Red Hat JBoss Enterprise Application Platform 7.x < 7.2.2 Multiple Vulnerabilities

critical Nessus Plugin ID 132312


The remote Red Hat JBoss Enterprise Application Platform installation is affected by multiple vulnerabilities.


The version of Red Hat JBoss Enterprise Application Platform (EAP) installed on the remote host is 7.x prior to 7.2.2. It is therefore, affected my multiple vulnerabilities as referenced in the RHSA-2019:1424 advisory:

- picketlink: reflected XSS in SAMLRequest via RelayState parameter (CVE-2019-3872)

- picketlink: URL injection via xinclude parameter (CVE-2019-3873)

- undertow: leak credentials to log files UndertowLogger.REQUEST_LOGGER.undertowRequestFailed (CVE-2019-3888)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.


Update to Red Hat JBoss Enterprise Application Platform 7.2.2 or later.

See Also

Plugin Details

Severity: Critical

ID: 132312

File Name: jboss_eap_RHSA-2019-1424.nasl

Version: 1.4

Type: local

Agent: unix

Family: CGI abuses

Published: 12/19/2019

Updated: 5/18/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus Agent

Risk Information


Risk Factor: Medium

Score: 6.5


Risk Factor: Medium

Base Score: 6

Temporal Score: 4.4

Vector: CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P

CVSS Score Source: CVE-2019-3873


Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2019-3888

Vulnerability Information

CPE: cpe:/a:redhat:jboss_enterprise_application_platform

Required KB Items: installed_sw/JBoss

Exploit Ease: No known exploits are available

Patch Publication Date: 6/10/2019

Vulnerability Publication Date: 6/10/2019

Reference Information

CVE: CVE-2019-3872, CVE-2019-3873, CVE-2019-3888

BID: 108732, 108738, 108739

RHSA: 2019:1424