Redhat Jboss Enterprise Web Server — known CVE vulnerabilities
Every CVE whose affected-product data names Redhat Jboss Enterprise Web Server, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVE-2011-3923 — CVSS 9.8 (critical): Apache Struts before 2.3.1.2 allows remote attackers to bypass security protections in the ParameterInterceptor class and execute arbitrary…
CVE-2015-7501 — CVSS 9.8 (critical): Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise…
CVE-2017-9788 — CVSS 9.1 (critical): In Apache httpd before 2.2.34 and 2.4.x before 2.4.27, the value placeholder in [Proxy-]Authorization headers of type 'Digest' was not…
CVE-2016-5018 — CVSS 9.1 (critical): In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 a malicious web application…
CVE-2016-5387 — CVSS 8.1 (high): The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of…
CVE-2018-1336 — CVSS 7.5 (high): An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a…
CVE-2013-2186 — CVSS 7.5 (high): The DiskFileItem class in Apache Commons FileUpload, as used in Red Hat JBoss BRMS 5.3.1; JBoss Portal 4.3 CP07, 5.2.2, and 6.0.0; and Red…
CVE-2016-6796 — CVSS 7.5 (high): A malicious web application running on Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0…
CVE-2016-6797 — CVSS 7.5 (high): The ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and…
CVE-2020-25710 — CVSS 7.5 (high): A flaw was found in OpenLDAP in versions before 2.4.56. This flaw allows an attacker who sends a malicious packet processed by OpenLDAP to…
CVE-2019-19906 — CVSS 7.5 (high): cyrus-sasl (aka Cyrus SASL) 2.1.27 has an out-of-bounds write leading to unauthenticated remote denial-of-service in OpenLDAP via a…
CVE-2012-5626 — CVSS 7.5 (high): EJB method in Red Hat JBoss BRMS 5; Red Hat JBoss Enterprise Application Platform 5; Red Hat JBoss Operations Network 3.1; Red Hat JBoss…
CVE-2016-2183 — CVSS 7.5 (high): The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of…
CVE-2016-3110 — CVSS 7.5 (high): mod_cluster, as used in Red Hat JBoss Web Server 2.1, allows remote attackers to cause a denial of service (Apache http server crash) via…
CVE-2014-0224 — CVSS 7.4 (high): OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages…
CVE-2017-12613 — CVSS 7.1 (high): When apr_time_exp*() or apr_os_exp_time*() functions are invoked with an invalid month field value in Apache Portable Runtime APR 1.6.2 and…
CVE-2013-1976 — CVSS 6.9 (medium): The (1) tomcat5, (2) tomcat6, and (3) tomcat7 init scripts, as used in the RPM distribution of Tomcat for JBoss Enterprise Web Server 1.0.2…
CVE-2016-0762 — CVSS 5.9 (medium): The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to…
CVE-2018-1304 — CVSS 5.9 (medium): The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to…
CVE-2019-1559 — CVSS 5.9 (medium): If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive…
CVE-2016-6794 — CVSS 5.3 (medium): When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. In…
CVE-2013-5704 — CVSS 5.0 (medium): The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass "RequestHeader unset" directives by placing a…
CVE-2012-0031 — CVSS 4.6 (medium): scoreboard.c in the Apache HTTP Server 2.2.21 and earlier might allow local users to cause a denial of service (daemon crash during…
CVE-2011-3348 — CVSS 4.3 (medium): The mod_proxy_ajp module in the Apache HTTP Server before 2.2.21, when used with mod_proxy_balancer in certain configurations, allows…
CVE-2012-0053 — CVSS 4.3 (medium): protocol.c in the Apache HTTP Server 2.2.x through 2.2.21 does not properly restrict header information during construction of Bad Request…
CVE-2012-2148 — CVSS 3.3 (low): An issue exists in the property replacements feature in any descriptor in JBoxx AS 7.1.1 ignores java security policies