redhat

jboss_enterprise_application_platform_expansion_pack

10 known vulnerabilities · sorted by CVSS score

CVE-2025-12543

A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests.As a result, requests containing malformed or malicious Host headers are processed without rejection, enabling attackers to poison caches, perform internal network scans, or hijack user sessions.

redhat / build_of_apache_camel+11

Network

Published Jan 7, 2026

CVE-2026-3009

HIGH8.1

A security flaw in the IdentityBrokerService.performLogin endpoint of Keycloak allows authentication to proceed using an Identity Provider (IdP) even after it has been disabled by an administrator. An attacker who knows the IdP alias can reuse a previously generated login request to bypass the administrative restriction. This undermines access control enforcement and may allow unauthorized authentication through a disabled external provider.

redhat / build_of_keycloak+5

Network

Published Mar 5, 2026

CVE-2022-0853

HIGH7.5

A flaw was found in JBoss-client. The vulnerability occurs due to a memory leak on the JBoss client-side, when using UserTransaction repeatedly and leads to information leakage vulnerability.

redhat / descision_manager+4

Network

Published Mar 11, 2022

CVE-2023-1108

HIGH7.5

A flaw was found in undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status updated in SslConduit, where the loop never terminates.

redhat / build_of_quarkus+21

Network

Published Sep 14, 2023

CVE-2025-9784

HIGH7.5

A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS).

redhat / build_of_apache_camel_for_spring_boot+9

Network

Published Sep 2, 2025

CVE-2022-1278

HIGH7.5

A flaw was found in WildFly, where an attacker can see deployment names, endpoints, and any other data the trace payload may contain.

redhat / wildfly+7

Network

Published Sep 13, 2022

CVE-2023-4503

MEDIUM6.8

An improper initialization vulnerability was found in Galleon. When using Galleon to provision custom EAP or EAP-XP servers, the servers are created unsecured. This issue could allow an attacker to access remote HTTP services available from the server.

redhat / jboss_enterprise_application_platform+2

Network

Published Feb 6, 2024

CVE-2025-5731

MEDIUM5.5

A flaw was found in Infinispan CLI. A sensitive password, decoded from a Base64-encoded Kubernetes secret, is processed in plaintext and included in a command string that may expose the data in an error message when a command is not found.

redhat / data_grid+4

Local

Published Jun 26, 2025

CVE-2021-3642

MEDIUM5.3

A flaw was found in Wildfly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final where ScramServer may be susceptible to Timing Attack if enabled. The highest threat of this vulnerability is confidentiality.

redhat / wildfly_elytron+14

Network

Published Aug 5, 2021

CVE-2021-20250

MEDIUM4.3

A flaw was found in wildfly. The JBoss EJB client has publicly accessible privileged actions which may lead to information disclosure on the server it is deployed on. The highest threat from this vulnerability is to data confidentiality.

redhat / jboss-ejb-client+1

Network

Published May 13, 2021