RedHat: RHSA-2021-3140:01 Moderate: Red Hat Fuse 7.9.0 release and ...

Advisories

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Fuse 7.9.0 release and security update
Advisory ID:       RHSA-2021:3140-01
Product:           Red Hat JBoss Fuse
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:3140
Issue date:        2021-08-11
CVE Names:         CVE-2017-5645 CVE-2017-18640 CVE-2019-12402 
                   CVE-2019-14887 CVE-2019-16869 CVE-2019-20445 
                   CVE-2020-1695 CVE-2020-1925 CVE-2020-1935 
                   CVE-2020-1938 CVE-2020-5410 CVE-2020-5421 
                   CVE-2020-6950 CVE-2020-9484 CVE-2020-10688 
                   CVE-2020-10693 CVE-2020-10714 CVE-2020-10719 
                   CVE-2020-11996 CVE-2020-13920 CVE-2020-13934 
                   CVE-2020-13935 CVE-2020-13936 CVE-2020-13954 
                   CVE-2020-13956 CVE-2020-14040 CVE-2020-14297 
                   CVE-2020-14338 CVE-2020-14340 CVE-2020-17510 
                   CVE-2020-17518 CVE-2020-25633 CVE-2020-25638 
                   CVE-2020-25640 CVE-2020-25644 CVE-2020-26258 
                   CVE-2020-26945 CVE-2020-27216 CVE-2020-28052 
                   CVE-2021-27807 CVE-2021-27906 CVE-2021-28165 
=====================================================================

1. Summary:

A minor version update (from 7.8 to 7.9) is now available for Red Hat Fuse.
The purpose of this text-only errata is to inform you about the security
issues fixed in this release.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

This release of Red Hat Fuse 7.9.0 serves as a replacement for Red Hat Fuse
7.8, and includes bug fixes and enhancements, which are documented in the
Release Notes document linked to in the References.

Security Fix(es):

* hawtio-osgi (CVE-2017-5645)

* prometheus-jmx-exporter: snakeyaml (CVE-2017-18640)

* apache-commons-compress (CVE-2019-12402)

* karaf-transaction-manager-narayana: netty (CVE-2019-16869,
CVE-2019-20445)

* tomcat (CVE-2020-1935, CVE-2020-1938, CVE-2020-9484, CVE-2020-13934,
CVE-2020-13935, CVE-2020-11996)

* spring-cloud-config-server (CVE-2020-5410)

* velocity (CVE-2020-13936)

* httpclient: apache-httpclient (CVE-2020-13956)

* shiro-core: shiro (CVE-2020-17510)

* hibernate-core (CVE-2020-25638)

* wildfly-openssl (CVE-2020-25644)

* jetty (CVE-2020-27216, CVE-2021-28165)

* bouncycastle (CVE-2020-28052)

* wildfly (CVE-2019-14887, CVE-2020-25640)

* resteasy-jaxrs: resteasy (CVE-2020-1695)

* camel-olingo4 (CVE-2020-1925)

* springframework (CVE-2020-5421)

* jsf-impl: Mojarra (CVE-2020-6950)

* resteasy (CVE-2020-10688)

* hibernate-validator (CVE-2020-10693)

* wildfly-elytron (CVE-2020-10714)

* undertow (CVE-2020-10719)

* activemq (CVE-2020-13920)

* cxf-core: cxf (CVE-2020-13954)

* fuse-apicurito-operator-container: golang.org/x/text (CVE-2020-14040)

* jboss-ejb-client: wildfly (CVE-2020-14297)

* xercesimpl: wildfly (CVE-2020-14338)

* xnio (CVE-2020-14340)

* flink: apache-flink (CVE-2020-17518)

* resteasy-client (CVE-2020-25633)

* xstream (CVE-2020-26258)

* mybatis (CVE-2020-26945)

* pdfbox (CVE-2021-27807, CVE-2021-27906)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.

Installation instructions are available from the Fuse 7.9.0 product
documentation page:
https://access.redhat.com/documentation/en-us/red_hat_fuse/7.9/

4. Bugs fixed (https://bugzilla.redhat.com/):

1443635 - CVE-2017-5645 log4j: Socket receiver deserialization vulnerability
1730462 - CVE-2020-1695 resteasy: Improper validation of response header in MediaTypeHeaderDelegate.java class
1758619 - CVE-2019-16869 netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers
1764640 - CVE-2019-12402 apache-commons-compress: Infinite loop in name encoding algorithm
1772008 - CVE-2019-14887 wildfly: The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use
1785376 - CVE-2017-18640 snakeyaml: Billion laughs attack via alias feature
1790309 - CVE-2020-1925 olingo-odata: Server side request forgery in AsyncResponseWrapperImpl
1798509 - CVE-2019-20445 netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header
1805006 - CVE-2020-6950 Mojarra: Path traversal via either the loc parameter or the con parameter, incomplete fix of CVE-2018-14371
1805501 - CVE-2020-10693 hibernate-validator: Improper input validation in the interpolation of constraint error messages
1806398 - CVE-2020-1938 tomcat: Apache Tomcat AJP File Read/Inclusion Vulnerability
1806835 - CVE-2020-1935 tomcat: Mishandling of Transfer-Encoding header allows for HTTP request smuggling
1814974 - CVE-2020-10688 RESTEasy: RESTEASY003870 exception in RESTEasy can lead to a reflected XSS attack
1825714 - CVE-2020-10714 wildfly-elytron: session fixation when using FORM authentication
1828459 - CVE-2020-10719 undertow: invalid HTTP request with large chunk size
1838332 - CVE-2020-9484 tomcat: deserialization flaw in session persistence storage leading to RCE
1845626 - CVE-2020-5410 spring-cloud-config-server: sending a request using a specially crafted URL can lead to a directory traversal attack
1851420 - CVE-2020-11996 tomcat: specially crafted sequence of HTTP/2 requests can lead to DoS
1853595 - CVE-2020-14297 wildfly: Some EJB transaction objects may get accumulated causing Denial of Service
1853652 - CVE-2020-14040 golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash
1857024 - CVE-2020-13935 tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS
1857040 - CVE-2020-13934 tomcat: OutOfMemoryException caused by HTTP/2 connection leak could lead to DoS
1860054 - CVE-2020-14338 wildfly: XML validation manipulation due to incomplete application of use-grammar-pool-only in xercesImpl
1860218 - CVE-2020-14340 xnio: file descriptor leak caused by growing amounts of NIO Selector file handles may lead to DoS
1879042 - CVE-2020-25633 resteasy-client: potential sensitive information leakage in JAX-RS RESTEasy Client's WebApplicationException handling
1880101 - CVE-2020-13920 activemq: improper authentication allows MITM attack
1881158 - CVE-2020-5421 springframework: RFD protection bypass via jsessionid
1881353 - CVE-2020-25638 hibernate-core: SQL injection vulnerability when both hibernate.use_sql_comments and JPQL String literals are used
1881637 - CVE-2020-25640 wildfly: resource adapter logs plaintext JMS password at warning level on connection error
1885485 - CVE-2020-25644 wildfly-openssl: memory leak per HTTP session creation in WildFly OpenSSL
1886587 - CVE-2020-13956 apache-httpclient: incorrect handling of malformed authority component in request URIs
1887257 - CVE-2020-26945 mybatis: mishandles deserialization of object streams which could result in remote code execution
1891132 - CVE-2020-27216 jetty: local temporary directory hijacking vulnerability
1898235 - CVE-2020-13954 cxf: XSS via the styleSheetPath
1903727 - CVE-2020-17510 shiro: specially crafted HTTP request may cause an authentication bypass
1908832 - CVE-2020-26258 XStream: Server-Side Forgery Request vulnerability can be activated when unmarshalling
1912881 - CVE-2020-28052 bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility possible
1913312 - CVE-2020-17518 apache-flink: directory traversal attack allows remote file writing through the REST API
1937440 - CVE-2020-13936 velocity: arbitrary code execution when attacker is able to modify templates
1941050 - CVE-2021-27906 pdfbox: OutOfMemory-Exception while loading a crafted PDF file
1941055 - CVE-2021-27807 pdfbox: infinite loop while loading a crafted PDF file
1945714 - CVE-2021-28165 jetty: Resource exhaustion when receiving an invalid large TLS frame

5. References:

https://access.redhat.com/security/cve/CVE-2017-5645
https://access.redhat.com/security/cve/CVE-2017-18640
https://access.redhat.com/security/cve/CVE-2019-12402
https://access.redhat.com/security/cve/CVE-2019-14887
https://access.redhat.com/security/cve/CVE-2019-16869
https://access.redhat.com/security/cve/CVE-2019-20445
https://access.redhat.com/security/cve/CVE-2020-1695
https://access.redhat.com/security/cve/CVE-2020-1925
https://access.redhat.com/security/cve/CVE-2020-1935
https://access.redhat.com/security/cve/CVE-2020-1938
https://access.redhat.com/security/cve/CVE-2020-5410
https://access.redhat.com/security/cve/CVE-2020-5421
https://access.redhat.com/security/cve/CVE-2020-6950
https://access.redhat.com/security/cve/CVE-2020-9484
https://access.redhat.com/security/cve/CVE-2020-10688
https://access.redhat.com/security/cve/CVE-2020-10693
https://access.redhat.com/security/cve/CVE-2020-10714
https://access.redhat.com/security/cve/CVE-2020-10719
https://access.redhat.com/security/cve/CVE-2020-11996
https://access.redhat.com/security/cve/CVE-2020-13920
https://access.redhat.com/security/cve/CVE-2020-13934
https://access.redhat.com/security/cve/CVE-2020-13935
https://access.redhat.com/security/cve/CVE-2020-13936
https://access.redhat.com/security/cve/CVE-2020-13954
https://access.redhat.com/security/cve/CVE-2020-13956
https://access.redhat.com/security/cve/CVE-2020-14040
https://access.redhat.com/security/cve/CVE-2020-14297
https://access.redhat.com/security/cve/CVE-2020-14338
https://access.redhat.com/security/cve/CVE-2020-14340
https://access.redhat.com/security/cve/CVE-2020-17510
https://access.redhat.com/security/cve/CVE-2020-17518
https://access.redhat.com/security/cve/CVE-2020-25633
https://access.redhat.com/security/cve/CVE-2020-25638
https://access.redhat.com/security/cve/CVE-2020-25640
https://access.redhat.com/security/cve/CVE-2020-25644
https://access.redhat.com/security/cve/CVE-2020-26258
https://access.redhat.com/security/cve/CVE-2020-26945
https://access.redhat.com/security/cve/CVE-2020-27216
https://access.redhat.com/security/cve/CVE-2020-28052
https://access.redhat.com/security/cve/CVE-2021-27807
https://access.redhat.com/security/cve/CVE-2021-27906
https://access.redhat.com/security/cve/CVE-2021-28165
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.fuse&version=7.9.0
https://access.redhat.com/documentation/en-us/red_hat_fuse/7.9/

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYRQVh9zjgjWX9erEAQjAxg/+O0wRNyDejQCX7SWv2Lvo5YZVE9Azv+hd
pWFbtNu1cruoiUWY2vqArIH8KmZXWYS/EDQCe4PfIB0wKZfx9dS7y19Ct4swE4Y2
3L0DRVp9YLoqZC3ndVIk3W+RSLEODc5S3IAi6twXlmiZlAwPJXDvcs7aeUAPGc0m
93Y3lZofrpaEnyEVdoUsz0M47mQQYxNJ1nPF9FuUDsOXUqiu18JS9DsuyWwONyKw
dPCxfHf3ioI+ymsYjoO+fIcu3dR6lGryvsEFY3dnXePiLlp5NBrRW359K6EQGM/e
f1PsXzVYrWMikmxpGaOM7KkoLPAcvtznd4G62ZGUODyAEUKLderr9M7zG88Eg2gG
Ycw5D4UkJ+QZB/qHlQJHLrrzuPybGBXSdl2VLTF/m7YZSE9C2yW1ZatyahhdEP3T
+MmzU6mnbuPCrYjwL/AgCGx3ap52+2eL5HvDzf7+5plY6MVpHZQb2iiIj6H58P6g
ffxr6dGJdDtw5ovzls0Gor4sb69KJ+3xrRLg2C7cndd+3RJc8SCiCRUV9QE2IHTb
H3cDXlNbYcqzDxQZNUUO13+GOEgXQLrIJokA3zNXzzYFr2tivmiWF6rKrJ6UnECl
86tpZfh4vcosv3nN6Cg9VAizrMm/84B4L3T4jm/mrN4SGg3CSJqa03r7ig3+oHFX
H9jzBVxbmuk=
=jp7z
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2021-3140:01 Moderate: Red Hat Fuse 7.9.0 release and security

A minor version update (from 7.8 to 7.9) is now available for Red Hat Fuse

Summary

This release of Red Hat Fuse 7.9.0 serves as a replacement for Red Hat Fuse 7.8, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
* hawtio-osgi (CVE-2017-5645)
* prometheus-jmx-exporter: snakeyaml (CVE-2017-18640)
* apache-commons-compress (CVE-2019-12402)
* karaf-transaction-manager-narayana: netty (CVE-2019-16869, CVE-2019-20445)
* tomcat (CVE-2020-1935, CVE-2020-1938, CVE-2020-9484, CVE-2020-13934, CVE-2020-13935, CVE-2020-11996)
* spring-cloud-config-server (CVE-2020-5410)
* velocity (CVE-2020-13936)
* httpclient: apache-httpclient (CVE-2020-13956)
* shiro-core: shiro (CVE-2020-17510)
* hibernate-core (CVE-2020-25638)
* wildfly-openssl (CVE-2020-25644)
* jetty (CVE-2020-27216, CVE-2021-28165)
* bouncycastle (CVE-2020-28052)
* wildfly (CVE-2019-14887, CVE-2020-25640)
* resteasy-jaxrs: resteasy (CVE-2020-1695)
* camel-olingo4 (CVE-2020-1925)
* springframework (CVE-2020-5421)
* jsf-impl: Mojarra (CVE-2020-6950)
* resteasy (CVE-2020-10688)
* hibernate-validator (CVE-2020-10693)
* wildfly-elytron (CVE-2020-10714)
* undertow (CVE-2020-10719)
* activemq (CVE-2020-13920)
* cxf-core: cxf (CVE-2020-13954)
* fuse-apicurito-operator-container: golang.org/x/text (CVE-2020-14040)
* jboss-ejb-client: wildfly (CVE-2020-14297)
* xercesimpl: wildfly (CVE-2020-14338)
* xnio (CVE-2020-14340)
* flink: apache-flink (CVE-2020-17518)
* resteasy-client (CVE-2020-25633)
* xstream (CVE-2020-26258)
* mybatis (CVE-2020-26945)
* pdfbox (CVE-2021-27807, CVE-2021-27906)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

Before applying the update, back up your existing installation, includingall applications, configuration files, databases and database settings, andso on.Installation instructions are available from the Fuse 7.9.0 productdocumentation page:https://access.redhat.com/documentation/en-us/red_hat_fuse/7.9/

References

https://access.redhat.com/security/cve/CVE-2017-5645 https://access.redhat.com/security/cve/CVE-2017-18640 https://access.redhat.com/security/cve/CVE-2019-12402 https://access.redhat.com/security/cve/CVE-2019-14887 https://access.redhat.com/security/cve/CVE-2019-16869 https://access.redhat.com/security/cve/CVE-2019-20445 https://access.redhat.com/security/cve/CVE-2020-1695 https://access.redhat.com/security/cve/CVE-2020-1925 https://access.redhat.com/security/cve/CVE-2020-1935 https://access.redhat.com/security/cve/CVE-2020-1938 https://access.redhat.com/security/cve/CVE-2020-5410 https://access.redhat.com/security/cve/CVE-2020-5421 https://access.redhat.com/security/cve/CVE-2020-6950 https://access.redhat.com/security/cve/CVE-2020-9484 https://access.redhat.com/security/cve/CVE-2020-10688 https://access.redhat.com/security/cve/CVE-2020-10693 https://access.redhat.com/security/cve/CVE-2020-10714 https://access.redhat.com/security/cve/CVE-2020-10719 https://access.redhat.com/security/cve/CVE-2020-11996 https://access.redhat.com/security/cve/CVE-2020-13920 https://access.redhat.com/security/cve/CVE-2020-13934 https://access.redhat.com/security/cve/CVE-2020-13935 https://access.redhat.com/security/cve/CVE-2020-13936 https://access.redhat.com/security/cve/CVE-2020-13954 https://access.redhat.com/security/cve/CVE-2020-13956 https://access.redhat.com/security/cve/CVE-2020-14040 https://access.redhat.com/security/cve/CVE-2020-14297 https://access.redhat.com/security/cve/CVE-2020-14338 https://access.redhat.com/security/cve/CVE-2020-14340 https://access.redhat.com/security/cve/CVE-2020-17510 https://access.redhat.com/security/cve/CVE-2020-17518 https://access.redhat.com/security/cve/CVE-2020-25633 https://access.redhat.com/security/cve/CVE-2020-25638 https://access.redhat.com/security/cve/CVE-2020-25640 https://access.redhat.com/security/cve/CVE-2020-25644 https://access.redhat.com/security/cve/CVE-2020-26258 https://access.redhat.com/security/cve/CVE-2020-26945 https://access.redhat.com/security/cve/CVE-2020-27216 https://access.redhat.com/security/cve/CVE-2020-28052 https://access.redhat.com/security/cve/CVE-2021-27807 https://access.redhat.com/security/cve/CVE-2021-27906 https://access.redhat.com/security/cve/CVE-2021-28165 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.fuse&version=7.9.0 https://access.redhat.com/documentation/en-us/red_hat_fuse/7.9/

Package List

Severity
Advisory ID: RHSA-2021:3140-01
Product: Red Hat JBoss Fuse
Advisory URL: https://access.redhat.com/errata/RHSA-2021:3140
Issued Date: : 2021-08-11
CVE Names: CVE-2017-5645 CVE-2017-18640 CVE-2019-12402 CVE-2019-14887 CVE-2019-16869 CVE-2019-20445 CVE-2020-1695 CVE-2020-1925 CVE-2020-1935 CVE-2020-1938 CVE-2020-5410 CVE-2020-5421 CVE-2020-6950 CVE-2020-9484 CVE-2020-10688 CVE-2020-10693 CVE-2020-10714 CVE-2020-10719 CVE-2020-11996 CVE-2020-13920 CVE-2020-13934 CVE-2020-13935 CVE-2020-13936 CVE-2020-13954 CVE-2020-13956 CVE-2020-14040 CVE-2020-14297 CVE-2020-14338 CVE-2020-14340 CVE-2020-17510 CVE-2020-17518 CVE-2020-25633 CVE-2020-25638 CVE-2020-25640 CVE-2020-25644 CVE-2020-26258 CVE-2020-26945 CVE-2020-27216 CVE-2020-28052 CVE-2021-27807 CVE-2021-27906 CVE-2021-28165

Topic

A minor version update (from 7.8 to 7.9) is now available for Red Hat Fuse.The purpose of this text-only errata is to inform you about the securityissues fixed in this release.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.

Relevant Releases Architectures

Bugs Fixed

1443635 - CVE-2017-5645 log4j: Socket receiver deserialization vulnerability

1730462 - CVE-2020-1695 resteasy: Improper validation of response header in MediaTypeHeaderDelegate.java class

1758619 - CVE-2019-16869 netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers

1764640 - CVE-2019-12402 apache-commons-compress: Infinite loop in name encoding algorithm

1772008 - CVE-2019-14887 wildfly: The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use

1785376 - CVE-2017-18640 snakeyaml: Billion laughs attack via alias feature

1790309 - CVE-2020-1925 olingo-odata: Server side request forgery in AsyncResponseWrapperImpl

1798509 - CVE-2019-20445 netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header

1805006 - CVE-2020-6950 Mojarra: Path traversal via either the loc parameter or the con parameter, incomplete fix of CVE-2018-14371

1805501 - CVE-2020-10693 hibernate-validator: Improper input validation in the interpolation of constraint error messages

1806398 - CVE-2020-1938 tomcat: Apache Tomcat AJP File Read/Inclusion Vulnerability

1806835 - CVE-2020-1935 tomcat: Mishandling of Transfer-Encoding header allows for HTTP request smuggling

1814974 - CVE-2020-10688 RESTEasy: RESTEASY003870 exception in RESTEasy can lead to a reflected XSS attack

1825714 - CVE-2020-10714 wildfly-elytron: session fixation when using FORM authentication

1828459 - CVE-2020-10719 undertow: invalid HTTP request with large chunk size

1838332 - CVE-2020-9484 tomcat: deserialization flaw in session persistence storage leading to RCE

1845626 - CVE-2020-5410 spring-cloud-config-server: sending a request using a specially crafted URL can lead to a directory traversal attack

1851420 - CVE-2020-11996 tomcat: specially crafted sequence of HTTP/2 requests can lead to DoS

1853595 - CVE-2020-14297 wildfly: Some EJB transaction objects may get accumulated causing Denial of Service

1853652 - CVE-2020-14040 golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash

1857024 - CVE-2020-13935 tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS

1857040 - CVE-2020-13934 tomcat: OutOfMemoryException caused by HTTP/2 connection leak could lead to DoS

1860054 - CVE-2020-14338 wildfly: XML validation manipulation due to incomplete application of use-grammar-pool-only in xercesImpl

1860218 - CVE-2020-14340 xnio: file descriptor leak caused by growing amounts of NIO Selector file handles may lead to DoS

1879042 - CVE-2020-25633 resteasy-client: potential sensitive information leakage in JAX-RS RESTEasy Client's WebApplicationException handling

1880101 - CVE-2020-13920 activemq: improper authentication allows MITM attack

1881158 - CVE-2020-5421 springframework: RFD protection bypass via jsessionid

1881353 - CVE-2020-25638 hibernate-core: SQL injection vulnerability when both hibernate.use_sql_comments and JPQL String literals are used

1881637 - CVE-2020-25640 wildfly: resource adapter logs plaintext JMS password at warning level on connection error

1885485 - CVE-2020-25644 wildfly-openssl: memory leak per HTTP session creation in WildFly OpenSSL

1886587 - CVE-2020-13956 apache-httpclient: incorrect handling of malformed authority component in request URIs

1887257 - CVE-2020-26945 mybatis: mishandles deserialization of object streams which could result in remote code execution

1891132 - CVE-2020-27216 jetty: local temporary directory hijacking vulnerability

1898235 - CVE-2020-13954 cxf: XSS via the styleSheetPath

1903727 - CVE-2020-17510 shiro: specially crafted HTTP request may cause an authentication bypass

1908832 - CVE-2020-26258 XStream: Server-Side Forgery Request vulnerability can be activated when unmarshalling

1912881 - CVE-2020-28052 bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility possible

1913312 - CVE-2020-17518 apache-flink: directory traversal attack allows remote file writing through the REST API

1937440 - CVE-2020-13936 velocity: arbitrary code execution when attacker is able to modify templates

1941050 - CVE-2021-27906 pdfbox: OutOfMemory-Exception while loading a crafted PDF file

1941055 - CVE-2021-27807 pdfbox: infinite loop while loading a crafted PDF file

1945714 - CVE-2021-28165 jetty: Resource exhaustion when receiving an invalid large TLS frame

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.