Filtered by vendor Redhat
Subscriptions
Filtered by product Jbosseapxp
Subscriptions
Total
71 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-2240 | 1 Redhat | 9 Apache Camel Spring Boot, Apicurio Registry, Camel Quarkus and 6 more | 2025-11-14 | 7.5 High |
| A flaw was found in Smallrye, where smallrye-fault-tolerance is vulnerable to an out-of-memory (OOM) issue. This vulnerability is externally triggered when calling the metrics URI. Every call creates a new object within meterMap and may lead to a denial of service (DoS) issue. | ||||
| CVE-2024-11831 | 1 Redhat | 34 Acm, Advanced Cluster Security, Ansible Automation Platform and 31 more | 2025-11-13 | 5.4 Medium |
| A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package. | ||||
| CVE-2025-9784 | 1 Redhat | 15 Apache Camel Hawtio, Build Of Apache Camel For Spring Boot, Camel Spring Boot and 12 more | 2025-11-12 | 7.5 High |
| A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS). | ||||
| CVE-2025-2251 | 1 Redhat | 2 Jboss Enterprise Application Platform, Jbosseapxp | 2025-11-11 | 6.2 Medium |
| A security flaw exists in WildFly and JBoss Enterprise Application Platform (EAP) within the Enterprise JavaBeans (EJB) remote invocation mechanism. This vulnerability stems from untrusted data deserialization handled by JBoss Marshalling. This flaw allows an attacker to send a specially crafted serialized object, leading to remote code execution without requiring authentication. | ||||
| CVE-2024-10492 | 1 Redhat | 4 Build Keycloak, Jboss Enterprise Application Platform, Jbosseapxp and 1 more | 2025-11-11 | N/A |
| A vulnerability was found in Keycloak. A user with high privileges could read sensitive information from a Vault file that is not within the expected context. This attacker must have previous high access to the Keycloak server in order to perform resource creation, for example, an LDAP provider configuration and set up a Vault read file, which will only inform whether that file exists or not. | ||||
| CVE-2024-4029 | 1 Redhat | 7 Build Keycloak, Jboss Data Grid, Jboss Enterprise Application Platform and 4 more | 2025-11-11 | 4.1 Medium |
| A vulnerability was found in Wildfly’s management interface. Due to the lack of limitation of sockets for the management interface, it may be possible to cause a denial of service hitting the nofile limit as there is no possibility to configure or set a maximum number of connections. | ||||
| CVE-2024-12397 | 1 Redhat | 13 Amq Streams, Apache Camel Hawtio, Build Keycloak and 10 more | 2025-11-11 | 7.4 High |
| A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie values or spoof arbitrary additional cookie values, leading to unauthorized data access or modification. The main threat from this flaw impacts data confidentiality and integrity. | ||||
| CVE-2024-10270 | 1 Redhat | 4 Build Keycloak, Jboss Enterprise Application Platform, Jbosseapxp and 1 more | 2025-11-11 | 6.5 Medium |
| A vulnerability was found in the Keycloak-services package. If untrusted data is passed to the SearchQueryUtils method, it could lead to a denial of service (DoS) scenario by exhausting system resources due to a Regex complexity. | ||||
| CVE-2024-10234 | 1 Redhat | 8 Build Keycloak, Build Of Keycloak, Jboss Data Grid and 5 more | 2025-11-11 | 6.1 Medium |
| A vulnerability was found in Wildfly, where a user may perform Cross-site scripting in the Wildfly deployment system. This flaw allows an attacker or insider to execute a deployment with a malicious payload, which could trigger undesired behavior against the server. | ||||
| CVE-2024-1102 | 2 Jberet, Redhat | 7 Jberet, Build Keycloak, Jboss Data Grid and 4 more | 2025-11-11 | 6.5 Medium |
| A vulnerability was found in jberet-core logging. An exception in 'dbProperties' might display user credentials such as the username and password for the database-connection. | ||||
| CVE-2024-8447 | 1 Redhat | 3 Jboss Data Grid, Jboss Enterprise Application Platform, Jbosseapxp | 2025-11-11 | 5.9 Medium |
| A security issue was discovered in the LRA Coordinator component of Narayana. When Cancel is called in LRA, an execution time of approximately 2 seconds occurs. If Join is called with the same LRA ID within that timeframe, the application may crash or hang indefinitely, leading to a denial of service. | ||||
| CVE-2025-7784 | 1 Redhat | 5 Build Keycloak, Build Of Keycloak, Jboss Enterprise Application Platform and 2 more | 2025-11-07 | 6.5 Medium |
| A flaw was found in the Keycloak identity and access management system when Fine-Grained Admin Permissions(FGAPv2) are enabled. An administrative user with the manage-users role can escalate their privileges to realm-admin due to improper privilege enforcement. This vulnerability allows unauthorized elevation of access rights, compromising the intended separation of administrative duties and posing a security risk to the realm. | ||||
| CVE-2024-7885 | 1 Redhat | 21 Apache Camel Hawtio, Apache Camel Spring Boot, Build Keycloak and 18 more | 2025-11-07 | 7.5 High |
| A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. This issue occurs when the parseProxyProtocolV1 method processes multiple requests on the same HTTP connection. As a result, different requests may share the same StringBuilder instance, potentially leading to information leakage between requests or responses. In some cases, a value from a previous request or response may be erroneously reused, which could lead to unintended data exposure. This issue primarily results in errors and connection termination but creates a risk of data leakage in multi-request environments. | ||||
| CVE-2024-6162 | 1 Redhat | 11 Apache Camel Hawtio, Apache Camel Spring Boot, Build Keycloak and 8 more | 2025-11-07 | 7.5 High |
| A vulnerability was found in Undertow, where URL-encoded request paths can be mishandled during concurrent requests on the AJP listener. This issue arises because the same buffer is used to decode the paths for multiple requests simultaneously, leading to incorrect path information being processed. As a result, the server may attempt to access the wrong path, causing errors such as "404 Not Found" or other application failures. This flaw can potentially lead to a denial of service, as legitimate resources become inaccessible due to the path mix-up. | ||||
| CVE-2024-1233 | 1 Redhat | 3 Jboss Enterprise Application Platform, Jboss Enterprise Application Platform Eus, Jbosseapxp | 2025-11-07 | 7.3 High |
| A flaw was found in` JwtValidator.resolvePublicKey` in JBoss EAP, where the validator checks jku and sends a HTTP request. During this process, no whitelisting or other filtering behavior is performed on the destination URL address, which may result in a server-side request forgery (SSRF) vulnerability. | ||||
| CVE-2024-5971 | 1 Redhat | 12 Apache Camel Hawtio, Apache Camel Spring Boot, Build Keycloak and 9 more | 2025-11-07 | 7.5 High |
| A vulnerability was found in Undertow, where the chunked response hangs after the body was flushed. The response headers and body were sent but the client would continue waiting as Undertow does not send the expected 0\r\n termination of the chunked response. This results in uncontrolled resource consumption, leaving the server side to a denial of service attack. This happens only with Java 17 TLSv1.3 scenarios. | ||||
| CVE-2023-6717 | 1 Redhat | 15 Amq Broker, Build Keycloak, Jboss Data Grid and 12 more | 2025-11-07 | 6 Medium |
| A flaw was found in the SAML client registration in Keycloak that could allow an administrator to register malicious JavaScript URIs as Assertion Consumer Service POST Binding URLs (ACS), posing a Cross-Site Scripting (XSS) risk. This issue may allow a malicious admin in one realm or a client with registration access to target users in different realms or applications, executing arbitrary JavaScript in their contexts upon form submission. This can enable unauthorized access and harmful actions, compromising the confidentiality, integrity, and availability of the complete KC instance. | ||||
| CVE-2023-5236 | 2 Infinispan, Redhat | 12 Infinispan, Camel Quarkus, Camel Spring Boot and 9 more | 2025-11-07 | 4.4 Medium |
| A flaw was found in Infinispan, which does not detect circular object references when unmarshalling. An authenticated attacker with sufficient permissions could insert a maliciously constructed object into the cache and use it to cause out of memory errors and achieve a denial of service. | ||||
| CVE-2023-5685 | 1 Redhat | 12 Apache-camel-spring-boot, Apache Camel Hawtio, Build Keycloak and 9 more | 2025-11-07 | 7.5 High |
| A flaw was found in XNIO. The XNIO NotifierState that can cause a Stack Overflow Exception when the chain of notifier states becomes problematically large can lead to uncontrolled resource management and a possible denial of service (DoS). | ||||
| CVE-2024-3653 | 1 Redhat | 17 Amq Streams, Apache Camel Hawtio, Build Keycloak and 14 more | 2025-11-07 | 5.3 Medium |
| A vulnerability was found in Undertow. This issue requires enabling the learning-push handler in the server's config, which is disabled by default, leaving the maxAge config in the handler unconfigured. The default is -1, which makes the handler vulnerable. If someone overwrites that config, the server is not subject to the attack. The attacker needs to be able to reach the server with a normal HTTP request. | ||||