RHSA-2020:5568 (Severity: High, CVSS 9.8)

Red Hat Security Advisory: Red Hat Fuse 7.8.0 release and security update

Published
December 16, 2020
Last Modified
May 29, 2026

CVE IDs covered (39)

Description

CVE-2018-1000873 — jackson-modules-java8: DoS due to an Improper Input Validation
CVE-2019-0205 — thrift: Endless loop when fed specific input data
CVE-2019-0210 — thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol
CVE-2019-2692 — mysql-connector-java: privilege escalation in MySQL connector
CVE-2019-3773 — spring-ws: XML External Entity Injection (XXE) when receiving XML data from untrusted sources
CVE-2019-3774 — spring-batch: XML External Entity Injection (XXE) when receiving XML data from untrusted sources
CVE-2019-10202 — codehaus: incomplete fix for unsafe deserialization in jackson-databind vulnerabilities
CVE-2019-10219 — hibernate-validator: safeHTML validator allows XSS
CVE-2019-10768 — AngularJS: Prototype pollution in merge function could result in code injection
CVE-2019-11777 — org.eclipse.paho.client.mqttv3: Improper hostname validation in the MQTT library
CVE-2019-12406 — cxf: does not restrict the number of message attachments
CVE-2019-12423 — cxf: OpenId Connect token service does not properly validate the clientId
CVE-2019-13990 — libquartz: XXE attacks via job description
CVE-2019-14900 — hibernate: SQL injection issue in Hibernate ORM
CVE-2019-17566 — batik: SSRF via "xlink:href"
CVE-2019-17638 — jetty: double release of resource can lead to information disclosure
CVE-2019-19343 — Undertow: Memory Leak in Undertow HttpOpenListener due to holding remoting connections indefinitely
CVE-2020-1714 — keycloak: Lack of checks in ObjectInputStream leading to Remote Code Execution
CVE-2020-1719 — Wildfly: EJBContext principal is not popped back after invoking another EJB using a different Security Domain
CVE-2020-1950 — tika: excessive memory usage in PSDParser
CVE-2020-1960 — apache-flink: JMX information disclosure vulnerability
CVE-2020-5398 — springframework: RFD attack via Content-Disposition Header sourced from request input by Spring MVC or Spring WebFlux Application
CVE-2020-5410 — spring-cloud-config-server: sending a request using a specially crafted URL can lead to a directory traversal attack
CVE-2020-7226 — cryptacular: excessive memory allocation during a decode operation
CVE-2020-7676 — nodejs-angular: XSS due to regex-based HTML replacement
CVE-2020-9488 — log4j: improper validation of certificate with host mismatch in SMTP appender
CVE-2020-9489 — tika-core: Denial of Service Vulnerabilities in Some of Apache Tika's Parsers
CVE-2020-10683 — dom4j: XML External Entity vulnerability in default SAX parser
CVE-2020-10740 — wildfly: unsafe deserialization in Wildfly Enterprise Java Beans
CVE-2020-11612 — netty: compression/decompression codecs don't enforce limits on buffer allocation sizes
CVE-2020-11971 — camel: DNS Rebinding in JMX Connector could result in remote command execution
CVE-2020-11972 — camel: RabbitMQ enables Java deserialization by default which could lead to remote code execution
CVE-2020-11973 — camel: Netty enables Java deserialization by default which could lead to remote code execution
CVE-2020-11980 — karaf: A remote client could create MBeans from arbitrary URLs
CVE-2020-11989 — shiro: spring dynamic controllers, a specially crafted request may cause an authentication bypass
CVE-2020-11994 — camel: server-side template injection and arbitrary file disclosure on templating components
CVE-2020-13692 — postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML
CVE-2020-13933 — shiro: specially crafted HTTP request may cause an authentication bypass
CVE-2020-14326 — RESTEasy: Caching routes in RootNode may result in DoS

References (41)