The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2019:2936 advisory.

  - undertow: Information leak in requests for directories without trailing slashes (CVE-2019-10184)

  - codehaus: incomplete fix for unsafe deserialization in jackson-databind vulnerabilities (CVE-2019-10202)

  - undertow: DEBUG log for io.undertow.request.security if enabled leaks credentials to log files     (CVE-2019-10212)

  - jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server.
    (CVE-2019-12086)

  - jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to     remote code execution (CVE-2019-12384)

  - jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server via     crafted JSON message. (CVE-2019-12814)

  - jackson-databind: default typing mishandling leading to remote code execution (CVE-2019-14379)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

RHEL 7 : Red Hat JBoss Enterprise Application Platform 7.2.4 on RHEL 7 (RHSA-2019:2936)

critical Nessus Plugin ID 129517

Version 1.6

Version 1.5

Version 1.6 Apr 28, 2024, 3:17 AM Detection (updated detection logic) Plugin metadata Reference Plugin Feed: 202404280317
Version 1.5 Apr 22, 2024, 1:40 PM Exploit attributes ("Exploitability ease" changed from "No known exploits are available" to "Exploits are available") Exploit attributes ("Exploit available" set to "True") CVSSv2 score source (set to "CVE-2019-14379") CVSS temporal metrics ("CVSSv3 temporal vector" set to "CVSS:3.0/E:P/RL:O/RC:C") CVSS temporal metrics ("CVSSv2 temporal vector" set to "CVSS2#E:POC/RL:OF/RC:C") Plugin Feed: 202404221340