The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of JBoss EAP by Red Hat

vulnerability announcement CVE-2019-3888

Undertow: information disclosure via UndertowLogger.REQUEST_LOGGER.undertowRequestFailed

Synthesis of the vulnerability

When a request fails, Undertow logs it through UndertowLogger.REQUEST_LOGGER.undertowRequestFailed together with the full request URL, so credentials or tokens passed in the query string end up in the server log. An attacker who can read that log (hence the "user shell" provenance below) obtains this sensitive information.
Impacted products: JBoss EAP by Red Hat, Red Hat SSO.
Severity: 1/4.
Consequences: data reading.
Provenance: user shell.
Creation date: 11/06/2019.
Identifiers: CVE-2019-3888, RHSA-2019:1419-01, RHSA-2019:1420-01, RHSA-2019:1421-01, RHSA-2019:1424-01, RHSA-2019:1456-01, VIGILANCE-VUL-29492.

computer vulnerability bulletin CVE-2019-3894

Red Hat JBoss Enterprise Application Platform, WildFly: privilege escalation via ElytronManagedThread

Synthesis of the vulnerability

An ElytronManagedThread stores the SecurityIdentity it was created with, and pooled threads are not necessarily terminated once their keep-alive time expires. A later task scheduled onto such a thread can therefore run under a previously stored, more privileged identity, which lets an attacker on Red Hat JBoss Enterprise Application Platform escalate his privileges.
Impacted products: JBoss EAP by Red Hat, Red Hat SSO, WildFly.
Severity: 1/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: intranet server.
Creation date: 06/05/2019.
Identifiers: CVE-2019-3894, RHSA-2019:1106-01, RHSA-2019:1107-01, RHSA-2019:1108-01, RHSA-2019:1140-01, VIGILANCE-VUL-29228.

computer vulnerability announcement CVE-2019-3805

WildFly: privilege escalation via PID File

Synthesis of the vulnerability

The WildFly service script trusts the PID file when it stops the server. A local user who can write that file can make the script, which runs as root, signal a process of his choosing, in order to kill other services or escalate his privileges.
Impacted products: JBoss EAP by Red Hat, Red Hat SSO, WildFly.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, denial of service on server.
Provenance: user shell.
Creation date: 06/05/2019.
Identifiers: CVE-2019-3805, RHSA-2019:1106-01, RHSA-2019:1107-01, RHSA-2019:1108-01, RHSA-2019:1140-01, VIGILANCE-VUL-29227.

vulnerability announcement CVE-2018-11307

jackson-databind: information disclosure via Default Typing

Synthesis of the vulnerability

With default typing enabled, the JSON document itself names the Java class that jackson-databind instantiates. An attacker who submits a crafted document to an application that has a suitable class on its classpath (here a serialization gadget from MyBatis) can bypass access restrictions to data, in order to obtain sensitive information.
Impacted products: Debian, Oracle Communications, WebLogic, RHEL, JBoss EAP by Red Hat, Red Hat SSO.
Severity: 2/4.
Consequences: data reading.
Provenance: document.
Creation date: 04/03/2019.
Identifiers: cpujan2019, cpujul2019, CVE-2018-11307, DLA-1703-1, DSA-4452-1, RHSA-2019:0782-01, RHSA-2019:1106-01, RHSA-2019:1107-01, RHSA-2019:1108-01, RHSA-2019:1140-01, VIGILANCE-VUL-28642.

computer vulnerability bulletin CVE-2018-14720

jackson-databind: external XML entity injection via JDK Classes

Synthesis of the vulnerability

With default typing enabled, a JSON document can name JDK classes that jackson-databind did not yet block and that parse XML with external entities enabled. An attacker can transmit such a document to jackson-databind, in order to read a file, scan sites, or trigger a denial of service.
Impacted products: Debian, Fedora, Oracle Communications, Oracle Fusion Middleware, Tuxedo, WebLogic, RHEL, JBoss EAP by Red Hat, Red Hat SSO.
Severity: 2/4.
Consequences: data reading, denial of service on service.
Provenance: document.
Creation date: 19/02/2019.
Identifiers: cpuapr2019, cpujan2019, CVE-2018-14720, DLA-1703-1, DSA-4452-1, FEDORA-2019-df57551f6d, RHSA-2019:0782-01, RHSA-2019:1106-01, RHSA-2019:1107-01, RHSA-2019:1108-01, RHSA-2019:1140-01, VIGILANCE-VUL-28548.

computer vulnerability announcement CVE-2018-14721

jackson-databind: information disclosure via axis2-jaxws SSRF

Synthesis of the vulnerability

With default typing enabled, a JSON document can name an axis2-jaxws class that jackson-databind did not yet block and that issues an outbound request when instantiated. An attacker can use this server-side request forgery to reach hosts the server can see, in order to obtain sensitive information.
Impacted products: Debian, Fedora, Oracle Communications, Oracle Fusion Middleware, Tuxedo, WebLogic, RHEL, JBoss EAP by Red Hat, Red Hat SSO.
Severity: 2/4.
Consequences: data reading.
Provenance: document.
Creation date: 19/02/2019.
Identifiers: cpuapr2019, cpujan2019, CVE-2018-14721, DLA-1703-1, DSA-4452-1, FEDORA-2019-df57551f6d, RHSA-2019:0782-01, RHSA-2019:1106-01, RHSA-2019:1107-01, RHSA-2019:1108-01, RHSA-2019:1140-01, VIGILANCE-VUL-28547.
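The three jackson-databind entries above (CVE-2018-11307, CVE-2018-14720, CVE-2018-14721) share one precondition: default typing is enabled, so the JSON document names the class to instantiate, and each library fix only extended the blocklist of known-dangerous classes. The example below is added for this page and is not code from Vigil@nce, Red Hat or the Jackson project. It shows the weak configuration beside the allow-list form that jackson-databind 2.10 and later provide; Shape and Circle are hypothetical application types, and both JSON inputs are constructed. java.util.HashMap is used as a harmless stand-in for "whatever class the attacker chose"; a real payload would name a gadget class present on the server's classpath, which is exactly what the blocklist entries behind these CVEs enumerate.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    // Hypothetical application types; a field declared as Shape is legitimately polymorphic.
    public interface Shape {}

    public static class Circle implements Shape {
        public double r;
    }

    // Weak: global default typing with no validator (the precondition shared by
    // CVE-2018-11307, CVE-2018-14720 and CVE-2018-14721). The JSON document may now
    // name any class on the classpath as the type to instantiate.
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(); // deprecated since 2.10 for exactly this reason
        return m;
    }

    // Hardened (jackson-databind 2.10+): default typing only through an allow-list.
    // Only Circle (or a subclass of it) may ever be named by a type id.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Circle.class)
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // true if the mapper instantiated whatever class the document named as an Object,
    // false if the polymorphic type validator refused the type id.
    static boolean instantiatesNamedClass(ObjectMapper m, String json) {
        try {
            return m.readValue(json, Object.class) != null;
        } catch (InvalidTypeIdException e) {
            return false;
        } catch (java.io.IOException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs in default typing's WRAPPER_ARRAY form: [typeId, value].
        String legit = "[\"" + Circle.class.getName() + "\", {\"r\": 2.0}]";
        // java.util.HashMap is harmless; it stands in for "a class the attacker chose".
        String foreign = "[\"java.util.HashMap\", {}]";

        Shape s = hardenedMapper().readValue(legit, Shape.class);
        System.out.println("allow-listed subtype accepted: " + (s instanceof Circle));
        System.out.println("weak mapper instantiates attacker-named class: "
                + instantiatesNamedClass(weakMapper(), foreign));
        System.out.println("hardened mapper instantiates attacker-named class: "
                + instantiatesNamedClass(hardenedMapper(), foreign));
    }
}
```

Compile and run with jackson-databind 2.10 or later (and its jackson-core and jackson-annotations dependencies) on the classpath. On the 2.9.x line, activateDefaultTyping does not exist; there the only safe configuration is to never call enableDefaultTyping and to restrict polymorphism to the specific fields that need it with @JsonTypeInfo(use = NAME) and an explicit @JsonSubTypes list, so that the type id is a short name mapped to a fixed set of classes rather than an arbitrary class name.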

computer vulnerability note CVE-2018-14642

Undertow: information disclosure via ByteBuffer Flushing

Synthesis of the vulnerability

If the response headers do not all fit in the first write, Undertow's buffer-flushing code writes out the full contents of its writev buffer, which may still hold data from previous requests. A client can therefore receive fragments of other clients' responses and so obtain sensitive information.
Impacted products: JBoss EAP by Red Hat, Red Hat SSO.
Severity: 2/4.
Consequences: data reading.
Provenance: intranet client.
Creation date: 19/02/2019.
Identifiers: CVE-2018-14642, RHBUG-1628702, RHSA-2019:0362-01, RHSA-2019:0364-01, RHSA-2019:0365-01, RHSA-2019:0380-01, RHSA-2019:1106-01, RHSA-2019:1107-01, RHSA-2019:1108-01, RHSA-2019:1140-01, VIGILANCE-VUL-28539.

computer vulnerability bulletin CVE-2018-10934

WildFly: Cross Site Scripting via JBoss Management Console

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via JBoss Management Console of WildFly, in order to run JavaScript code in the context of the web site.
Impacted products: JBoss EAP by Red Hat, Red Hat SSO, WildFly.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 19/02/2019.
Identifiers: CVE-2018-10934, RHBUG-1615673, RHSA-2019:0362-01, RHSA-2019:0364-01, RHSA-2019:0365-01, RHSA-2019:0380-01, RHSA-2019:1159-01, RHSA-2019:1160-01, RHSA-2019:1161-01, RHSA-2019:1162-01, VIGILANCE-VUL-28538.

Description of the vulnerability

The WildFly product offers a web service.

However, it does not sanitise data received via the JBoss Management Console before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via the JBoss Management Console of WildFly, in order to run JavaScript code in the context of the web site.

computer vulnerability announcement CVE-2018-14667

RichFaces Framework: code execution via UserResource Expression Language Injection

Synthesis of the vulnerability

RichFaces 3.x evaluates attacker-controlled input reaching its UserResource resource as an Expression Language expression. A remote, unauthenticated attacker can inject an expression there, in order to run code on the server.
Impacted products: JBoss EAP by Red Hat.
Severity: 2/4.
Consequences: user access/rights.
Provenance: document.
Creation date: 07/11/2018.
Identifiers: CVE-2018-14667, RHSA-2018:3517-01, RHSA-2018:3518-01, RHSA-2018:3581-01, VIGILANCE-VUL-27707.

vulnerability announcement CVE-2018-1000632

dom4j: XML injection via Element.addElement and Element.addAttribute

Synthesis of the vulnerability

dom4j before 2.1.1 does not validate the names passed to Element.addElement and Element.addAttribute and writes them verbatim, so a name built from untrusted input can close the current tag and inject further elements or attributes into the generated document. An attacker can thereby tamper with the XML documents an application produces with dom4j; this is an XML injection (CWE-91), not an external entity (XXE) issue.
Impacted products: Debian, Snap Creator Framework, SnapManager, openSUSE Leap, JBoss EAP by Red Hat, Red Hat SSO, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Consequences: data reading, denial of service on service.
Provenance: document.
Creation date: 25/09/2018.
Identifiers: CVE-2018-1000632, DLA-1517-1, NTAP-20190530-0001, openSUSE-SU-2018:2931-1, openSUSE-SU-2018:3998-1, openSUSE-SU-2018:4045-1, RHSA-2019:0362-01, RHSA-2019:0364-01, RHSA-2019:0365-01, RHSA-2019:0380-01, RHSA-2019:1159-01, RHSA-2019:1160-01, RHSA-2019:1161-01, RHSA-2019:1162-01, SUSE-SU-2018:3424-1, SUSE-SU-2018:3908-1, VIGILANCE-VUL-27312.
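To make the dom4j defect concrete: the example below is added for this page and is not code from dom4j, Vigil@nce or Red Hat. It builds a small document from a name taken from "user input" (a constructed string) once without and once with a name check. The regular expression is a deliberately simplified ASCII subset of the XML Name production; it is an assumption of this demo that the application only ever needs such identifiers. dom4j 2.1.1 and later reject the hostile name themselves (they throw IllegalArgumentException as far as we know; treat the exact exception type as an assumption), but validating before the call works on every version.

```java
import java.util.regex.Pattern;
import org.dom4j.Document;
import org.dom4j.DocumentHelper;
import org.dom4j.Element;

public class Dom4jNameInjectionDemo {

    // Simplified ASCII subset of the XML Name production (assumption: ASCII identifiers
    // are all the application needs). It excludes '<', '>', '/', '"', '=' and whitespace,
    // which is precisely what an injected tag or attribute would require.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z_][A-Za-z0-9_.-]*");

    static String requireName(String candidate) {
        if (candidate == null || !SAFE_NAME.matcher(candidate).matches()) {
            throw new IllegalArgumentException("refusing non-Name for element/attribute: " + candidate);
        }
        return candidate;
    }

    // Vulnerable pattern on dom4j < 2.1.1: untrusted input becomes an element name
    // and is written verbatim by the serializer.
    static String buildUnchecked(String untrustedName) {
        Document doc = DocumentHelper.createDocument();
        Element root = doc.addElement("order");
        root.addElement(untrustedName).setText("1");
        return doc.asXML();
    }

    // Hardened: validate the name before it ever reaches dom4j.
    static String buildChecked(String untrustedName) {
        Document doc = DocumentHelper.createDocument();
        Element root = doc.addElement("order");
        root.addElement(requireName(untrustedName)).setText("1");
        return doc.asXML();
    }

    public static void main(String[] args) {
        String benign = "quantity";
        // Constructed attacker input: a "name" that closes the tag and opens another one.
        String hostile = "quantity><admin>true</admin><quantity";

        System.out.println(buildChecked(benign));

        try {
            // On dom4j < 2.1.1 this prints the injected <admin> element inside <order>.
            System.out.println(buildUnchecked(hostile));
        } catch (IllegalArgumentException e) {
            System.out.println("dom4j itself rejected the name: " + e.getMessage());
        }

        try {
            buildChecked(hostile);
        } catch (IllegalArgumentException e) {
            System.out.println("validator rejected the name: " + e.getMessage());
        }
    }
}
```

Run it once against dom4j 2.1.0 and once against 2.1.1 to see the difference in the unchecked path; the checked path behaves the same on both. The same check belongs in front of addAttribute, and of any other API that turns application strings into markup structure rather than into text content.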
