RHSA-2022:5532HighCVSS 9.8

Red Hat Security Advisory: Red Hat Fuse 7.11.0 release and security update

Published
July 7, 2022
Last Modified
June 26, 2026

🔗 CVE IDs covered (58)

📋 Description

CVE-2020-7020 — elasticsearch: not properly preserving security permissions when executing complex queries may lead to information disclosure CVE-2020-9484 — tomcat: deserialization flaw in session persistence storage leading to RCE CVE-2020-15250 — junit4: TemporaryFolder is shared between all users across system which could result in information disclosure CVE-2020-25689 — wildfly-core: memory leak in WildFly host-controller in domain mode while not able to reconnect to domain-controller CVE-2020-29582 — kotlin: vulnerable Java API was used for temporary file and folder creation which could result in information disclosure CVE-2020-36518 — jackson-databind: denial of service via a large depth of nested objects CVE-2021-2471 — mysql-connector-java: unauthorized access to critical CVE-2021-3629 — undertow: potential security issue in flow control over HTTP/2 may lead to DOS CVE-2021-3642 — wildfly-elytron: possible timing attack in ScramServer CVE-2021-3644 — wildfly-core: Invalid Sensitivity Classification of Vault Expression CVE-2021-3807 — nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes CVE-2021-3859 — undertow: client side invocation timeout raised when calling over HTTP2 CVE-2021-4178 — kubernetes-client: Insecure deserialization in unmarshalYaml method CVE-2021-22060 — springframework: Additional Log Injection in Spring Framework (follow-up to CVE-2021-22096) CVE-2021-22096 — springframework: malicious input leads to insertion of additional log entries CVE-2021-22119 — spring-security: Denial-of-Service (DoS) attack via initiation of Authorization Request CVE-2021-22569 — protobuf-java: potential DoS in the parsing procedure for binary data CVE-2021-22573 — google-oauth-client: Token signature not verified CVE-2021-24122 — tomcat: Information disclosure when using NTFS file system CVE-2021-25122 — tomcat: Request mix-up with h2c CVE-2021-25329 — tomcat: Incomplete fix for CVE-2020-9484 (RCE via session persistence) CVE-2021-29505 — XStream: remote command execution attack by manipulating the processed input stream CVE-2021-30640 — tomcat: JNDI realm authentication weakness CVE-2021-33037 — tomcat: HTTP request smuggling when used with a reverse proxy CVE-2021-33813 — jdom: XXE allows attackers to cause a DoS via a crafted HTTP request CVE-2021-35515 — apache-commons-compress: infinite loop when reading a specially crafted 7Z archive CVE-2021-35516 — apache-commons-compress: excessive memory allocation when reading a specially crafted 7Z archive CVE-2021-35517 — apache-commons-compress: excessive memory allocation when reading a specially crafted TAR archive CVE-2021-36090 — apache-commons-compress: excessive memory allocation when reading a specially crafted ZIP archive CVE-2021-38153 — Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients CVE-2021-40690 — xml-security: XPath Transform abuse allows for information disclosure CVE-2021-41079 — tomcat: Infinite loop while reading an unexpected TLS packet when using OpenSSL JSSE engine CVE-2021-41766 — karaf: insecure java deserialization CVE-2021-42340 — tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could lead to DoS CVE-2021-42550 — logback: remote code execution through JNDI call from within its configuration file CVE-2021-43797 — netty: control chars in header names may lead to HTTP request smuggling CVE-2021-43859 — xstream: Injecting highly recursive collections or maps can cause a DoS CVE-2022-0084 — xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr CVE-2022-1259 — undertow: potential security issue in flow control over HTTP/2 may lead to DOS(incomplete fix for CVE-2021-3629) CVE-2022-1319 — undertow: Double AJP response for 400 from EAP 7 results in CPING failures CVE-2022-21363 — mysql-connector-java: Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors CVE-2022-21724 — jdbc-postgresql: Unchecked Class Instantiation when providing Plugin Classes CVE-2022-22932 — karaf: path traversal flaws CVE-2022-22950 — spring-expression: Denial of service via specially crafted SpEL expression CVE-2022-22968 — Framework: Data Binding Rules Vulnerability CVE-2022-22970 — springframework: DoS via data binding to multipartFile or servlet part CVE-2022-22971 — springframework: DoS with STOMP over WebSocket CVE-2022-22976 — springframework: BCrypt skips salt rounds for work factor of 31 CVE-2022-22978 — springframework: Authorization Bypass in RegexRequestMatcher CVE-2022-23181 — tomcat: local privilege escalation vulnerability CVE-2022-23221 — h2: Loading of custom classes from remote servers through JNDI CVE-2022-23596 — junrar: A carefully crafted RAR archive can trigger an infinite loop while extracting CVE-2022-23913 — artemis-commons: Apache ActiveMQ Artemis DoS CVE-2022-24614 — metadata-extractor: Out-of-memory when reading a specially crafted JPEG file CVE-2022-25845 — fastjson: autoType shutdown restriction bypass leads to deserialization CVE-2022-26336 — poi-scratchpad: A carefully crafted TNEF file can cause an out of memory exception CVE-2022-26520 — postgresql-jdbc: Arbitrary File Write Vulnerability CVE-2022-30126 — tika-core: Regular Expression Denial of Service in standards extractor

🔗 References (63)