Export limit exceeded: 357784 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (105 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2013-2192 | 2 Apache, Redhat | 4 Hadoop, Jboss Amq, Jboss Fuse and 1 more | 2025-04-11 | N/A |
| The RPC protocol implementation in Apache Hadoop 2.x before 2.0.6-alpha, 0.23.x before 0.23.9, and 1.x before 1.2.1, when the Kerberos security features are enabled, allows man-in-the-middle attackers to disable bidirectional authentication and obtain sensitive information by forcing a downgrade to simple authentication. | ||||
| CVE-2013-6429 | 3 Pivotal Software, Redhat, Vmware | 4 Spring Framework, Jboss Amq, Jboss Fuse and 1 more | 2025-04-11 | N/A |
| The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315. | ||||
| CVE-2013-4372 | 1 Redhat | 6 Fuse Esb Enterprise, Fuse Management Console, Fuse Mq Enterprise and 3 more | 2025-04-11 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in Fuse Management Console in Red Hat JBoss Fuse 6.0.0 before patch 3 and JBoss A-MQ 6.0.0 before patch 3 allow remote attackers to inject arbitrary web script or HTML via the (1) user field in the create user page or (2) profile version to the create profile page. | ||||
| CVE-2013-4221 | 2 Redhat, Restlet | 6 Fuse Esb Enterprise, Fuse Management Console, Fuse Mq Enterprise and 3 more | 2025-04-11 | N/A |
| The default configuration of the ObjectRepresentation class in Restlet before 2.1.4 deserializes objects from untrusted sources using the Java XMLDecoder, which allows remote attackers to execute arbitrary Java code via crafted XML. | ||||
| CVE-2012-5783 | 3 Apache, Canonical, Redhat | 12 Httpclient, Ubuntu Linux, Enterprise Linux and 9 more | 2025-04-11 | N/A |
| Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. | ||||
| CVE-2020-13933 | 3 Apache, Debian, Redhat | 4 Shiro, Debian Linux, Jboss Amq and 1 more | 2024-11-21 | 7.5 High |
| Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass. | ||||
| CVE-2019-9827 | 2 Hawt, Redhat | 4 Hawtio, Amq Broker, Jboss Amq and 1 more | 2024-11-21 | N/A |
| Hawt Hawtio through 2.5.0 is vulnerable to SSRF, allowing a remote attacker to trigger an HTTP request from an affected server to an arbitrary host via the initial /proxy/ substring of a URI. | ||||
| CVE-2019-20445 | 6 Apache, Canonical, Debian and 3 more | 20 Spark, Ubuntu Linux, Debian Linux and 17 more | 2024-11-21 | 9.1 Critical |
| HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header. | ||||
| CVE-2019-0223 | 2 Apache, Redhat | 17 Qpid, A Mq Clients, Cloudforms Managementengine and 14 more | 2024-11-21 | 7.4 High |
| While investigating bug PROTON-2014, we discovered that under some circumstances Apache Qpid Proton versions 0.9 to 0.27.0 (C library and its language bindings) can connect to a peer anonymously using TLS *even when configured to verify the peer certificate* while used with OpenSSL versions before 1.1.0. This means that an undetected man in the middle attack could be constructed if an attacker can arrange to intercept TLS traffic. | ||||
| CVE-2019-0201 | 5 Apache, Debian, Netapp and 2 more | 14 Activemq, Drill, Zookeeper and 11 more | 2024-11-21 | 5.9 Medium |
| An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users. | ||||
| CVE-2018-9159 | 2 Redhat, Sparkjava | 3 Jboss Amq, Jboss Fuse, Spark | 2024-11-21 | N/A |
| In Spark before 2.7.2, a remote attacker can read unintended static files via various representations of absolute or relative pathnames, as demonstrated by file: URLs and directory traversal sequences. NOTE: this product is unrelated to Ignite Realtime Spark. | ||||
| CVE-2018-8039 | 2 Apache, Redhat | 6 Cxf, Enterprise Linux, Jboss Amq and 3 more | 2024-11-21 | N/A |
| It is possible to configure Apache CXF to use the com.sun.net.ssl implementation via 'System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");'. When this system property is set, CXF uses some reflection to try to make the HostnameVerifier work with the old com.sun.net.ssl.HostnameVerifier interface. However, the default HostnameVerifier implementation in CXF does not implement the method in this interface, and an exception is thrown. However, in Apache CXF prior to 3.2.5 and 3.1.16 the exception is caught in the reflection code and not properly propagated. What this means is that if you are using the com.sun.net.ssl stack with CXF, an error with TLS hostname verification will not be thrown, leaving a CXF client subject to man-in-the-middle attacks. | ||||
| CVE-2018-10899 | 2 Jolokia, Redhat | 4 Jolokia, Jboss Amq, Jboss Fuse and 1 more | 2024-11-21 | N/A |
| A flaw was found in Jolokia versions from 1.2 to before 1.6.1. Affected versions are vulnerable to a system-wide CSRF. This holds true for properly configured instances with strict checking for origin and referrer headers. This could result in a Remote Code Execution attack. | ||||
| CVE-2018-1000129 | 2 Jolokia, Redhat | 3 Jolokia, Jboss Amq, Jboss Fuse | 2024-11-21 | N/A |
| An XSS vulnerability exists in the Jolokia agent version 1.3.7 in the HTTP servlet that allows an attacker to execute malicious javascript in the victim's browser. | ||||
| CVE-2017-7559 | 1 Redhat | 4 Jboss Amq, Jboss Enterprise Application Platform, Jboss Fuse and 1 more | 2024-11-21 | N/A |
| In Undertow 2.x before 2.0.0.Alpha2, 1.4.x before 1.4.17.Final, and 1.3.x before 1.3.31.Final, it was found that the fix for CVE-2017-2666 was incomplete and invalid characters are still allowed in the query string and path parameters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other than their own. | ||||
| CVE-2017-7536 | 1 Redhat | 9 Enterprise Linux, Hibernate Validator, Jboss Amq and 6 more | 2024-11-21 | 7.0 High |
| In Hibernate Validator 5.2.x before 5.2.5 final, 5.3.x, and 5.4.x, it was found that when the security manager's reflective permissions, which allows it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue(). | ||||
| CVE-2017-2594 | 2 Hawt, Redhat | 3 Hawtio, Jboss Amq, Jboss Fuse | 2024-11-21 | N/A |
| hawtio before versions 2.0-beta-1, 2.0-beta-2 2.0-m1, 2.0-m2, 2.0-m3, and 1.5 is vulnerable to a path traversal that leads to a NullPointerException with a full stacktrace. An attacker could use this flaw to gather undisclosed information from within hawtio's root. | ||||
| CVE-2017-2589 | 2 Hawt, Redhat | 3 Hawtio, Jboss Amq, Jboss Fuse | 2024-11-21 | N/A |
| It was discovered that the hawtio servlet 1.4 uses a single HttpClient instance to proxy requests with a persistent cookie store (cookies are stored locally and are not passed between the client and the end URL) which means all clients using that proxy are sharing the same cookies. | ||||
| CVE-2017-12165 | 1 Redhat | 4 Jboss Amq, Jboss Enterprise Application Platform, Jboss Fuse and 1 more | 2024-11-21 | N/A |
| It was discovered that Undertow before 1.4.17, 1.3.31 and 2.0.0 processes http request headers with unusual whitespaces which can cause possible http request smuggling. | ||||
| CVE-2017-1000487 | 3 Codehaus-plexus, Debian, Redhat | 4 Plexus-utils, Debian Linux, Jboss Amq and 1 more | 2024-11-21 | 9.8 Critical |
| Plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents of double quoted strings. | ||||