RHSA-2020:3192HighCVSS 9.0

Red Hat Security Advisory: Red Hat Fuse 7.7.0 release and security update

Published
July 28, 2020
Last Modified
June 27, 2026

🔗 CVE IDs covered (49)

📋 Description

CVE-2016-4970 — netty: Infinite loop vulnerability when handling renegotiation using SslProvider.OpenSsl CVE-2018-3831 — elasticsearch: Information exposure via _cluster/settings API CVE-2018-11797 — pdfbox: unbounded computation in parser resulting in a denial of service CVE-2018-12541 — vertx: WebSocket HTTP upgrade implementation holds the entire http request in memory before the handshake CVE-2018-1000632 — dom4j: XML Injection in Class: Element. Methods: addElement, addAttribute which can impact the integrity of XML documents CVE-2019-0231 — mina-core: Retaining an open socket in close_notify SSL-TLS leading to Information disclosure. CVE-2019-3797 — spring-data-jpa: Additional information exposure with Spring Data JPA derived queries CVE-2019-9511 — HTTP/2: large amount of data requests leads to denial of service CVE-2019-9827 — hawtio: server side request forgery via initial /proxy/ substring of a URI CVE-2019-10086 — apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default CVE-2019-10172 — jackson-mapper-asl: XML external entity similar to CVE-2016-3720 CVE-2019-12086 — jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server. CVE-2019-12400 — xml-security: Apache Santuario potentially loads XML parsing code from an untrusted source CVE-2019-12419 — cxf: OpenId Connect token service does not properly validate the clientId CVE-2019-14540 — jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig CVE-2019-14888 — undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS CVE-2019-14892 — jackson-databind: Serialization gadgets in classes of the commons-configuration package CVE-2019-14893 — jackson-databind: Serialization gadgets in classes of the xalan package CVE-2019-16335 — jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariDataSource CVE-2019-16942 — jackson-databind: Serialization gadgets in org.apache.commons.dbcp.datasources.* CVE-2019-16943 — jackson-databind: Serialization gadgets in com.p6spy.engine.spy.P6DataSource CVE-2019-17267 — jackson-databind: Serialization gadgets in classes of the ehcache package CVE-2019-17531 — jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.* CVE-2019-17573 — cxf: reflected XSS in the services listing page CVE-2019-20330 — jackson-databind: lacks certain net.sf.ehcache blocking CVE-2019-20444 — netty: HTTP request smuggling CVE-2019-20445 — netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header CVE-2020-1745 — undertow: AJP File Read/Inclusion Vulnerability CVE-2020-1757 — undertow: servletPath is normalized incorrectly leading to dangerous application mapping which could result in security bypass CVE-2020-1953 — apache-commons-configuration: uncontrolled class instantiation when loading YAML files CVE-2020-7238 — netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling CVE-2020-8840 — jackson-databind: Lacks certain xbean-reflect/JNDI blocking CVE-2020-9546 — jackson-databind: Serialization gadgets in shaded-hikari-config CVE-2020-9547 — jackson-databind: Serialization gadgets in ibatis-sqlmap CVE-2020-9548 — jackson-databind: Serialization gadgets in anteros-core CVE-2020-10672 — jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution CVE-2020-10673 — jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution CVE-2020-10687 — Undertow: Incomplete fix for CVE-2017-2666 due to permitting invalid characters in HTTP requests CVE-2020-10968 — jackson-databind: Serialization gadgets in org.aoju.bus.proxy.provider.*.RmiProvider CVE-2020-10969 — jackson-databind: Serialization gadgets in javax.swing.JEditorPane CVE-2020-11111 — jackson-databind: Serialization gadgets in org.apache.activemq.jms.pool.XaPooledConnectionFactory CVE-2020-11112 — jackson-databind: Serialization gadgets in org.apache.commons.proxy.provider.remoting.RmiProvider CVE-2020-11113 — jackson-databind: Serialization gadgets in org.apache.openjpa.ee.WASRegistryManagedRuntime CVE-2020-11619 — jackson-databind: Serialization gadgets in org.springframework:spring-aop CVE-2020-11620 — jackson-databind: Serialization gadgets in commons-jelly:commons-jelly CVE-2020-14060 — jackson-databind: serialization in oadd.org.apache.xalan.lib.sql.JNDIConnectionPool CVE-2020-14061 — jackson-databind: serialization in weblogic/oracle-aqjms CVE-2020-14062 — jackson-databind: serialization in com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool CVE-2020-14195 — jackson-databind: serialization in org.jsecurity.realm.jndi.JndiRealmFactory

🔗 References (52)