The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:2060 advisory.

    This release of Red Hat JBoss Enterprise Application Platform 7.2.8 serves as a replacement for Red Hat     JBoss Enterprise Application Platform 7.2.7, and includes bug fixes and enhancements. See the Red Hat     JBoss Enterprise Application Platform 7.2.8 Release Notes for information about the most significant bug     fixes and enhancements included in this release.

    Security Fix(es):

    * cxf: reflected XSS in the services listing page (CVE-2019-17573)

    * smallrye-config: SmallRye: SecuritySupport class is incorrectly public and contains a static method to     access the current threads context class loader (CVE-2020-1729)

    * jackson-databind: XML external entity similar to CVE-2016-3720 (CVE-2019-10172)

    * wildfly: Soteria: security identity corruption across concurrent threads (CVE-2020-1732)

    * undertow: AJP File Read/Inclusion Vulnerability (CVE-2020-1745)

    * cryptacular: excessive memory allocation during a decode operation (CVE-2020-7226)

    * cxf-core: cxf: OpenId Connect token service does not properly validate the clientId (CVE-2019-12423)

    * undertow: servletPath in normalized incorrectly leading to dangerous application mapping which could     result in security bypass (CVE-2020-1757)

    * wildfly: EJBContext principal is not popped back after invoking another EJB using a different Security     Domain (CVE-2020-1719)

    * undertow: invalid HTTP request with large chunk size (CVE-2020-10719)

    * undertow: Memory exhaustion issue in HttpReadListener via Expect:
    100-continue header (CVE-2020-10705)

    For more details about the security issue(s), including the impact, a CVSS score, and other related     information, see the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

RHEL 8 : Red Hat JBoss Enterprise Application Platform 7.2.8 on RHEL 8 (RHSA-2020:2060)

critical Nessus Plugin ID 136495

Version 1.13

Version 1.12

Version 1.11

Version 1.10

Version 1.9

Version 1.13 Nov 7, 2024, 5:39 AM CVSS metrics ("Cvssv4 score" set to 0.0) CVSSv2 severity (based on None, severity decreased from "High" to "Low") Plugin metadata Plugin Feed: 202411070539
Version 1.12 Jun 4, 2024, 9:37 PM Detection (updated detection logic) Plugin metadata Reference Plugin Feed: 202406042137
Version 1.11 Mar 12, 2024, 7:00 PM Exploit attributes ("Exploit available" set to "True". "Exploitability ease" changed from "No known exploits are available" to "Exploits are available") CVSS temporal metrics ("CVSSv2 temporal vector" set to "CVSS2#E:POC/RL:OF/RC:C". "CVSSv3 temporal vector" set to "CVSS:3.0/E:P/RL:O/RC:C") Plugin Feed: 202403121900
Version 1.10 Jan 23, 2023, 7:12 PM Logic Changes (Added support for repository relative URLs) Plugin Feed: 202301231912
Version 1.9 Dec 6, 2022, 1:01 AM Reference Plugin Feed: 202212060101