Max CVSS 7.5 Min CVSS 4.0 Total Count2
IDCVSSSummaryLast (major) updatePublished
CVE-2020-10683 7.5
dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any a
25-07-2022 - 18:15 01-05-2020 - 19:15
CVE-2020-6950 4.3
Directory traversal in Eclipse Mojarra before 2.3.14 allows attackers to read arbitrary files via the loc parameter or con parameter.
12-05-2022 - 14:06 02-06-2021 - 16:15
CVE-2020-10693 5.0
A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping
10-05-2022 - 15:46 06-05-2020 - 14:15
CVE-2019-14900 4.0
A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. Th
29-04-2022 - 17:08 06-07-2020 - 19:15
CVE-2020-1748 5.0
A flaw was found in all supported versions before wildfly-elytron-1.6.8.Final-redhat-00001, where the WildFlySecurityManager checks were bypassed when using custom security managers, resulting in an improper authorization. This flaw leads to informat
28-04-2022 - 18:33 16-09-2020 - 16:15
CVE-2020-10687 5.8
A flaw was discovered in all versions of Undertow before Undertow 2.2.0.Final, where HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an
22-02-2022 - 10:05 23-09-2020 - 13:15
CVE-2020-1695 5.0
A flaw was found in all resteasy 3.x.x versions prior to 3.12.0.Final and all resteasy 4.x.x versions prior to 4.6.0.Final, where an improper input validation results in returning an illegal header that integrates into the server's response. This fla
01-01-2022 - 17:33 19-05-2020 - 15:15
CVE-2020-10673 6.8
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus).
07-12-2021 - 19:44 18-03-2020 - 22:15
CVE-2020-10672 6.8
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms).
07-12-2021 - 19:44 18-03-2020 - 22:15
CVE-2020-9548 6.8
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).
02-12-2021 - 21:23 02-03-2020 - 04:15
CVE-2020-9546 6.8
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).
02-12-2021 - 21:22 02-03-2020 - 04:15
CVE-2020-9547 6.8
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).
02-12-2021 - 21:22 02-03-2020 - 04:15
CVE-2020-14307 4.0
A vulnerability was found in Wildfly's Enterprise Java Beans (EJB) versions shipped with Red Hat JBoss EAP 7, where SessionOpenInvocations are never removed from the remote InvocationTracker after a response is received in the EJB Client, as well as
04-11-2021 - 16:01 24-07-2020 - 16:15
CVE-2020-8840 7.5
FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.
22-02-2021 - 21:45 10-02-2020 - 21:56
CVE-2020-10714 5.1
A flaw was found in WildFly Elytron version 1.11.3.Final and before. When using WildFly Elytron FORM authentication with a session ID in the URL, an attacker could perform a session fixation attack. The highest threat from this vulnerability is to da
23-12-2020 - 08:15 23-09-2020 - 13:15
CVE-2020-10687 6.4
A flaw was discovered in all versions of Undertow before Undertow 2.2.0.Final, where HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an
30-09-2020 - 18:12 23-09-2020 - 13:15
CVE-2020-10687 6.4
A flaw was discovered in all versions of Undertow before Undertow 2.2.0.Final, where HTTP request smuggling related to CVE-2017-2666 is possible against HTTP/1.x and HTTP/2 due to permitting invalid characters in an HTTP request. This flaw allows an
30-09-2020 - 18:12 23-09-2020 - 13:15
CVE-2020-10714 5.1
A flaw was found in WildFly Elytron version 1.11.3.Final and before. When using WildFly Elytron FORM authentication with a session ID in the URL, an attacker could perform a session fixation attack. The highest threat from this vulnerability is to da
29-09-2020 - 18:10 23-09-2020 - 13:15
CVE-2020-10714 5.1
A flaw was found in WildFly Elytron version 1.11.3.Final and before. When using WildFly Elytron FORM authentication with a session ID in the URL, an attacker could perform a session fixation attack. The highest threat from this vulnerability is to da
29-09-2020 - 18:10 23-09-2020 - 13:15
CVE-2020-1748 5.0
A flaw was found in all supported versions before wildfly-elytron-1.6.8.Final-redhat-00001, where the WildFlySecurityManager checks were bypassed when using custom security managers, resulting in an improper authorization. This flaw leads to informat
28-09-2020 - 18:19 16-09-2020 - 16:15
CVE-2020-1710 5.0
The issue appears to be that JBoss EAP 6.4.21 does not parse the field-name in accordance to RFC7230[1] as it returns a 200 instead of a 400.
22-09-2020 - 20:20 16-09-2020 - 15:15
CVE-2020-10718 5.0
A flaw was found in Wildfly before wildfly-embedded-13.0.0.Final, where the embedded managed process API has an exposed setting of the Thread Context Classloader (TCCL). This setting is exposed as a public method, which can bypass the security manage
22-09-2020 - 18:52 16-09-2020 - 19:15
CVE-2020-14297 4.0
A flaw was discovered in Wildfly's EJB Client as shipped with Red Hat JBoss EAP 7, where some specific EJB transaction objects may get accumulated over the time and can cause services to slow down and eventaully unavailable. An attacker can take adva
29-07-2020 - 16:46 24-07-2020 - 16:15
CVE-2020-10740 6.0
A vulnerability was found in Wildfly in versions before 20.0.0.Final, where a remote deserialization attack is possible in the Enterprise Application Beans(EJB) due to lack of validation/filtering capabilities in wildfly.
10-07-2020 - 18:10 22-06-2020 - 18:15
Back to Top Mark selected
Back to Top