Max CVSS | 7.5 | Min CVSS | 4.0 | Total Count | 2 |

ID | CVSS | Summary | Last (major) update | Published |
--- | --- | --- | --- | --- |
CVE-2020-10673 | 6.8 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus). | 03-07-2024 - 01:36 | 18-03-2020 - 22:15 |
CVE-2020-10672 | 6.8 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms). | 03-07-2024 - 01:36 | 18-03-2020 - 22:15 |
CVE-2020-14297 | 4.0 | A flaw was discovered in Wildfly's EJB Client as shipped with Red Hat JBoss EAP 7, where some specific EJB transaction objects may get accumulated over the time and can cause services to slow down and eventually unavailable. An attacker can take adva | 29-12-2023 - 17:55 | 24-07-2020 - 16:15 |
CVE-2020-9548 | 6.8 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core). | 13-09-2023 - 14:57 | 02-03-2020 - 04:15 |
CVE-2020-9547 | 6.8 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap). | 13-09-2023 - 14:57 | 02-03-2020 - 04:15 |
CVE-2020-8840 | 7.5 | FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter. | 08-06-2023 - 17:54 | 10-02-2020 - 21:56 |
CVE-2020-14307 | 4.0 | A vulnerability was found in Wildfly's Enterprise Java Beans (EJB) versions shipped with Red Hat JBoss EAP 7, where SessionOpenInvocations are never removed from the remote InvocationTracker after a response is received in the EJB Client, as well as | 12-02-2023 - 23:39 | 24-07-2020 - 16:15 |
CVE-2020-10714 | 5.1 | A flaw was found in WildFly Elytron version 1.11.3.Final and before. When using WildFly Elytron FORM authentication with a session ID in the URL, an attacker could perform a session fixation attack. The highest threat from this vulnerability is to da | 08-11-2022 - 13:58 | 23-09-2020 - 13:15 |
CVE-2020-10683 | 7.5 | dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any a | 25-07-2022 - 18:15 | 01-05-2020 - 19:15 |
CVE-2020-6950 | 4.3 | Directory traversal in Eclipse Mojarra before 2.3.14 allows attackers to read arbitrary files via the loc parameter or con parameter. | 12-05-2022 - 14:06 | 02-06-2021 - 16:15 |
CVE-2020-10693 | 5.0 | A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping | 10-05-2022 - 15:46 | 06-05-2020 - 14:15 |
CVE-2019-14900 | 4.0 | A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. Th | 29-04-2022 - 17:08 | 06-07-2020 - 19:15 |
CVE-2020-1748 | 5.0 | A flaw was found in all supported versions before wildfly-elytron-1.6.8.Final-redhat-00001, where the WildFlySecurityManager checks were bypassed when using custom security managers, resulting in an improper authorization. This flaw leads to informat | 28-04-2022 - 18:33 | 16-09-2020 - 16:15 |
CVE-2020-11612 | 5.0 | The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free m | 26-04-2022 - 17:05 | 07-04-2020 - 18:15 |
CVE-2020-10687 | 5.8 | A flaw was discovered in all versions of Undertow before Undertow 2.2.0.Final, where HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an | 22-02-2022 - 10:05 | 23-09-2020 - 13:15 |
CVE-2020-1695 | 5.0 | A flaw was found in all resteasy 3.x.x versions prior to 3.12.0.Final and all resteasy 4.x.x versions prior to 4.6.0.Final, where an improper input validation results in returning an illegal header that integrates into the server's response. This fla | 01-01-2022 - 17:33 | 19-05-2020 - 15:15 |
CVE-2020-9546 | 6.8 | FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config). | 02-12-2021 - 21:22 | 02-03-2020 - 04:15 |
CVE-2020-10687 | 6.4 | A flaw was discovered in all versions of Undertow before Undertow 2.2.0.Final, where HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an | 30-09-2020 - 18:12 | 23-09-2020 - 13:15 |
CVE-2020-10714 | 5.1 | A flaw was found in WildFly Elytron version 1.11.3.Final and before. When using WildFly Elytron FORM authentication with a session ID in the URL, an attacker could perform a session fixation attack. The highest threat from this vulnerability is to da | 29-09-2020 - 18:10 | 23-09-2020 - 13:15 |
CVE-2020-1748 | 5.0 | A flaw was found in all supported versions before wildfly-elytron-1.6.8.Final-redhat-00001, where the WildFlySecurityManager checks were bypassed when using custom security managers, resulting in an improper authorization. This flaw leads to informat | 28-09-2020 - 18:19 | 16-09-2020 - 16:15 |
CVE-2020-11612 | 7.5 | The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free m | 25-09-2020 - 20:15 | 07-04-2020 - 18:15 |
CVE-2020-1710 | 5.0 | The issue appears to be that JBoss EAP 6.4.21 does not parse the field-name in accordance to RFC7230[1] as it returns a 200 instead of a 400. | 22-09-2020 - 20:20 | 16-09-2020 - 15:15 |
CVE-2020-10718 | 5.0 | A flaw was found in Wildfly before wildfly-embedded-13.0.0.Final, where the embedded managed process API has an exposed setting of the Thread Context Classloader (TCCL). This setting is exposed as a public method, which can bypass the security manage | 22-09-2020 - 18:52 | 16-09-2020 - 19:15 |
CVE-2020-10740 | 6.0 | A vulnerability was found in Wildfly in versions before 20.0.0.Final, where a remote deserialization attack is possible in the Enterprise Application Beans (EJB) due to lack of validation/filtering capabilities in wildfly. | 10-07-2020 - 18:10 | 22-06-2020 - 18:15 |