Red Hat JBoss Fuse

42 known vulnerabilities across versions
Vulnerabilities are listed by affected version.
CVE-2024-7885 · all versions · 7.5 HIGH
A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple r

CVE-2023-44487 · all versions · 7.5 HIGH
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams q

CVE-2022-4492 · all versions · 7.5 HIGH
The undertow client is not checking the server identity presented by the server certificate in https connections. This is a compul

CVE-2022-2764 · all versions · 4.9 MEDIUM
A flaw was found in Undertow. Denial of service can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invoca

CVE-2022-2053 · all versions · 7.5 HIGH
When a POST request comes through AJP and the request exceeds the max-post-size limit (maxEntitySize), Undertow's AjpServerRequest

CVE-2021-4104 · all versions · 7.5 HIGH
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j config

CVE-2021-3642 · all versions · 5.3 MEDIUM
A flaw was found in Wildfly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final where Scra

CVE-2020-14340 · all versions · 5.9 MEDIUM
A vulnerability was discovered in XNIO where file descriptor leak caused by growing amounts of NIO Selector file handles between g

CVE-2021-20218 · all versions · 7.4 HIGH
A flaw was found in the fabric8 kubernetes-client in version 4.2.0 and after. This flaw allows a malicious pod/container to cause

CVE-2020-27782 · all versions · 7.5 HIGH
A flaw was found in the Undertow AJP connector. Malicious requests and abrupt connection closes could be triggered by an attacker

CVE-2020-1717 · all versions · 2.7 LOW
A flaw was found in Keycloak 7.0.1. A logged in user can do an account email enumeration attack.

CVE-2020-10734 · all versions · 3.3 LOW
A vulnerability was found in keycloak in the way that the OIDC logout endpoint does not have CSRF protection. Versions shipped wit

CVE-2020-25689 · all versions · 5.3 MEDIUM
A memory leak flaw was found in WildFly in all versions up to 21.0.0.Final, where host-controller tries to reconnect in a loop, ge

CVE-2020-25644 · all versions · 7.5 HIGH
A memory leak flaw was found in WildFly OpenSSL in versions prior to 1.1.3.Final, where it removes an HTTP session. It may allow t

CVE-2020-10714 · all versions · 7.5 HIGH
A flaw was found in WildFly Elytron version 1.11.3.Final and before. When using WildFly Elytron FORM authentication with a session

CVE-2020-10718 · all versions · 7.5 HIGH
A flaw was found in Wildfly before wildfly-embedded-13.0.0.Final, where the embedded managed process API has an exposed setting of

CVE-2020-14307 · all versions · 6.5 MEDIUM
A vulnerability was found in Wildfly's Enterprise Java Beans (EJB) versions shipped with Red Hat JBoss EAP 7, where SessionOpenInv

CVE-2020-14297 · all versions · 6.5 MEDIUM
A flaw was discovered in Wildfly's EJB Client as shipped with Red Hat JBoss EAP 7, where some specific EJB transaction objects may

CVE-2020-1714 · all versions · 8.8 HIGH
A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks.

CVE-2020-1718 · all versions · 7.1 HIGH
A flaw was found in the reset credential flow in all Keycloak versions before 8.0.0. This flaw allows an attacker to gain unauthor

CVE-2020-1757 · all versions · 8.1 HIGH
A flaw was found in all undertow-2.x.x SP1 versions prior to undertow-2.0.30.SP1, all undertow-1.x.x and undertow-2.x.x versions p

CVE-2019-14887 · all versions · 9.1 CRITICAL
A flaw was found when an OpenSSL security provider is used with Wildfly, the 'enabled-protocols' value in the Wildfly configuratio

CVE-2019-14892 · all versions · 9.8 CRITICAL
A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deser

CVE-2019-14888 · all versions · 7.5 HIGH
A vulnerability was found in the Undertow HTTP server in versions before 2.0.28.SP1 when listening on HTTPS. An attacker can targe

CVE-2019-14820 · all versions · 4.3 MEDIUM
It was found that keycloak before version 8.0.0 exposes internal adapter endpoints in org.keycloak.constants.AdapterConstants, whi

CVE-2016-1000229 · all versions · 6.1 MEDIUM
swagger-ui has XSS in key names

CVE-2019-10172 · all versions · 7.5 HIGH
A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar CVE-2016-

CVE-2019-10212 · >= 7.0.0 and <= 7.4 · 9.8 CRITICAL
A flaw was found in Undertow, in all versions under 2.0.20, in the DEBUG log for io.undertow.request.security. If enabled, an attacker could a

CVE-2015-7559 · all versions · 2.7 LOW
It was found that the Apache ActiveMQ client before 5.14.5 exposed a remote shutdown command in the ActiveMQConnection class. An a

CVE-2016-8653 · all versions · 5.3 MEDIUM
It was found that the JMX endpoint of Red Hat JBoss Fuse 6, and Red Hat A-MQ 6 deserializes the credentials passed to it. An attac

CVE-2016-8648 · all versions · 7.2 HIGH
It was found that the Karaf container used by Red Hat JBoss Fuse 6.x, and Red Hat JBoss A-MQ 6.x, deserializes objects passed to M

CVE-2017-2589 · all versions · 8.7 HIGH
It was discovered that the hawtio servlet 1.4 uses a single HttpClient instance to proxy requests with a persistent cookie store (

CVE-2017-12196 · all versions · 4.8 MEDIUM
undertow before versions 1.4.18.SP1, 2.0.2.Final, 1.4.24.Final was found vulnerable when using Digest authentication, the server d

CVE-2014-0121 · all versions · 9.8 CRITICAL
The admin terminal in Hawt.io does not require authentication, which allows remote attackers to execute arbitrary commands via the

CVE-2014-0120 · all versions · 8.8 HIGH
Cross-site request forgery (CSRF) vulnerability in the admin terminal in Hawt.io allows remote attackers to hijack the authenticat

CVE-2015-7501 · all versions · 9.8 CRITICAL
Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterp

CVE-2014-8175 · <= 6.1.0
Red Hat JBoss Fuse before 6.2.0 allows remote authenticated users to bypass intended restrictions and access the HawtIO console by

CVE-2013-7398 · <= 6.1.0
main/java/com/ning/http/client/AsyncHttpClientConfig.java in Async Http Client (aka AHC or async-http-client) before 1.9.0 does no

CVE-2013-7397 · <= 6.1.0
Async Http Client (aka AHC or async-http-client) before 1.9.0 skips X.509 certificate verification unless both a keyStore location

CVE-2014-5075 · <= 6.1.0
The Ignite Realtime Smack XMPP API 4.x before 4.0.2, and 3.x and 2.x when a custom SSLContext is used, does not verify that the se

CVE-2014-0085 · all versions
JBoss Fuse did not enable encrypted passwords by default in its usage of Apache Zookeeper. This permitted sensitive information di

CVE-2013-4372 · all versions
Multiple cross-site scripting (XSS) vulnerabilities in Fuse Management Console in Red Hat JBoss Fuse 6.0.0 before patch 3 and JBos
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin