The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2019:2937 advisory.

  - undertow: Information leak in requests for directories without trailing slashes (CVE-2019-10184)

  - codehaus: incomplete fix for unsafe deserialization in jackson-databind vulnerabilities (CVE-2019-10202)

  - undertow: DEBUG log for io.undertow.request.security if enabled leaks credentials to log files     (CVE-2019-10212)

  - jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server.
    (CVE-2019-12086)

  - jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to     remote code execution (CVE-2019-12384)

  - jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server via     crafted JSON message. (CVE-2019-12814)

  - jackson-databind: default typing mishandling leading to remote code execution (CVE-2019-14379)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

RHEL 8 : Red Hat JBoss Enterprise Application Platform 7.2.4 on RHEL 8 (RHSA-2019:2937)

critical Nessus Plugin ID 129518

Version 1.6

Version 1.5

Version 1.6 Apr 28, 2024, 2:25 PM Detection (updated detection logic) Plugin metadata Reference Plugin Feed: 202404281425
Version 1.5 Apr 22, 2024, 1:40 PM CVSS temporal metrics ("CVSSv2 temporal vector" set to "CVSS2#E:POC/RL:OF/RC:C") CVSSv2 score source (set to "CVE-2019-14379") Exploit attributes ("Exploit available" set to "True") Exploit attributes ("Exploitability ease" changed from "No known exploits are available" to "Exploits are available") CVSS temporal metrics ("CVSSv3 temporal vector" set to "CVSS:3.0/E:P/RL:O/RC:C") Plugin Feed: 202404221340