Chapter 7. Fixed CVEs
- CVE-2018-7489: jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe deserialization via c3p0 libraries
- CVE-2018-1000632: dom4j: XML injection through the Element.addElement and Element.addAttribute methods, which can compromise the integrity of XML documents
- CVE-2019-9511: undertow: HTTP/2: large amount of data requests leads to denial of service
- CVE-2019-9512: undertow: HTTP/2: flood using PING frames results in unbounded memory growth
- CVE-2019-9514: undertow: HTTP/2: flood using HEADERS frames results in unbounded memory growth
- CVE-2019-9515: undertow: HTTP/2: flood using SETTINGS frames results in unbounded memory growth
- CVE-2019-10219: hibernate-validator: SafeHtml validator allows XSS
- CVE-2019-19343: undertow: memory leak in Undertow HttpOpenListener due to holding remoting connections indefinitely
- CVE-2019-14838: wildfly-core: incorrect privileges for 'Monitor', 'Auditor' and 'Deployer' users by default
- CVE-2019-14885: JBoss EAP: vault system property security attribute value is revealed on CLI 'reload' command
- CVE-2019-16869: netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers
- CVE-2019-16942: jackson-databind: serialization gadgets in classes of the commons-dbcp package
- CVE-2019-16943: jackson-databind: serialization gadgets in classes of the p6spy package