss EAP, which may permit access to privileged or restricted files and directories.
CVE-2023-3223 1 Redhat 20 Enterprise Linux, Integration, Jboss Data Grid and 17 more 2024-11-21 7.5 High
A flaw was found in undertow. Servlets annotated with @MultipartConfig may cause an OutOfMemoryError due to large multipart content. This may allow unauthorized users to cause remote Denial of Service (DoS) attack. If the server uses fileSizeThreshold to limit the file size, it's possible to bypass the limit by setting the file name in the request to null.
CVE-2022-4245 2 Codehaus-plexus, Redhat 23 Plexus-utils, A Mq Clients, Amq Broker and 20 more 2024-11-21 4.3 Medium
A flaw was found in codehaus-plexus. The org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment fails to sanitize comments for a --> sequence. This issue means that text contained in the command string could be interpreted as XML and allow for XML injection.
CVE-2022-4244 2 Codehaus-plexus, Redhat 23 Plexus-utils, A Mq Clients, Amq Broker and 20 more 2024-11-21 7.5 High
A flaw was found in codeplex-codehaus. A directory traversal attack (also known as path traversal) aims to access files and directories stored outside the intended folder. By manipulating files with "dot-dot-slash (../)" sequences and their variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration, and other critical system files.
CVE-2022-22965 6 Cisco, Oracle, Redhat and 3 more 45 Cx Cloud Agent, Commerce Platform, Communications Cloud Native Core Automated Test Suite and 42 more 2024-11-21 9.8 Critical
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
CVE-2022-1415 1 Redhat 16 Camel Quarkus, Camel Spring Boot, Decision Manager and 13 more 2024-11-21 8.1 High
A flaw was found where some utility classes in Drools core did not use proper safeguards when deserializing data. This flaw allows an authenticated attacker to construct malicious serialized objects (usually called gadgets) and achieve code execution on the server.
CVE-2021-42550 4 Netapp, Qos, Redhat and 1 more 9 Cloud Manager, Service Level Manager, Snap Creator Framework and 6 more 2024-11-21 6.6 Medium
In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.
CVE-2021-39154 6 Debian, Fedoraproject, Netapp and 3 more 21 Debian Linux, Fedora, Snapmanager and 18 more 2024-11-21 8.5 High
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
CVE-2021-39153 6 Debian, Fedoraproject, Netapp and 3 more 19 Debian Linux, Fedora, Snapmanager and 16 more 2024-11-21 8.5 High
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream, if using the version out of the box with Java runtime version 14 to 8 or with JavaFX installed. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
CVE-2021-39152 6 Debian, Fedoraproject, Netapp and 3 more 21 Debian Linux, Fedora, Snapmanager and 18 more 2024-11-21 8.5 High
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.18.
CVE-2021-39151 6 Debian, Fedoraproject, Netapp and 3 more 21 Debian Linux, Fedora, Snapmanager and 18 more 2024-11-21 8.5 High
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
CVE-2021-39150 6 Debian, Fedoraproject, Netapp and 3 more 21 Debian Linux, Fedora, Snapmanager and 18 more 2024-11-21 8.5 High
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.18.
CVE-2021-39149 6 Debian, Fedoraproject, Netapp and 3 more 21 Debian Linux, Fedora, Snapmanager and 18 more 2024-11-21 8.5 High
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
CVE-2021-39148 6 Debian, Fedoraproject, Netapp and 3 more 21 Debian Linux, Fedora, Snapmanager and 18 more 2024-11-21 8.5 High
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
CVE-2021-39147 6 Debian, Fedoraproject, Netapp and 3 more 21 Debian Linux, Fedora, Snapmanager and 18 more 2024-11-21 8.5 High
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.