-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Important: Red Hat Fuse 7.8.0 release and security update
Advisory ID:       RHSA-2020:5568-01
Product:           Red Hat JBoss Fuse
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:5568
Issue date:        2020-12-16
CVE Names:         CVE-2018-1000873 CVE-2019-0205 CVE-2019-0210 
                   CVE-2019-2692 CVE-2019-3773 CVE-2019-3774 
                   CVE-2019-10202 CVE-2019-10219 CVE-2019-11777 
                   CVE-2019-12406 CVE-2019-12423 CVE-2019-13990 
                   CVE-2019-14900 CVE-2019-17566 CVE-2019-17638 
                   CVE-2019-19343 CVE-2020-1714 CVE-2020-1719 
                   CVE-2020-1950 CVE-2020-1960 CVE-2020-5398 
                   CVE-2020-7226 CVE-2020-9488 CVE-2020-9489 
                   CVE-2020-10683 CVE-2020-10740 CVE-2020-11612 
                   CVE-2020-11971 CVE-2020-11972 CVE-2020-11973 
                   CVE-2020-11980 CVE-2020-11989 CVE-2020-11994 
                   CVE-2020-13692 CVE-2020-13933 CVE-2020-14326 
====================================================================
1. Summary:

A minor version update (from 7.7 to 7.8) is now available for Red Hat Fuse.
The purpose of this text-only errata is to inform you about the security
issues fixed in this release.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

This release of Red Hat Fuse 7.8.0 serves as a replacement for Red Hat Fuse
7.7, and includes bug fixes and enhancements, which are documented in the
Release Notes document linked to in the References.

Security Fix(es):

* libquartz: XXE attacks via job description (CVE-2019-13990)

* jetty: double release of resource can lead to information disclosure
(CVE-2019-17638)

* keycloak: Lack of checks in ObjectInputStream leading to Remote Code
Execution (CVE-2020-1714)

* springframework: RFD attack via Content-Disposition Header sourced from
request input by Spring MVC or Spring WebFlux Application (CVE-2020-5398)

* wildfly: unsafe deserialization in Wildfly Enterprise Java Beans
(CVE-2020-10740)

* camel: RabbitMQ enables Java deserialization by default which could leed
to remote code execution (CVE-2020-11972)

* camel: Netty enables Java deserialization by default which could leed to
remote code execution (CVE-2020-11973)

* shiro: spring dynamic controllers, a specially crafted request may cause
an authentication bypass (CVE-2020-11989)

* camel: server-side template injection and arbitrary file disclosure on
templating components (CVE-2020-11994)

* postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML
(CVE-2020-13692)

* shiro: specially crafted HTTP request may cause an authentication bypass
(CVE-2020-13933)

* RESTEasy: Caching routes in RootNode may result in DoS (CVE-2020-14326)

* jackson-modules-java8: DoS due to an Improper Input Validation
(CVE-2018-1000873)

* thrift: Endless loop when feed with specific input data (CVE-2019-0205)

* thrift: Out-of-bounds read related to TJSONProtocol or
TSimpleJSONProtocol (CVE-2019-0210)

* mysql-connector-java: privilege escalation in MySQL connector
(CVE-2019-2692)

* spring-ws: XML External Entity Injection (XXE) when receiving XML data
from untrusted sources (CVE-2019-3773)

* spring-batch: XML External Entity Injection (XXE) when receiving XML data
from untrusted sources (CVE-2019-3774)

* codehaus: incomplete fix for unsafe deserialization in jackson-databind
vulnerabilities (CVE-2019-10202)

* hibernate-validator: safeHTML validator allows XSS (CVE-2019-10219)

* org.eclipse.paho.client.mqttv3: Improper hostname validation in the MQTT
library (CVE-2019-11777)

* cxf: does not restrict the number of message attachments (CVE-2019-12406)

* cxf: OpenId Connect token service does not properly validate the clientId
(CVE-2019-12423)

* hibernate: SQL injection issue in Hibernate ORM (CVE-2019-14900)

* batik: SSRF via "xlink:href" (CVE-2019-17566)

* Undertow: Memory Leak in Undertow HttpOpenListener due to holding
remoting connections indefinitely (CVE-2019-19343)

* Wildfly: EJBContext principal is not popped back after invoking another
EJB using a different Security Domain (CVE-2020-1719)

* apache-flink: JMX information disclosure vulnerability (CVE-2020-1960)

* cryptacular: excessive memory allocation during a decode operation
(CVE-2020-7226)

* tika-core: Denial of Service Vulnerabilities in Some of Apache Tika's
Parsers (CVE-2020-9489)

* dom4j: XML External Entity vulnerability in default SAX parser
(CVE-2020-10683)

* netty: compression/decompression codecs don't enforce limits on buffer
allocation sizes (CVE-2020-11612)

* camel: DNS Rebinding in JMX Connector could result in remote command
execution (CVE-2020-11971)

* karaf: A remote client could create MBeans from arbitrary URLs
(CVE-2020-11980)

* tika: excessive memory usage in PSDParser (CVE-2020-1950)

* log4j: improper validation of certificate with host mismatch in SMTP
appender (CVE-2020-9488)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.

Installation instructions are available from the Fuse 7.8.0 product
documentation page:
https://access.redhat.com/documentation/en-us/red_hat_fuse/7.8/

4. Bugs fixed (https://bugzilla.redhat.com/):

1665601 - CVE-2018-1000873 jackson-modules-java8: DoS due to an Improper Input Validation
1666499 - CVE-2019-14900 hibernate: SQL injection issue in Hibernate ORM
1670593 - CVE-2019-3773 spring-ws: XML External Entity Injection (XXE) when receiving XML data from untrusted sources
1670597 - CVE-2019-3774 spring-batch: XML External Entity Injection (XXE) when receiving XML data from untrusted sources
1694235 - CVE-2020-10683 dom4j: XML External Entity vulnerability in default SAX parser
1703402 - CVE-2019-2692 mysql-connector-java: privilege escalation in MySQL connector
1705975 - CVE-2020-1714 keycloak: Lack of checks in ObjectInputStream leading to Remote Code Execution
1731271 - CVE-2019-10202 codehaus: incomplete fix for unsafe deserialization in jackson-databind vulnerabilities
1738673 - CVE-2019-10219 hibernate-validator: safeHTML validator allows XSS
1764607 - CVE-2019-0210 thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol
1764612 - CVE-2019-0205 thrift: Endless loop when feed with specific input data
1780445 - CVE-2019-19343 Undertow: Memory Leak in Undertow HttpOpenListener due to holding remoting connections indefinitely
1796617 - CVE-2020-1719 Wildfly: EJBContext principal is not popped back after invoking another EJB using a different Security Domain
1797006 - CVE-2019-12423 cxf: OpenId Connect token service does not properly validate the clientId
1799475 - CVE-2020-5398 springframework: RFD attack via Content-Disposition Header sourced from request input by Spring MVC or Spring WebFlux Application
1801149 - CVE-2019-13990 libquartz: XXE attacks via job description
1801380 - CVE-2020-7226 cryptacular: excessive memory allocation during a decode operation
1816170 - CVE-2019-12406 cxf: does not restrict the number of message attachments
1816216 - CVE-2020-11612 netty: compression/decompression codecs don't enforce limits on buffer allocation sizes
1822759 - CVE-2020-1950 tika: excessive memory usage in PSDParser
1831139 - CVE-2020-9488 log4j: improper validation of certificate with host mismatch in SMTP appender
1834512 - CVE-2020-10740 wildfly: unsafe deserialization in Wildfly Enterprise Java Beans
1848126 - CVE-2020-1960 apache-flink: JMX information disclosure vulnerability
1848433 - CVE-2020-11971 camel: DNS Rebinding in JMX Connector could result in remote command execution
1848464 - CVE-2020-11972 camel: RabbitMQ enables Java deserialization by default which could leed to remote code execution
1848465 - CVE-2020-11973 camel: Netty enables Java deserialization by default which could leed to remote code execution
1848617 - CVE-2019-17566 batik: SSRF via "xlink:href"
1850042 - CVE-2020-9489 tika-core: Denial of Service Vulnerabilities in Some of Apache Tika's Parsers1850069 - CVE-2020-11989 shiro: spring dynamic controllers, a specially crafted request may cause an authentication bypass
1850450 - CVE-2020-11980 karaf: A remote client could create MBeans from arbitrary URLs
1852985 - CVE-2020-13692 postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML
1855786 - CVE-2020-11994 camel: server-side template injection and arbitrary file disclosure on templating components
1855826 - CVE-2020-14326 RESTEasy: Caching routes in RootNode may result in DoS
1864680 - CVE-2019-17638 jetty: double release of resource can lead to information disclosure
1869860 - CVE-2020-13933 shiro: specially crafted HTTP request may cause an authentication bypass
1879743 - CVE-2019-11777 org.eclipse.paho.client.mqttv3: Improper hostname validation in the MQTT library

5. References:

https://access.redhat.com/security/cve/CVE-2018-1000873
https://access.redhat.com/security/cve/CVE-2019-0205
https://access.redhat.com/security/cve/CVE-2019-0210
https://access.redhat.com/security/cve/CVE-2019-2692
https://access.redhat.com/security/cve/CVE-2019-3773
https://access.redhat.com/security/cve/CVE-2019-3774
https://access.redhat.com/security/cve/CVE-2019-10202
https://access.redhat.com/security/cve/CVE-2019-10219
https://access.redhat.com/security/cve/CVE-2019-11777
https://access.redhat.com/security/cve/CVE-2019-12406
https://access.redhat.com/security/cve/CVE-2019-12423
https://access.redhat.com/security/cve/CVE-2019-13990
https://access.redhat.com/security/cve/CVE-2019-14900
https://access.redhat.com/security/cve/CVE-2019-17566
https://access.redhat.com/security/cve/CVE-2019-17638
https://access.redhat.com/security/cve/CVE-2019-19343
https://access.redhat.com/security/cve/CVE-2020-1714
https://access.redhat.com/security/cve/CVE-2020-1719
https://access.redhat.com/security/cve/CVE-2020-1950
https://access.redhat.com/security/cve/CVE-2020-1960
https://access.redhat.com/security/cve/CVE-2020-5398
https://access.redhat.com/security/cve/CVE-2020-7226
https://access.redhat.com/security/cve/CVE-2020-9488
https://access.redhat.com/security/cve/CVE-2020-9489
https://access.redhat.com/security/cve/CVE-2020-10683
https://access.redhat.com/security/cve/CVE-2020-10740
https://access.redhat.com/security/cve/CVE-2020-11612
https://access.redhat.com/security/cve/CVE-2020-11971
https://access.redhat.com/security/cve/CVE-2020-11972
https://access.redhat.com/security/cve/CVE-2020-11973
https://access.redhat.com/security/cve/CVE-2020-11980
https://access.redhat.com/security/cve/CVE-2020-11989
https://access.redhat.com/security/cve/CVE-2020-11994
https://access.redhat.com/security/cve/CVE-2020-13692
https://access.redhat.com/security/cve/CVE-2020-13933
https://access.redhat.com/security/cve/CVE-2020-14326
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.fuse&version=7.8.0
https://access.redhat.com/documentation/en-us/red_hat_fuse/7.8/

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBX9n5stzjgjWX9erEAQhLEA/+P1hIAPgSOz6uLDvvZvm73qyxbuISD92X
kJ158V+IX64dMlCuUCfFFKiuRCsDzhCSi52P4m8q06OskS1QndEmjfSixER/pG8X
YJKatVpbxbVE3V2U/wRRfrG/j18UhwNatS3VouvdKOXwQewWb0TaGwGJ9wdZLDMd
7owlOwqQ1dOh2AMS3NWAeNBSzQtfk0GUb61+V1WRdCBs/PII1roRJyZEGEBsIZtg
z66CncAjMwL7zj/ZRYK7ogWL20HwMgCQ3oAHo1ENM5k6o7scqRArhMKPthdtF88y
AwqPo8ocQCE5JB66tbUie6ze2sYPgBflWSJ0zEv3suyUbzLyO2d1utzyXn24ffYN
0F1gY0YFsLiNRZPfdtGx+cPB5dlBOnnJUOTXA1e87CXohPRKqWuqQaxChGQY8CiH
ZiWg2U/NLuBgg7SkL1Vm9Fqfe06roAfDQLL4nnd8BcRkmhNWG7KL2ve2fRDbfqKT
RH9x3XbHhD0cfvTFaEj0qVojsSCjVrE+SeJdluDY21kf0OxspVDMffQ0WD2cNVFh
PgaQJt4ItTfkanw7cKs1GNH4WjMmpuAfe2lzR3JBLlkSvf7iqiPVIrIY+NAOHYG0
Mtx6d3mbwr91KjGg3lXOoM+tTFjOiCZMr/k7WIt3VllJpBP18cbAXeGtEmpMg+jA
f8t2frnd7kM=jGVK
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2020-5568:01 Important: Red Hat Fuse 7.8.0 release and

A minor version update (from 7.7 to 7.8) is now available for Red Hat Fuse

Summary

This release of Red Hat Fuse 7.8.0 serves as a replacement for Red Hat Fuse 7.7, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* libquartz: XXE attacks via job description (CVE-2019-13990)
* jetty: double release of resource can lead to information disclosure (CVE-2019-17638)
* keycloak: Lack of checks in ObjectInputStream leading to Remote Code Execution (CVE-2020-1714)
* springframework: RFD attack via Content-Disposition Header sourced from request input by Spring MVC or Spring WebFlux Application (CVE-2020-5398)
* wildfly: unsafe deserialization in Wildfly Enterprise Java Beans (CVE-2020-10740)
* camel: RabbitMQ enables Java deserialization by default which could leed to remote code execution (CVE-2020-11972)
* camel: Netty enables Java deserialization by default which could leed to remote code execution (CVE-2020-11973)
* shiro: spring dynamic controllers, a specially crafted request may cause an authentication bypass (CVE-2020-11989)
* camel: server-side template injection and arbitrary file disclosure on templating components (CVE-2020-11994)
* postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML (CVE-2020-13692)
* shiro: specially crafted HTTP request may cause an authentication bypass (CVE-2020-13933)
* RESTEasy: Caching routes in RootNode may result in DoS (CVE-2020-14326)
* jackson-modules-java8: DoS due to an Improper Input Validation (CVE-2018-1000873)
* thrift: Endless loop when feed with specific input data (CVE-2019-0205)
* thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol (CVE-2019-0210)
* mysql-connector-java: privilege escalation in MySQL connector (CVE-2019-2692)
* spring-ws: XML External Entity Injection (XXE) when receiving XML data from untrusted sources (CVE-2019-3773)
* spring-batch: XML External Entity Injection (XXE) when receiving XML data from untrusted sources (CVE-2019-3774)
* codehaus: incomplete fix for unsafe deserialization in jackson-databind vulnerabilities (CVE-2019-10202)
* hibernate-validator: safeHTML validator allows XSS (CVE-2019-10219)
* org.eclipse.paho.client.mqttv3: Improper hostname validation in the MQTT library (CVE-2019-11777)
* cxf: does not restrict the number of message attachments (CVE-2019-12406)
* cxf: OpenId Connect token service does not properly validate the clientId (CVE-2019-12423)
* hibernate: SQL injection issue in Hibernate ORM (CVE-2019-14900)
* batik: SSRF via "xlink:href" (CVE-2019-17566)
* Undertow: Memory Leak in Undertow HttpOpenListener due to holding remoting connections indefinitely (CVE-2019-19343)
* Wildfly: EJBContext principal is not popped back after invoking another EJB using a different Security Domain (CVE-2020-1719)
* apache-flink: JMX information disclosure vulnerability (CVE-2020-1960)
* cryptacular: excessive memory allocation during a decode operation (CVE-2020-7226)
* tika-core: Denial of Service Vulnerabilities in Some of Apache Tika's Parsers (CVE-2020-9489)
* dom4j: XML External Entity vulnerability in default SAX parser (CVE-2020-10683)
* netty: compression/decompression codecs don't enforce limits on buffer allocation sizes (CVE-2020-11612)
* camel: DNS Rebinding in JMX Connector could result in remote command execution (CVE-2020-11971)
* karaf: A remote client could create MBeans from arbitrary URLs (CVE-2020-11980)
* tika: excessive memory usage in PSDParser (CVE-2020-1950)
* log4j: improper validation of certificate with host mismatch in SMTP appender (CVE-2020-9488)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.



Summary


Solution

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
Installation instructions are available from the Fuse 7.8.0 product documentation page: https://access.redhat.com/documentation/en-us/red_hat_fuse/7.8/

References

https://access.redhat.com/security/cve/CVE-2018-1000873 https://access.redhat.com/security/cve/CVE-2019-0205 https://access.redhat.com/security/cve/CVE-2019-0210 https://access.redhat.com/security/cve/CVE-2019-2692 https://access.redhat.com/security/cve/CVE-2019-3773 https://access.redhat.com/security/cve/CVE-2019-3774 https://access.redhat.com/security/cve/CVE-2019-10202 https://access.redhat.com/security/cve/CVE-2019-10219 https://access.redhat.com/security/cve/CVE-2019-11777 https://access.redhat.com/security/cve/CVE-2019-12406 https://access.redhat.com/security/cve/CVE-2019-12423 https://access.redhat.com/security/cve/CVE-2019-13990 https://access.redhat.com/security/cve/CVE-2019-14900 https://access.redhat.com/security/cve/CVE-2019-17566 https://access.redhat.com/security/cve/CVE-2019-17638 https://access.redhat.com/security/cve/CVE-2019-19343 https://access.redhat.com/security/cve/CVE-2020-1714 https://access.redhat.com/security/cve/CVE-2020-1719 https://access.redhat.com/security/cve/CVE-2020-1950 https://access.redhat.com/security/cve/CVE-2020-1960 https://access.redhat.com/security/cve/CVE-2020-5398 https://access.redhat.com/security/cve/CVE-2020-7226 https://access.redhat.com/security/cve/CVE-2020-9488 https://access.redhat.com/security/cve/CVE-2020-9489 https://access.redhat.com/security/cve/CVE-2020-10683 https://access.redhat.com/security/cve/CVE-2020-10740 https://access.redhat.com/security/cve/CVE-2020-11612 https://access.redhat.com/security/cve/CVE-2020-11971 https://access.redhat.com/security/cve/CVE-2020-11972 https://access.redhat.com/security/cve/CVE-2020-11973 https://access.redhat.com/security/cve/CVE-2020-11980 https://access.redhat.com/security/cve/CVE-2020-11989 https://access.redhat.com/security/cve/CVE-2020-11994 https://access.redhat.com/security/cve/CVE-2020-13692 https://access.redhat.com/security/cve/CVE-2020-13933 https://access.redhat.com/security/cve/CVE-2020-14326 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.fuse&version=7.8.0 https://access.redhat.com/documentation/en-us/red_hat_fuse/7.8/

Package List


Severity
Advisory ID: RHSA-2020:5568-01
Product: Red Hat JBoss Fuse
Advisory URL: https://access.redhat.com/errata/RHSA-2020:5568
Issued Date: : 2020-12-16
CVE Names: CVE-2018-1000873 CVE-2019-0205 CVE-2019-0210 CVE-2019-2692 CVE-2019-3773 CVE-2019-3774 CVE-2019-10202 CVE-2019-10219 CVE-2019-11777 CVE-2019-12406 CVE-2019-12423 CVE-2019-13990 CVE-2019-14900 CVE-2019-17566 CVE-2019-17638 CVE-2019-19343 CVE-2020-1714 CVE-2020-1719 CVE-2020-1950 CVE-2020-1960 CVE-2020-5398 CVE-2020-7226 CVE-2020-9488 CVE-2020-9489 CVE-2020-10683 CVE-2020-10740 CVE-2020-11612 CVE-2020-11971 CVE-2020-11972 CVE-2020-11973 CVE-2020-11980 CVE-2020-11989 CVE-2020-11994 CVE-2020-13692 CVE-2020-13933 CVE-2020-14326

Topic

A minor version update (from 7.7 to 7.8) is now available for Red Hat Fuse.The purpose of this text-only errata is to inform you about the securityissues fixed in this release.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.


Topic


 

Relevant Releases Architectures


Bugs Fixed

1665601 - CVE-2018-1000873 jackson-modules-java8: DoS due to an Improper Input Validation

1666499 - CVE-2019-14900 hibernate: SQL injection issue in Hibernate ORM

1670593 - CVE-2019-3773 spring-ws: XML External Entity Injection (XXE) when receiving XML data from untrusted sources

1670597 - CVE-2019-3774 spring-batch: XML External Entity Injection (XXE) when receiving XML data from untrusted sources

1694235 - CVE-2020-10683 dom4j: XML External Entity vulnerability in default SAX parser

1703402 - CVE-2019-2692 mysql-connector-java: privilege escalation in MySQL connector

1705975 - CVE-2020-1714 keycloak: Lack of checks in ObjectInputStream leading to Remote Code Execution

1731271 - CVE-2019-10202 codehaus: incomplete fix for unsafe deserialization in jackson-databind vulnerabilities

1738673 - CVE-2019-10219 hibernate-validator: safeHTML validator allows XSS

1764607 - CVE-2019-0210 thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol

1764612 - CVE-2019-0205 thrift: Endless loop when feed with specific input data

1780445 - CVE-2019-19343 Undertow: Memory Leak in Undertow HttpOpenListener due to holding remoting connections indefinitely

1796617 - CVE-2020-1719 Wildfly: EJBContext principal is not popped back after invoking another EJB using a different Security Domain

1797006 - CVE-2019-12423 cxf: OpenId Connect token service does not properly validate the clientId

1799475 - CVE-2020-5398 springframework: RFD attack via Content-Disposition Header sourced from request input by Spring MVC or Spring WebFlux Application

1801149 - CVE-2019-13990 libquartz: XXE attacks via job description

1801380 - CVE-2020-7226 cryptacular: excessive memory allocation during a decode operation

1816170 - CVE-2019-12406 cxf: does not restrict the number of message attachments

1816216 - CVE-2020-11612 netty: compression/decompression codecs don't enforce limits on buffer allocation sizes

1822759 - CVE-2020-1950 tika: excessive memory usage in PSDParser

1831139 - CVE-2020-9488 log4j: improper validation of certificate with host mismatch in SMTP appender

1834512 - CVE-2020-10740 wildfly: unsafe deserialization in Wildfly Enterprise Java Beans

1848126 - CVE-2020-1960 apache-flink: JMX information disclosure vulnerability

1848433 - CVE-2020-11971 camel: DNS Rebinding in JMX Connector could result in remote command execution

1848464 - CVE-2020-11972 camel: RabbitMQ enables Java deserialization by default which could leed to remote code execution

1848465 - CVE-2020-11973 camel: Netty enables Java deserialization by default which could leed to remote code execution

1848617 - CVE-2019-17566 batik: SSRF via "xlink:href"

1850042 - CVE-2020-9489 tika-core: Denial of Service Vulnerabilities in Some of Apache Tika's Parsers1850069 - CVE-2020-11989 shiro: spring dynamic controllers, a specially crafted request may cause an authentication bypass

1850450 - CVE-2020-11980 karaf: A remote client could create MBeans from arbitrary URLs

1852985 - CVE-2020-13692 postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML

1855786 - CVE-2020-11994 camel: server-side template injection and arbitrary file disclosure on templating components

1855826 - CVE-2020-14326 RESTEasy: Caching routes in RootNode may result in DoS

1864680 - CVE-2019-17638 jetty: double release of resource can lead to information disclosure

1869860 - CVE-2020-13933 shiro: specially crafted HTTP request may cause an authentication bypass

1879743 - CVE-2019-11777 org.eclipse.paho.client.mqttv3: Improper hostname validation in the MQTT library


Related News

5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
11.Locks IsometricPattern Esm H320
2 - 3 min read
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
28.Lock Globe Esm H320
1 - 2 min read
A resurgence of cyberattacks targeting Linux systems in Asian campaigns through the utilization of the Pupy Remote Access Trojan (RAT) has been
27.Tablet Connections Blocks Lock Esm H320
2 - 4 min read
Canonical has recently announced the Beta release of Ubuntu Linux 24.04 LTS , codenamed "Noble Numbat." This release aims to continue Ubuntu's
21.Globe RadiatingCode Esm H320
2 - 3 min read
The open-source movement has come a long way, from its origins in the 1960s and 1970s to becoming an integral part of organizations worldwide.
13.Lock StylizedMotherboard Esm H320
2 - 3 min read
The Rust-based Edera project demonstrates a unique approach to container security that addresses cloud-native computing challenges. Let's examine
8.Locks HexConnections CodeGlobe Esm H320
2 - 3 min read
Canonical has launched Ubuntu Pro for Devices , a comprehensive offering emphasizing security and compliance for IoT device deployments. This
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved