RHSA-2026:4924

Vulnerability from csaf_redhat - Published: 2026-03-18 13:54 - Updated: 2026-03-18 20:51
Summary
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.24 security update
Severity
Important
Notes
Topic: A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details: Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.24 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.23, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.24 Release Notes for information about the most significant bug fixes and enhancements included in this release. Security Fix(es): * jackson-core: jackson-core Potential StackoverflowError (CVE-2025-52999) * undertow-core: Undertow HTTP Server Fails to Reject Malformed Host Headers Leading to Potential Cache Poisoning and SSRF [eap-7.4.z] (CVE-2025-12543) * cxf: CXF JMS Code Execution Vulnerability [eap-7.4.z] (CVE-2025-48913) * netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability (CVE-2025-55163) * org.eclipse.jgit: XXE vulnerability in Eclipse JGit [eap-7.4.z] (CVE-2025-4949) * hibernate-core: Hibernate: Information disclosure and data deletion via second-order SQL injection [eap-7.4.z] (CVE-2026-0603) * com.google.protobuf/protobuf-java: StackOverflow vulnerability in Protocol Buffers (CVE-2024-7254) * undertow: OutOfMemory when parsing form data encoding with application/x-www-form-urlencoded [eap-7.4.z] (CVE-2024-3884) * undertow-core: Undertow MadeYouReset HTTP/2 DDoS Vulnerability (CVE-2025-9784) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
CVE-2024-3884

A flaw was found in Undertow that can cause remote denial of service attacks. When the server uses the FormEncodedDataDefinition.doParse(StreamSourceChannel) method to parse large form data encoding with application/x-www-form-urlencoded, the method will cause an OutOfMemory issue. This flaw allows unauthorized users to cause a remote denial of service (DoS) attack.

7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-20 - Improper Input Validation
Vendor Fix Before applying the update, make sure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 https://access.redhat.com/errata/RHSA-2026:4924
Workaround It is possible to mitigate the vulnerability by performing an upper-level verification to ensure the content size sent server side is within the allowed parameters.
CVE-2024-7254

A flaw was found in Protocol Buffers (protobuf). This issue can allows an attacker to cause a StackOverflow via parsing untrusted Protocol Buffers data containing arbitrarily nested SGROUP tags, leading to unbounded recursion.

7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-770 - Allocation of Resources Without Limits or Throttling
Vendor Fix Before applying the update, make sure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 https://access.redhat.com/errata/RHSA-2026:4924
Workaround Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
CVE-2025-4949

A flaw was found in Eclipse JGit. This vulnerability can allow information disclosure, denial of service, and other security issues when parsing XML files.

4.8 (Medium)
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H
CWE-611 - Improper Restriction of XML External Entity Reference
Vendor Fix Before applying the update, make sure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 https://access.redhat.com/errata/RHSA-2026:4924
CVE-2025-9784

A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).

7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-770 - Allocation of Resources Without Limits or Throttling
Vendor Fix Before applying the update, make sure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 https://access.redhat.com/errata/RHSA-2026:4924
Workaround No mitigation is currently available that meets Red Hat Product Security’s standards for usability, deployment, applicability, or stability.
CVE-2025-12543

A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests.As a result, requests containing malformed or malicious Host headers are processed without rejection, enabling attackers to poison caches, perform internal network scans, or hijack user sessions.

9.6 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L
CWE-20 - Improper Input Validation
Vendor Fix Before applying the update, make sure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 https://access.redhat.com/errata/RHSA-2026:4924
Workaround Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use, applicability, or stability.
CVE-2025-48913

A flaw was found in org.apache.cxf/cxf, where untrusted users can configure JMS to allow the specification of RMI or LDAP URLs, possibly leading to code execution. This vulnerability allows an attacker to provide malicious protocol URLs during JMS configuration.

8.3 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
CWE-20 - Improper Input Validation
Vendor Fix Before applying the update, make sure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 https://access.redhat.com/errata/RHSA-2026:4924
Workaround To reduce risk, deployments should restrict the allowed protocols in JMS configuration to trusted and expected values only. In particular, disallow the use of rmi:// and ldap:// URLs, which could be abused for remote class loading and code execution.
CVE-2025-52999

A nested data handling flaw was found in Jackson Core. When parsing particularly deeply nested data structures, a StackoverflowError can occur.

7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-121 - Stack-based Buffer Overflow
Vendor Fix Before applying the update, make sure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 https://access.redhat.com/errata/RHSA-2026:4924
Workaround To mitigate this vulnerability, the recommendation is to avoid parsing input files from untrusted sources that may have excessively deep nested data structures; anything with a depth over 1000.
CVE-2025-55163

A flaw was found in Netty where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).

7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-770 - Allocation of Resources Without Limits or Throttling
Vendor Fix Before applying the update, make sure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 https://access.redhat.com/errata/RHSA-2026:4924
Workaround No mitigation is currently available that meets Red Hat Product Security’s standards for usability, deployment, applicability, or stability.
CVE-2026-0603

A flaw was found in Hibernate. A remote attacker with low privileges could exploit a second-order SQL injection vulnerability by providing specially crafted, unsanitized non-alphanumeric characters in the ID column when the InlineIdsOrClauseBuilder is used. This could lead to sensitive information disclosure, such as reading system files, and allow for data manipulation or deletion within the application's database, resulting in an application level denial of service.

8.3 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Vendor Fix Before applying the update, make sure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 https://access.redhat.com/errata/RHSA-2026:4924
Workaround Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
References
https://access.redhat.com/errata/RHSA-2026:4924 self
https://access.redhat.com/security/updates/classi… external
https://docs.redhat.com/en/documentation/red_hat_… external
https://docs.redhat.com/en/documentation/red_hat_… external
https://bugzilla.redhat.com/show_bug.cgi?id=2275287 external
https://bugzilla.redhat.com/show_bug.cgi?id=2313454 external
https://bugzilla.redhat.com/show_bug.cgi?id=2367730 external
https://bugzilla.redhat.com/show_bug.cgi?id=2374804 external
https://bugzilla.redhat.com/show_bug.cgi?id=2387221 external
https://bugzilla.redhat.com/show_bug.cgi?id=2388252 external
https://bugzilla.redhat.com/show_bug.cgi?id=2392306 external
https://bugzilla.redhat.com/show_bug.cgi?id=2408784 external
https://bugzilla.redhat.com/show_bug.cgi?id=2427147 external
https://security.access.redhat.com/data/csaf/v2/a… self
https://access.redhat.com/security/cve/CVE-2024-3884 self
https://bugzilla.redhat.com/show_bug.cgi?id=2275287 external
https://www.cve.org/CVERecord?id=CVE-2024-3884 external
https://nvd.nist.gov/vuln/detail/CVE-2024-3884 external
https://access.redhat.com/security/cve/CVE-2024-7254 self
https://bugzilla.redhat.com/show_bug.cgi?id=2313454 external
https://www.cve.org/CVERecord?id=CVE-2024-7254 external
https://nvd.nist.gov/vuln/detail/CVE-2024-7254 external
https://github.com/protocolbuffers/protobuf/commi… external
https://access.redhat.com/security/cve/CVE-2025-4949 self
https://bugzilla.redhat.com/show_bug.cgi?id=2367730 external
https://www.cve.org/CVERecord?id=CVE-2025-4949 external
https://nvd.nist.gov/vuln/detail/CVE-2025-4949 external
https://gitlab.eclipse.org/security/cve-assigneme… external
https://gitlab.eclipse.org/security/vulnerability… external
https://projects.eclipse.org/projects/technology.… external
https://access.redhat.com/security/cve/CVE-2025-9784 self
https://bugzilla.redhat.com/show_bug.cgi?id=2392306 external
https://www.cve.org/CVERecord?id=CVE-2025-9784 external
https://nvd.nist.gov/vuln/detail/CVE-2025-9784 external
https://github.com/undertow-io/undertow/pull/1778 external
https://github.com/undertow-io/undertow/releases/… external
https://issues.redhat.com/browse/UNDERTOW-2598 external
https://kb.cert.org/vuls/id/767506 external
https://access.redhat.com/security/cve/CVE-2025-12543 self
https://bugzilla.redhat.com/show_bug.cgi?id=2408784 external
https://www.cve.org/CVERecord?id=CVE-2025-12543 external
https://nvd.nist.gov/vuln/detail/CVE-2025-12543 external
https://access.redhat.com/security/cve/CVE-2025-48913 self
https://bugzilla.redhat.com/show_bug.cgi?id=2387221 external
https://www.cve.org/CVERecord?id=CVE-2025-48913 external
https://nvd.nist.gov/vuln/detail/CVE-2025-48913 external
https://lists.apache.org/thread/f1nv488ztc0js4g5m… external
https://access.redhat.com/security/cve/CVE-2025-52999 self
https://bugzilla.redhat.com/show_bug.cgi?id=2374804 external
https://www.cve.org/CVERecord?id=CVE-2025-52999 external
https://nvd.nist.gov/vuln/detail/CVE-2025-52999 external
https://github.com/FasterXML/jackson-core/pull/943 external
https://github.com/FasterXML/jackson-core/securit… external
https://access.redhat.com/security/cve/CVE-2025-55163 self
https://bugzilla.redhat.com/show_bug.cgi?id=2388252 external
https://www.cve.org/CVERecord?id=CVE-2025-55163 external
https://nvd.nist.gov/vuln/detail/CVE-2025-55163 external
https://github.com/netty/netty/security/advisorie… external
https://access.redhat.com/security/cve/CVE-2026-0603 self
https://bugzilla.redhat.com/show_bug.cgi?id=2427147 external
https://www.cve.org/CVERecord?id=CVE-2026-0603 external
https://nvd.nist.gov/vuln/detail/CVE-2026-0603 external
Acknowledgments
Ahmet Artuç
YouGina Christiaan Swiers
HeroDevs Tommy Williams
To clipboard 

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.24 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.23, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.24 Release Notes for information about the most significant bug fixes and enhancements included in this release.\n\nSecurity Fix(es):\n\n* jackson-core: jackson-core Potential StackoverflowError (CVE-2025-52999)\n\n* undertow-core: Undertow HTTP Server Fails to Reject Malformed Host Headers Leading to Potential Cache Poisoning and SSRF [eap-7.4.z] (CVE-2025-12543)\n\n* cxf: CXF JMS Code Execution Vulnerability [eap-7.4.z] (CVE-2025-48913)\n\n* netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability (CVE-2025-55163)\n\n* org.eclipse.jgit: XXE vulnerability in Eclipse JGit [eap-7.4.z] (CVE-2025-4949)\n\n* hibernate-core: Hibernate: Information disclosure and data deletion via second-order SQL injection [eap-7.4.z] (CVE-2026-0603)\n\n* com.google.protobuf/protobuf-java: StackOverflow vulnerability in Protocol Buffers (CVE-2024-7254)\n\n* undertow: OutOfMemory when parsing form data encoding with application/x-www-form-urlencoded [eap-7.4.z] (CVE-2024-3884)\n\n* undertow-core: Undertow MadeYouReset HTTP/2 DDoS Vulnerability (CVE-2025-9784)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:4924",
        "url": "https://access.redhat.com/errata/RHSA-2026:4924"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.4",
        "url": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.4"
      },
      {
        "category": "external",
        "summary": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/index",
        "url": "https://docs.redhat.com/en/documentation/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/index"
      },
      {
        "category": "external",
        "summary": "2275287",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2275287"
      },
      {
        "category": "external",
        "summary": "2313454",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2313454"
      },
      {
        "category": "external",
        "summary": "2367730",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2367730"
      },
      {
        "category": "external",
        "summary": "2374804",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2374804"
      },
      {
        "category": "external",
        "summary": "2387221",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2387221"
      },
      {
        "category": "external",
        "summary": "2388252",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2388252"
      },
      {
        "category": "external",
        "summary": "2392306",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2392306"
      },
      {
        "category": "external",
        "summary": "2408784",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2408784"
      },
      {
        "category": "external",
        "summary": "2427147",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2427147"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_4924.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.24 security update",
    "tracking": {
      "current_release_date": "2026-03-18T20:51:15+00:00",
      "generator": {
        "date": "2026-03-18T20:51:15+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.7.3"
        }
      },
      "id": "RHSA-2026:4924",
      "initial_release_date": "2026-03-18T13:54:46+00:00",
      "revision_history": [
        {
          "date": "2026-03-18T13:54:46+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-03-18T13:54:46+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-03-18T20:51:15+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat JBoss Enterprise Application Platform 7.4",
                "product": {
                  "name": "Red Hat JBoss Enterprise Application Platform 7.4",
                  "product_id": "Red Hat JBoss Enterprise Application Platform 7.4",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Enterprise Application Platform"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-3884",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "discovery_date": "2024-04-16T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2275287"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Undertow that can cause remote denial of service attacks. When the server uses the FormEncodedDataDefinition.doParse(StreamSourceChannel) method to parse large form data encoding with application/x-www-form-urlencoded, the method will cause an OutOfMemory issue. This flaw allows unauthorized users to cause a remote denial of service (DoS) attack.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "undertow: OutOfMemory when parsing form data encoding with application/x-www-form-urlencoded",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat rates this as a Moderate impact since this requires the use of a specific form method by the server that must be externally available and the input is not sanitized by the given servlet or class implementing its use.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Enterprise Application Platform 7.4"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-3884"
        },
        {
          "category": "external",
          "summary": "RHBZ#2275287",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2275287"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-3884",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-3884"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-3884",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3884"
        }
      ],
      "release_date": "2025-12-03T16:50:50+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-18T13:54:46+00:00",
          "details": "Before applying the update, make sure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 7.4"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:4924"
        },
        {
          "category": "workaround",
          "details": "It is possible to mitigate the vulnerability by performing an upper-level verification to ensure the content size sent server side is within the allowed parameters.",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 7.4"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat JBoss Enterprise Application Platform 7.4"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "undertow: OutOfMemory when parsing form data encoding with application/x-www-form-urlencoded"
    },
    {
      "cve": "CVE-2024-7254",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2024-09-19T01:20:29.981665+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2313454"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Protocol Buffers (protobuf). This issue can allows an attacker to cause a StackOverflow via parsing untrusted Protocol Buffers data containing arbitrarily nested SGROUP tags, leading to unbounded recursion.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "protobuf: StackOverflow vulnerability in Protocol Buffers",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue represents a significant severity risk because unbounded recursion in Protocol Buffers parsing can be exploited to trigger stack overflows, leading to Denial of Service (DoS). When parsers, such as `DiscardUnknownFieldsParser` or the Java Protobuf Lite parser, encounter arbitrarily nested groups or deeply recursive map fields, the lack of recursion depth limits can result in uncontrolled stack growth. Attackers can craft malicious protobuf messages that deliberately exceed the stack\u0027s capacity, causing the application to crash or become unresponsive.\n\nThe protobuf package as shipped in RHEL does not include the affected java or kotlin bindings, therefore RHEL is Not Affected.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Enterprise Application Platform 7.4"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-7254"
        },
        {
          "category": "external",
          "summary": "RHBZ#2313454",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2313454"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-7254",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-7254"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-7254",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7254"
        },
        {
          "category": "external",
          "summary": "https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa",
          "url": "https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa"
        }
      ],
      "release_date": "2024-09-19T01:15:10.963000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-18T13:54:46+00:00",
          "details": "Before applying the update, make sure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 7.4"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:4924"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 7.4"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat JBoss Enterprise Application Platform 7.4"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "protobuf: StackOverflow vulnerability in Protocol Buffers"
    },
    {
      "cve": "CVE-2025-4949",
      "cwe": {
        "id": "CWE-611",
        "name": "Improper Restriction of XML External Entity Reference"
      },
      "discovery_date": "2025-05-21T07:00:48.762597+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2367730"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Eclipse JGit. This vulnerability can allow information disclosure, denial of service, and other security issues when parsing XML files.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "org.eclipse.jgit: XXE vulnerability in Eclipse JGit",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability is rated Moderate for Red Hat products. A flaw in Eclipse JGit allows for XML External Entity (XXE) attacks when parsing specially crafted XML files. This can lead to local denial of service in affected Red Hat products that utilize JGit\u0027s ManifestParser or AmazonS3 class for git transport. The current 9.8 rating by NVD assumes a default, server-side exploitation path. However, the vulnerability resides in the experimental AmazonS3 transport class within Eclipse JGit, which is not enabled by default and requires non-standard configuration (Attack Complexity: High). Furthermore, exploitation typically occurs via client-side tools (e.g., repo) requiring active user participation (User Interaction: Required), limiting the primary risk to local Denial of Service rather than remote, unauthenticated compromise (Availability: High).",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Enterprise Application Platform 7.4"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-4949"
        },
        {
          "category": "external",
          "summary": "RHBZ#2367730",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2367730"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-4949",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-4949"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-4949",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4949"
        },
        {
          "category": "external",
          "summary": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/64",
          "url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/64"
        },
        {
          "category": "external",
          "summary": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/281",
          "url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/281"
        },
        {
          "category": "external",
          "summary": "https://projects.eclipse.org/projects/technology.jgit/releases/7.2.1",
          "url": "https://projects.eclipse.org/projects/technology.jgit/releases/7.2.1"
        }
      ],
      "release_date": "2025-05-21T06:47:19.777000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-18T13:54:46+00:00",
          "details": "Before applying the update, make sure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 7.4"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:4924"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat JBoss Enterprise Application Platform 7.4"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "org.eclipse.jgit: XXE vulnerability in Eclipse JGit"
    },
    {
      "cve": "CVE-2025-9784",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2025-09-01T06:19:20.938000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2392306"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the \"MadeYouReset\" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "undertow: Undertow MadeYouReset HTTP/2 DDoS Vulnerability",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability is rated with an Important severity. It is simple to exploit because it does not require authentication and could result in a Denial of Service (DoS). While some DoS flaws are classified as Moderate, \u201cMadeYouReset\u201d is Important because of the limited barriers (no specialized tooling or advanced scripting) to exploitation, which directly impacts service availability. The vulnerability arises from an implementation weakness in HTTP/2 stream reset handling \u2014 malformed client requests can trigger server-side resets without incrementing abuse counters, allowing an attacker to bypass built-in request throttling and overhead limits. Since these resets consume CPU and memory resources and can be generated at scale over a single TCP/TLS connection, a remote attacker could exhaust server capacity quickly, impacting all legitimate clients.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Enterprise Application Platform 7.4"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-9784"
        },
        {
          "category": "external",
          "summary": "RHBZ#2392306",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2392306"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-9784",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-9784"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-9784",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9784"
        },
        {
          "category": "external",
          "summary": "https://github.com/undertow-io/undertow/pull/1778",
          "url": "https://github.com/undertow-io/undertow/pull/1778"
        },
        {
          "category": "external",
          "summary": "https://github.com/undertow-io/undertow/releases/tag/2.2.38.Final",
          "url": "https://github.com/undertow-io/undertow/releases/tag/2.2.38.Final"
        },
        {
          "category": "external",
          "summary": "https://issues.redhat.com/browse/UNDERTOW-2598",
          "url": "https://issues.redhat.com/browse/UNDERTOW-2598"
        },
        {
          "category": "external",
          "summary": "https://kb.cert.org/vuls/id/767506",
          "url": "https://kb.cert.org/vuls/id/767506"
        }
      ],
      "release_date": "2025-09-01T06:21:54.614000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-18T13:54:46+00:00",
          "details": "Before applying the update, make sure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 7.4"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:4924"
        },
        {
          "category": "workaround",
          "details": "No mitigation is currently available that meets Red Hat Product Security\u2019s standards for usability, deployment, applicability, or stability.",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 7.4"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat JBoss Enterprise Application Platform 7.4"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "undertow: Undertow MadeYouReset HTTP/2 DDoS Vulnerability"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Ahmet Artu\u00e7"
          ]
        }
      ],
      "cve": "CVE-2025-12543",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "discovery_date": "2025-10-31T06:15:35.424000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2408784"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests.As a result, requests containing malformed or malicious Host headers are processed without rejection, enabling attackers to poison caches, perform internal network scans, or hijack user sessions.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "undertow-core: Undertow HTTP Server Fails to Reject Malformed Host Headers Leading to Potential Cache Poisoning and SSRF",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability has an Important severity because it can be remotely exploited without authentication. However, limited user interaction is required for full impact. It could allow attackers to hijack additional accounts, steal credentials, or gain access to internal systems. The issue stems from improper input validation of HTTP Host headers, leading to serious breaches in confidentiality and integrity.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Enterprise Application Platform 7.4"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-12543"
        },
        {
          "category": "external",
          "summary": "RHBZ#2408784",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2408784"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-12543",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-12543"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-12543",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12543"
        }
      ],
      "release_date": "2026-01-08T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-18T13:54:46+00:00",
          "details": "Before applying the update, make sure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 7.4"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:4924"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use, applicability, or stability.",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 7.4"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 9.6,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L",
            "version": "3.1"
          },
          "products": [
            "Red Hat JBoss Enterprise Application Platform 7.4"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "undertow-core: Undertow HTTP Server Fails to Reject Malformed Host Headers Leading to Potential Cache Poisoning and SSRF"
    },
    {
      "cve": "CVE-2025-48913",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "discovery_date": "2025-08-08T10:00:54.007824+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2387221"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in org.apache.cxf/cxf, where untrusted users can configure JMS to allow the specification of RMI or LDAP URLs, possibly leading to code execution. This vulnerability allows an attacker to provide malicious protocol URLs during JMS configuration.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "org.apache.cxf/cxf: CXF JMS Code Execution Vulnerability",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This flaw should be considered Important because the impact goes beyond a simple denial of service or configuration misuse. By allowing untrusted users to configure JMS with RMI or LDAP URLs, attackers could achieve remote code execution by loading attacker-controlled classes or objects. Although this requires the precondition that the attacker has access to JMS configuration, in many enterprise deployments this may be exposed through integration layers or misconfigured permissions, making the attack surface broader than a purely local or limited-scope scenario.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Enterprise Application Platform 7.4"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-48913"
        },
        {
          "category": "external",
          "summary": "RHBZ#2387221",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2387221"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-48913",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-48913"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-48913",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48913"
        },
        {
          "category": "external",
          "summary": "https://lists.apache.org/thread/f1nv488ztc0js4g5ml2v88mzkzslyh83",
          "url": "https://lists.apache.org/thread/f1nv488ztc0js4g5ml2v88mzkzslyh83"
        }
      ],
      "release_date": "2025-08-08T09:21:22.208000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-18T13:54:46+00:00",
          "details": "Before applying the update, make sure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 7.4"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:4924"
        },
        {
          "category": "workaround",
          "details": "To reduce risk, deployments should restrict the allowed protocols in JMS configuration to trusted and expected values only. In particular, disallow the use of rmi:// and ldap:// URLs, which could be abused for remote class loading and code execution.",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 7.4"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
            "version": "3.1"
          },
          "products": [
            "Red Hat JBoss Enterprise Application Platform 7.4"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "org.apache.cxf/cxf: CXF JMS Code Execution Vulnerability"
    },
    {
      "cve": "CVE-2025-52999",
      "cwe": {
        "id": "CWE-121",
        "name": "Stack-based Buffer Overflow"
      },
      "discovery_date": "2025-06-25T18:00:54.693716+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2374804"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A nested data handling flaw was found in Jackson Core. When parsing particularly deeply nested data structures, a StackoverflowError can occur.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "com.fasterxml.jackson.core/jackson-core: jackson-core Potential StackoverflowError",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Enterprise Application Platform 7.4"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-52999"
        },
        {
          "category": "external",
          "summary": "RHBZ#2374804",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2374804"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-52999",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-52999"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-52999",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52999"
        },
        {
          "category": "external",
          "summary": "https://github.com/FasterXML/jackson-core/pull/943",
          "url": "https://github.com/FasterXML/jackson-core/pull/943"
        },
        {
          "category": "external",
          "summary": "https://github.com/FasterXML/jackson-core/security/advisories/GHSA-h46c-h94j-95f3",
          "url": "https://github.com/FasterXML/jackson-core/security/advisories/GHSA-h46c-h94j-95f3"
        }
      ],
      "release_date": "2025-06-25T17:02:57.428000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-18T13:54:46+00:00",
          "details": "Before applying the update, make sure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 7.4"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:4924"
        },
        {
          "category": "workaround",
          "details": "To mitigate this vulnerability, the recommendation is to avoid parsing input files from untrusted sources that may have excessively deep nested data structures; anything with a depth over 1000.",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 7.4"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat JBoss Enterprise Application Platform 7.4"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "com.fasterxml.jackson.core/jackson-core: jackson-core Potential StackoverflowError"
    },
    {
      "cve": "CVE-2025-55163",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2025-08-13T15:01:55.372237+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2388252"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Netty where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the \"MadeYouReset\" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "netty: netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability is rated with an Important severity. It is simple to exploit because it does not require authentication and could result in a denial of service (DoS). While some DoS flaws are classified as Moderate, \u201cMadeYouReset\u201d is Important because of the limited barriers (no specialized tooling or advanced scripting) to exploitation, which directly impacts service availability. The vulnerability arises from an implementation weakness in HTTP/2 stream reset handling \u2014 malformed client requests can trigger server-side resets without incrementing abuse counters, allowing an attacker to bypass built-in request throttling and overhead limits. Since these resets consume CPU and memory resources and can be generated at scale over a single TCP/TLS connection, a remote attacker could exhaust server capacity quickly, impacting all legitimate clients.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Enterprise Application Platform 7.4"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-55163"
        },
        {
          "category": "external",
          "summary": "RHBZ#2388252",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2388252"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-55163",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-55163"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-55163",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-55163"
        },
        {
          "category": "external",
          "summary": "https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4",
          "url": "https://github.com/netty/netty/security/advisories/GHSA-prj3-ccx8-p6x4"
        },
        {
          "category": "external",
          "summary": "https://kb.cert.org/vuls/id/767506",
          "url": "https://kb.cert.org/vuls/id/767506"
        }
      ],
      "release_date": "2025-08-13T14:17:36.111000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-18T13:54:46+00:00",
          "details": "Before applying the update, make sure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 7.4"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:4924"
        },
        {
          "category": "workaround",
          "details": "No mitigation is currently available that meets Red Hat Product Security\u2019s standards for usability, deployment, applicability, or stability.",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 7.4"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat JBoss Enterprise Application Platform 7.4"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "netty: netty-codec-http2: Netty MadeYouReset HTTP/2 DDoS Vulnerability"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Christiaan Swiers"
          ],
          "organization": "YouGina"
        },
        {
          "names": [
            "Tommy Williams"
          ],
          "organization": "HeroDevs"
        }
      ],
      "cve": "CVE-2026-0603",
      "cwe": {
        "id": "CWE-89",
        "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
      },
      "discovery_date": "2026-01-05T13:12:29.816000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2427147"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Hibernate. A remote attacker with low privileges could exploit a second-order SQL injection vulnerability by providing specially crafted, unsanitized non-alphanumeric characters in the ID column when the InlineIdsOrClauseBuilder is used. This could lead to sensitive information disclosure, such as reading system files, and allow for data manipulation or deletion within the application\u0027s database, resulting in an application level denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "org.hibernate/hibernate-core: Hibernate: Information disclosure and data deletion via second-order SQL injection",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability is rated Important for Red Hat products as it allows a remote attacker with low privileges to perform second-order SQL injection in applications using Hibernate\u0027s InlineIdsOrClauseBuilder with unsanitized non-alphanumeric characters in the ID column. This could lead to sensitive information disclosure and data manipulation or deletion.Affected Hibernate ORM versions are 5.2.8 through 5.6.15 (inclusive); earlier versions are not affected.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Enterprise Application Platform 7.4"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-0603"
        },
        {
          "category": "external",
          "summary": "RHBZ#2427147",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2427147"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-0603",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-0603"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-0603",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0603"
        }
      ],
      "release_date": "2026-01-19T10:10:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-18T13:54:46+00:00",
          "details": "Before applying the update, make sure all previously released errata relevant to your system have been applied. Also, back up your existing installation, including all applications, configuration files, databases and database settings. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 7.4"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:4924"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 7.4"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
            "version": "3.1"
          },
          "products": [
            "Red Hat JBoss Enterprise Application Platform 7.4"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "org.hibernate/hibernate-core: Hibernate: Information disclosure and data deletion via second-order SQL injection"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.