Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
This release of Red Hat Fuse 7.12 serves as a replacement for Red Hat Fuse
7.11 and includes bug fixes and enhancements, which are documented in the
Release Notes document linked in the References.
Security Fix(es):
* hazelcast: Hazelcast connection caching (CVE-2022-36437)
* spring-security: Authorization rules can be bypassed via forward or
include dispatcher types in Spring Security (CVE-2022-31692)
* xstream: Denial of Service by injecting recursive collections or maps
based on element's hash values raising a stack overflow (CVE-2022-41966)
* Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds
writing (CVE-2022-42920)
* Apache CXF: SSRF Vulnerability (CVE-2022-46364)
* Undertow: Infinite loop in SslConduit during close (CVE-2023-1108)
* json-smart: Uncontrolled Resource Consumption vulnerability in json-smart
(Resource Exhaustion) (CVE-2023-1370)
* springframework: Security Bypass With Un-Prefixed Double Wildcard Pattern
(CVE-2023-20860)
* spring-boot: Spring Boot Welcome Page DoS Vulnerability (CVE-2023-20883)
* jakarta-commons-httpclient: missing connection hostname check against
X.509 certificate name (CVE-2012-5783)
* apache-httpclient: incorrect handling of malformed authority component in
request URIs (CVE-2020-13956)
* undertow: Server identity in https connection is not checked by the
undertow client (CVE-2022-4492)
* Moment.js: Path traversal in moment.locale (CVE-2022-24785)
* batik: Server-Side Request Forgery (CVE-2022-38398)
* batik: Server-Side Request Forgery (CVE-2022-38648)
* batik: Server-Side Request Forgery (SSRF) vulnerability (CVE-2022-40146)
* batik: Apache XML Graphics Batik vulnerable to code execution via SVG
(CVE-2022-41704)
* dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)
* codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS
(CVE-2022-41881)
* engine.io: Specially crafted HTTP request can trigger an uncaught
exception (CVE-2022-41940)
* postgresql-jdbc: Information leak of prepared statement data due to
insecure temporary file permissions (CVE-2022-41946)
* batik: Untrusted code execution in Apache XML Graphics Batik
(CVE-2022-42890)
* Apache CXF: directory listing / code exfiltration (CVE-2022-46363)
* springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)
* shiro: Authentication bypass through a specially crafted HTTP request
(CVE-2023-22602)
* bouncycastle: potential blind LDAP injection attack using a self-signed
certificate (CVE-2023-33201)
* tomcat: JsonErrorReportValve injection (CVE-2022-45143)
For more details about the security issues, including the impact, CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
References:
https://access.redhat.com/security/cve/CVE-2012-5783
https://access.redhat.com/security/cve/CVE-2020-13956
https://access.redhat.com/security/cve/CVE-2022-4492
https://access.redhat.com/security/cve/CVE-2022-24785
https://access.redhat.com/security/cve/CVE-2022-31692
https://access.redhat.com/security/cve/CVE-2022-36437
https://access.redhat.com/security/cve/CVE-2022-38398
https://access.redhat.com/security/cve/CVE-2022-38648
https://access.redhat.com/security/cve/CVE-2022-40146
https://access.redhat.com/security/cve/CVE-2022-41704
https://access.redhat.com/security/cve/CVE-2022-41854
https://access.redhat.com/security/cve/CVE-2022-41881
https://access.redhat.com/security/cve/CVE-2022-41940
https://access.redhat.com/security/cve/CVE-2022-41946
https://access.redhat.com/security/cve/CVE-2022-41966
https://access.redhat.com/security/cve/CVE-2022-42890
https://access.redhat.com/security/cve/CVE-2022-42920
https://access.redhat.com/security/cve/CVE-2022-45143
https://access.redhat.com/security/cve/CVE-2022-46363
https://access.redhat.com/security/cve/CVE-2022-46364
https://access.redhat.com/security/cve/CVE-2023-1108
https://access.redhat.com/security/cve/CVE-2023-1370
https://access.redhat.com/security/cve/CVE-2023-20860
A minor version update (from 7.11 to 7.12) is now available for Red Hat
Fuse. The purpose of this text-only errata is to inform you about the
security issues fixed in this release.
Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
873317 - CVE-2012-5783 jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name
1886587 - CVE-2020-13956 apache-httpclient: incorrect handling of malformed authority component in request URIs
2072009 - CVE-2022-24785 Moment.js: Path traversal in moment.locale
2142707 - CVE-2022-42920 Apache-Commons-BCEL: arbitrary bytecode produced via out-of-bounds writing
2144970 - CVE-2022-41940 engine.io: Specially crafted HTTP request can trigger an uncaught exception
2151988 - CVE-2022-41854 dev-java/snakeyaml: DoS via stack overflow
2153260 - CVE-2022-4492 undertow: Server identity in https connection is not checked by the undertow client
2153379 - CVE-2022-41881 codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS
2153399 - CVE-2022-41946 postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions
2155291 - CVE-2022-40146 batik: Server-Side Request Forgery (SSRF) vulnerability
2155292 - CVE-2022-38398 batik: Server-Side Request Forgery
2155295 - CVE-2022-38648 batik: Server-Side Request Forgery
2155681 - CVE-2022-46363 Apache CXF: directory listing / code exfiltration
2155682 - CVE-2022-46364 Apache CXF: SSRF Vulnerability
2158695 - CVE-2022-45143 tomcat: JsonErrorReportValve injection
2162053 - CVE-2022-36437 hazelcast: Hazelcast connection caching