Product:

Jboss_fuse

(Redhat)
Repositories https://github.com/hawtio/hawtio
https://github.com/jboss-fuse/fuse
#Vulnerabilities 41
Date Id Summary Products Score Patch Annotated
2022-08-05 CVE-2022-2053 When a POST request comes through AJP and the request exceeds the max-post-size limit (maxEntitySize), Undertow's AjpServerRequestConduit implementation closes a connection without sending any response to the client/proxy. This behavior results in that a front-end proxy marking the backend worker (application server) as an error state and not forward requests to the worker for a while. In mod_cluster, this continues until the next STATUS request (10 seconds intervals) from the application... Integration_camel_k, Jboss_fuse, Undertow 7.5
2021-06-02 CVE-2020-14340 A vulnerability was discovered in XNIO where file descriptor leak caused by growing amounts of NIO Selector file handles between garbage collection cycles. It may allow the attacker to cause a denial of service. It affects XNIO versions 3.6.0.Beta1 through 3.8.1.Final. Communications_cloud_native_core_console, Communications_cloud_native_core_network_repository_function, Communications_cloud_native_core_policy, Communications_cloud_native_core_security_edge_protection_proxy, Communications_cloud_native_core_service_communication_proxy, Communications_cloud_native_core_unified_data_repository, Jboss_brms, Jboss_data_grid, Jboss_data_virtualization, Jboss_enterprise_application_platform, Jboss_fuse, Jboss_operations_network, Jboss_soa_platform, Xnio 5.9
2020-01-23 CVE-2019-14888 A vulnerability was found in the Undertow HTTP server in versions before 2.0.28.SP1 when listening on HTTPS. An attacker can target the HTTPS port to carry out a Denial Of Service (DOS) to make the service unavailable on SSL. Active_iq_unified_manager, Jboss_data_grid, Jboss_enterprise_application_platform, Jboss_fuse, Single_sign\-On, Undertow 7.5
2019-10-02 CVE-2019-10212 A flaw was found in, all under 2.0.20, in the Undertow DEBUG log for io.undertow.request.security. If enabled, an attacker could abuse this flaw to obtain the user's credentials from the log files. Active_iq_unified_manager, Jboss_data_grid, Jboss_enterprise_application_platform, Jboss_fuse, Openshift_application_runtimes, Single_sign\-On, Undertow 9.8
2020-03-16 CVE-2019-14887 A flaw was found when an OpenSSL security provider is used with Wildfly, the 'enabled-protocols' value in the Wildfly configuration isn't honored. An attacker could target the traffic sent from Wildfly and downgrade the connection to a weaker version of TLS, potentially breaking the encryption. This could lead to a leak of the data being passed over the network. Wildfly version 7.2.0.GA, 7.2.3.GA and 7.2.5.CR2 are believed to be vulnerable. Jboss_data_grid, Jboss_enterprise_application_platform, Jboss_fuse, Openshift_application_runtimes, Single_sign\-On, Wildfly 9.1
2020-01-08 CVE-2019-14820 It was found that keycloak before version 8.0.0 exposes internal adapter endpoints in org.keycloak.constants.AdapterConstants, which can be invoked via a specially-crafted URL. This vulnerability could allow an attacker to access unauthorized information. Jboss_enterprise_application_platform, Jboss_fuse, Keycloak, Single_sign\-On 4.3
2021-08-05 CVE-2021-3642 A flaw was found in Wildfly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final where ScramServer may be susceptible to Timing Attack if enabled. The highest threat of this vulnerability is confidentiality. Quarkus, Build_of_quarkus, Codeready_studio, Data_grid, Descision_manager, Integration_camel_k, Integration_camel_quarkus, Jboss_enterprise_application_platform, Jboss_enterprise_application_platform_expansion_pack, Jboss_fuse, Openshift_application_runtimes, Process_automation, Wildfly_elytron 5.3
2020-05-13 CVE-2020-1714 A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized in a privileged context and potentially lead to remote code execution. Quarkus, Decision_manager, Jboss_fuse, Keycloak, Openshift_application_runtimes, Process_automation, Single_sign\-On 8.8
2021-03-16 CVE-2021-20218 A flaw was found in the fabric8 kubernetes-client in version 4.2.0 and after. This flaw allows a malicious pod/container to cause applications using the fabric8 kubernetes-client `copy` command to extract files outside the working path. The highest threat from this vulnerability is to integrity and system availability. This has been fixed in kubernetes-client-4.13.2 kubernetes-client-5.0.2 kubernetes-client-4.11.2 kubernetes-client-4.7.2 A\-Mq_online, Build_of_quarkus, Codeready_studio, Descision_manager, Integration_camel_k, Jboss_fuse, Kubernetes\-Client, Openshift_container_platform, Process_automation 7.4
2021-02-23 CVE-2020-27782 A flaw was found in the Undertow AJP connector. Malicious requests and abrupt connection closes could be triggered by an attacker using query strings with non-RFC compliant characters resulting in a denial of service. The highest threat from this vulnerability is to system availability. This affects Undertow 2.1.5.SP1, 2.0.33.SP2, and 2.2.3.SP1. Jboss_fuse, Openshift_application_runtimes, Undertow 7.5