The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of JBoss EAP by Red Hat

Vulnerability bulletin CVE-2019-3888

Undertow: information disclosure via UndertowLogger.REQUEST_LOGGER.undertowRequestFailed

Synthesis of the vulnerability

An attacker can bypass access restrictions to data via UndertowLogger.REQUEST_LOGGER.undertowRequestFailed of Undertow, in order to obtain sensitive information.
Impacted products: JBoss EAP by Red Hat, Red Hat SSO.
Severity: 1/4.
Consequences: data reading.
Provenance: user shell.
Creation date: 11/06/2019.
Identifiers: CVE-2019-3888, RHSA-2019:1419-01, RHSA-2019:1420-01, RHSA-2019:1421-01, RHSA-2019:1424-01, RHSA-2019:1456-01, VIGILANCE-VUL-29492.

Vulnerability bulletin CVE-2019-3873

PicketLink: privilege escalation via xinclude Parameter URL Injection

Synthesis of the vulnerability

An attacker can bypass restrictions via xinclude Parameter URL Injection of PicketLink, in order to escalate his privileges.
Impacted products: JBoss EAP by Red Hat, Red Hat SSO.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 11/06/2019.
Identifiers: CVE-2019-3873, RHSA-2019:1419-01, RHSA-2019:1420-01, RHSA-2019:1421-01, RHSA-2019:1424-01, RHSA-2019:1456-01, VIGILANCE-VUL-29491.

Vulnerability bulletin CVE-2019-3872

PicketLink: Cross Site Scripting via SAMLRequest RelayState Parameter

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via SAMLRequest RelayState Parameter of PicketLink, in order to run JavaScript code in the context of the web site.
Impacted products: JBoss EAP by Red Hat, Red Hat SSO.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 11/06/2019.
Identifiers: CVE-2019-3872, RHSA-2019:1419-01, RHSA-2019:1420-01, RHSA-2019:1421-01, RHSA-2019:1424-01, RHSA-2019:1456-01, VIGILANCE-VUL-29490.

Vulnerability bulletin CVE-2019-3894

Red Hat JBoss Enterprise Application Platform, WildFly: privilege escalation via ElytronManagedThread

Synthesis of the vulnerability

An attacker can bypass restrictions via ElytronManagedThread of Red Hat JBoss Enterprise Application Platform, in order to escalate his privileges.
Impacted products: JBoss EAP by Red Hat, Red Hat SSO, WildFly.
Severity: 1/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: intranet server.
Creation date: 06/05/2019.
Identifiers: CVE-2019-3894, RHSA-2019:1106-01, RHSA-2019:1107-01, RHSA-2019:1108-01, RHSA-2019:1140-01, VIGILANCE-VUL-29228.

Vulnerability bulletin CVE-2019-3805

WildFly: privilege escalation via PID File

Synthesis of the vulnerability

An attacker can bypass restrictions via PID File of WildFly, in order to escalate his privileges.
Impacted products: JBoss EAP by Red Hat, Red Hat SSO, WildFly.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, denial of service on server.
Provenance: user shell.
Creation date: 06/05/2019.
Identifiers: CVE-2019-3805, RHSA-2019:1106-01, RHSA-2019:1107-01, RHSA-2019:1108-01, RHSA-2019:1140-01, VIGILANCE-VUL-29227.

Vulnerability bulletin CVE-2018-11307

jackson-databind: information disclosure via Default Typing

Synthesis of the vulnerability

An attacker can bypass access restrictions to data via Default Typing of jackson-databind, in order to obtain sensitive information.
Impacted products: Debian, Oracle Communications, WebLogic, RHEL, JBoss EAP by Red Hat, Red Hat SSO.
Severity: 2/4.
Consequences: data reading.
Provenance: document.
Creation date: 04/03/2019.
Identifiers: cpujan2019, cpujul2019, CVE-2018-11307, DLA-1703-1, DSA-4452-1, RHSA-2019:0782-01, RHSA-2019:1106-01, RHSA-2019:1107-01, RHSA-2019:1108-01, RHSA-2019:1140-01, VIGILANCE-VUL-28642.

Vulnerability bulletin CVE-2018-14720

jackson-databind: external XML entity injection via JDK Classes

Synthesis of the vulnerability

An attacker can transmit malicious XML data via JDK Classes to jackson-databind, in order to read a file, scan sites, or trigger a denial of service.
Impacted products: Debian, Fedora, Oracle Communications, Oracle Fusion Middleware, Tuxedo, WebLogic, RHEL, JBoss EAP by Red Hat, Red Hat SSO.
Severity: 2/4.
Consequences: data reading, denial of service on service.
Provenance: document.
Creation date: 19/02/2019.
Identifiers: 5048, cpuapr2019, cpujan2019, CVE-2018-14720, DLA-1703-1, DSA-4452-1, FEDORA-2019-df57551f6d, RHSA-2019:0782-01, RHSA-2019:1106-01, RHSA-2019:1107-01, RHSA-2019:1108-01, RHSA-2019:1140-01, VIGILANCE-VUL-28548.

Vulnerability bulletin CVE-2018-14721

jackson-databind: information disclosure via axis2-jaxws SSRF

Synthesis of the vulnerability

An attacker can bypass access restrictions to data via axis2-jaxws SSRF of jackson-databind, in order to obtain sensitive information.
Impacted products: Debian, Fedora, Oracle Communications, Oracle Fusion Middleware, Tuxedo, WebLogic, RHEL, JBoss EAP by Red Hat, Red Hat SSO.
Severity: 2/4.
Consequences: data reading.
Provenance: document.
Creation date: 19/02/2019.
Identifiers: 5048, cpuapr2019, cpujan2019, CVE-2018-14721, DLA-1703-1, DSA-4452-1, FEDORA-2019-df57551f6d, RHSA-2019:0782-01, RHSA-2019:1106-01, RHSA-2019:1107-01, RHSA-2019:1108-01, RHSA-2019:1140-01, VIGILANCE-VUL-28547.

Vulnerability bulletin CVE-2018-14642

Undertow: information disclosure via ByteBuffer Flushing

Synthesis of the vulnerability

An attacker can bypass access restrictions to data via ByteBuffer Flushing of Undertow, in order to obtain sensitive information.
Impacted products: JBoss EAP by Red Hat, Red Hat SSO.
Severity: 2/4.
Consequences: data reading.
Provenance: intranet client.
Creation date: 19/02/2019.
Identifiers: CVE-2018-14642, RHBUG-1628702, RHSA-2019:0362-01, RHSA-2019:0364-01, RHSA-2019:0365-01, RHSA-2019:0380-01, RHSA-2019:1106-01, RHSA-2019:1107-01, RHSA-2019:1108-01, RHSA-2019:1140-01, VIGILANCE-VUL-28539.

Vulnerability bulletin CVE-2018-10934

WildFly: Cross Site Scripting via JBoss Management Console

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via JBoss Management Console of WildFly, in order to run JavaScript code in the context of the web site.
Impacted products: JBoss EAP by Red Hat, Red Hat SSO, WildFly.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 19/02/2019.
Identifiers: CVE-2018-10934, RHBUG-1615673, RHSA-2019:0362-01, RHSA-2019:0364-01, RHSA-2019:0365-01, RHSA-2019:0380-01, RHSA-2019:1159-01, RHSA-2019:1160-01, RHSA-2019:1161-01, RHSA-2019:1162-01, VIGILANCE-VUL-28538.

Description of the vulnerability

The WildFly product offers a web service.

However, it does not filter data received via the JBoss Management Console before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via JBoss Management Console of WildFly, in order to run JavaScript code in the context of the web site.