Vulnerabilities (CVE)

Filtered by vendor Redhat Subscribe
Filtered by product Fuse
Total 19 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2016-4437 2 Apache, Redhat 4 Aurora, Shiro, Fuse and 1 more 2024-07-24 6.8 MEDIUM 9.8 CRITICAL
Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.
CVE-2017-12617 6 Apache, Canonical, Debian and 3 more 58 Tomcat, Ubuntu Linux, Debian Linux and 55 more 2024-07-16 6.8 MEDIUM 8.1 HIGH
When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
CVE-2015-1427 2 Elastic, Redhat 2 Elasticsearch, Fuse 2024-07-16 7.5 HIGH 9.8 CRITICAL
The Groovy scripting engine in Elasticsearch before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to bypass the sandbox protection mechanism and execute arbitrary shell commands via a crafted script.
CVE-2023-1108 2 Netapp, Redhat 17 Oncommand Workflow Automation, Build Of Quarkus, Decision Manager and 14 more 2024-05-03 N/A 7.5 HIGH
A flaw was found in undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status updated in SslConduit, where the loop never terminates.
CVE-2021-3690 1 Redhat 8 Enterprise Linux, Fuse, Integration Camel K and 5 more 2024-02-04 N/A 7.5 HIGH
A flaw was found in Undertow. A buffer leak on the incoming WebSocket PONG message may lead to memory exhaustion. This flaw allows an attacker to cause a denial of service. The highest threat from this vulnerability is availability.
CVE-2021-3597 2 Netapp, Redhat 9 Active Iq Unified Manager, Oncommand Insight, Oncommand Workflow Automation and 6 more 2024-02-04 2.6 LOW 5.9 MEDIUM
A flaw was found in undertow. The HTTP2SourceChannel fails to write the final frame under some circumstances, resulting in a denial of service. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.35.SP1, prior to 2.2.6.SP1, prior to 2.2.7.SP1, prior to 2.0.36.SP1, prior to 2.2.9.Final and prior to 2.0.39.Final.
CVE-2020-10688 1 Redhat 5 Enterprise Linux, Fuse, Jboss Enterprise Application Platform and 2 more 2024-02-04 4.3 MEDIUM 6.1 MEDIUM
A cross-site scripting (XSS) flaw was found in RESTEasy in versions before 3.11.1.Final and before 4.5.3.Final, where it did not properly handle URL encoding when the RESTEASY003870 exception occurs. An attacker could use this flaw to launch a reflected XSS attack.
CVE-2020-25689 2 Netapp, Redhat 10 Active Iq Unified Manager, Oncommand Insight, Service Level Manager and 7 more 2024-02-04 6.8 MEDIUM 6.5 MEDIUM
A memory leak flaw was found in WildFly in all versions up to 21.0.0.Final, where host-controller tries to reconnect in a loop, generating new connections which are not properly closed while not able to connect to domain-controller. This flaw allows an attacker to cause an Out of memory (OOM) issue, leading to a denial of service. The highest threat from this vulnerability is to system availability.
CVE-2019-14900 3 Hibernate, Quarkus, Redhat 11 Hibernate Orm, Quarkus, Build Of Quarkus and 8 more 2024-02-04 4.0 MEDIUM 6.5 MEDIUM
A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.
CVE-2020-10719 2 Netapp, Redhat 9 Active Iq Unified Manager, Oncommand Insight, Oncommand Workflow Automation and 6 more 2024-02-04 6.4 MEDIUM 6.5 MEDIUM
A flaw was found in Undertow in versions before 2.1.1.Final, regarding the processing of invalid HTTP requests with large chunk sizes. This flaw allows an attacker to take advantage of HTTP request smuggling.
CVE-2019-10174 3 Infinispan, Netapp, Redhat 8 Infinispan, Active Iq Unified Manager, Enterprise Linux and 5 more 2024-02-04 6.5 MEDIUM 8.8 HIGH
A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious behavior into the application.
CVE-2019-10219 3 Netapp, Oracle, Redhat 195 Active Iq Unified Manager, Element, Management Services For Element Software And Netapp Hci and 192 more 2024-02-04 4.3 MEDIUM 6.1 MEDIUM
A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack.
CVE-2019-14860 1 Redhat 2 Fuse, Syndesis 2024-02-04 4.3 MEDIUM 6.5 MEDIUM
It was found that the Syndesis configuration for Cross-Origin Resource Sharing was set to allow all origins. An attacker could use this lack of protection to conduct phishing attacks and further access unauthorized information.
CVE-2019-0204 2 Apache, Redhat 2 Mesos, Fuse 2024-02-04 9.3 HIGH 7.8 HIGH
A specifically crafted Docker image running under the root user can overwrite the init helper binary of the container runtime and/or the command executor in Apache Mesos versions pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.2, 1.6.0 to 1.6.1, and 1.7.0 to 1.7.1. A malicious actor can therefore gain root-level code execution on the host.
CVE-2019-0201 5 Apache, Debian, Netapp and 2 more 11 Activemq, Drill, Zookeeper and 8 more 2024-02-04 4.3 MEDIUM 5.9 MEDIUM
An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.
CVE-2018-1258 5 Netapp, Oracle, Pivotal Software and 2 more 42 Oncommand Insight, Oncommand Unified Manager, Oncommand Workflow Automation and 39 more 2024-02-04 6.5 MEDIUM 8.8 HIGH
Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted.
CVE-2018-1270 4 Debian, Oracle, Redhat and 1 more 28 Debian Linux, Application Testing Suite, Big Data Discovery and 25 more 2024-02-04 7.5 HIGH 9.8 CRITICAL
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
CVE-2018-1199 3 Oracle, Redhat, Vmware 5 Rapid Planning, Retail Xstore Point Of Service, Fuse and 2 more 2024-02-04 5.0 MEDIUM 5.3 MEDIUM
Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allows secured Spring MVC static resource URLs to be bypassed.
CVE-2017-5645 4 Apache, Netapp, Oracle and 1 more 79 Log4j, Oncommand Api Services, Oncommand Insight and 76 more 2024-02-04 7.5 HIGH 9.8 CRITICAL
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.