VAR-202003-1779
Vulnerability from variot - Updated: 2026-04-10 23:35FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms). FasterXML Jackson is a data processing tool for Java developed by American FasterXML Company. jackson-databind is one of the components with data binding function. A security vulnerability exists in FasterXML jackson-databind 2.x prior to 2.9.10.4 due to insecure deserialization by org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aries.transaction.jms) . A remote attacker could exploit this vulnerability with specially crafted input to execute arbitrary code on the system. Description:
Red Hat Decision Manager is an open source decision management platform that combines business rules management, complex event processing, Decision Model & Notation (DMN) execution, and Business Optimizer for solving planning problems. It automates business decisions and makes that logic available to the entire business. Summary:
This is a security update for JBoss EAP Continuous Delivery 19. The purpose of this text-only errata is to inform you about the security issues fixed in this release.
Security Fix(es):
-
netty (CVE-2016-4970 CVE-2020-7238 CVE-2019-20444 CVE-2019-20445)
-
dom4j (CVE-2018-1000632)
-
elasticsearch (CVE-2018-3831)
-
pdfbox (CVE-2018-11797)
-
vertx (CVE-2018-12541)
-
spring-data-jpa (CVE-2019-3797)
-
mina-core (CVE-2019-0231)
-
jackson-databind (CVE-2019-12086 CVE-2019-16335 CVE-2019-14540 CVE-2019-17267 CVE-2019-14892 CVE-2019-14893 CVE-2019-16942 CVE-2019-16943 CVE-2019-17531 CVE-2019-20330 CVE-2020-10673 CVE-2020-10672 CVE-2020-8840 CVE-2020-9546 CVE-2020-9547 CVE-2020-9548 CVE-2020-10968 CVE-2020-10969 CVE-2020-11111 CVE-2020-11112 CVE-2020-11113 CVE-2020-11620 CVE-2020-11619 CVE-2020-14195 CVE-2020-14060 CVE-2020-14061 CVE-2020-14062)
-
jackson-mapper-asl (CVE-2019-10172)
-
hawtio (CVE-2019-9827)
-
undertow (CVE-2019-9511 CVE-2020-1757 CVE-2019-14888 CVE-2020-1745)
-
santuario (CVE-2019-12400)
-
apache-commons-beanutils (CVE-2019-10086)
-
cxf (CVE-2019-17573)
-
apache-commons-configuration (CVE-2020-1953)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Installation instructions are available from the Fuse 7.7.0 product documentation page: https://access.redhat.com/documentation/en-us/red_hat_fuse/7.7/
- Bugs fixed (https://bugzilla.redhat.com/):
1343616 - CVE-2016-4970 netty: Infinite loop vulnerability when handling renegotiation using SslProvider.OpenSsl 1620529 - CVE-2018-1000632 dom4j: XML Injection in Class: Element. Methods: addElement, addAttribute which can impact the integrity of XML documents 1632452 - CVE-2018-3831 elasticsearch: Information exposure via _cluster/settings API 1637492 - CVE-2018-11797 pdfbox: unbounded computation in parser resulting in a denial of service 1638391 - CVE-2018-12541 vertx: WebSocket HTTP upgrade implementation holds the entire http request in memory before the handshake 1697598 - CVE-2019-3797 spring-data-jpa: Additional information exposure with Spring Data JPA derived queries 1700016 - CVE-2019-0231 mina-core: Retaining an open socket in close_notify SSL-TLS leading to Information disclosure. 1713468 - CVE-2019-12086 jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Important: Red Hat JBoss Enterprise Application Platform 7.3.2 security update Advisory ID: RHSA-2020:3463-01 Product: Red Hat JBoss Enterprise Application Platform Advisory URL: https://access.redhat.com/errata/RHSA-2020:3463 Issue date: 2020-08-17 CVE Names: CVE-2019-14900 CVE-2020-1710 CVE-2020-1748 CVE-2020-10672 CVE-2020-10673 CVE-2020-10683 CVE-2020-10687 CVE-2020-10693 CVE-2020-10714 CVE-2020-10718 CVE-2020-10740 CVE-2020-14297 ==================================================================== 1. Summary:
An update is now available for Red Hat JBoss Enterprise Application Platform 7.3 for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat JBoss EAP 7.3 for BaseOS-8 - noarch
- Description:
Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime.
This release of Red Hat JBoss Enterprise Application Platform 7.3.2 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.3.1 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.3.2 Release Notes for information about the most significant bug fixes and enhancements included in this release.
Security Fix(es):
-
wildfly: exposed setting of TCCL via the EmbeddedManagedProcess API (CVE-2020-10718)
-
dom4j: XML External Entity vulnerability in default SAX parser (CVE-2020-10683)
-
wildfly-elytron: session fixation when using FORM authentication (CVE-2020-10714)
-
wildfly-undertow: Undertow: Incomplete fix for CVE-2017-2666 due to permitting invalid characters in HTTP requests (CVE-2020-10687)
-
jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution (CVE-2020-10673)
-
hibernate-core: hibernate: SQL injection issue in Hibernate ORM (CVE-2019-14900)
-
wildfly: unsafe deserialization in Wildfly Enterprise Java Beans (CVE-2020-10740)
-
jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution (CVE-2020-10672)
-
undertow: EAP: field-name is not parsed in accordance to RFC7230 (CVE-2020-1710)
-
hibernate-validator: Improper input validation in the interpolation of constraint error messages (CVE-2020-10693)
-
wildfly: Improper authorization issue in WildFlySecurityManager when using alternative protection domain (CVE-2020-1748)
-
wildfly: Some EJB transaction objects may get accumulated causing Denial of Service (CVE-2020-14297)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, see the CVE page(s) listed in the References section.
- Solution:
Before applying this update, ensure all previously released errata relevant to your system have been applied.
For details about how to apply this update, see:
https://access.redhat.com/articles/11258
- Bugs fixed (https://bugzilla.redhat.com/):
1666499 - CVE-2019-14900 hibernate: SQL injection issue in Hibernate ORM 1694235 - CVE-2020-10683 dom4j: XML External Entity vulnerability in default SAX parser 1785049 - CVE-2020-10687 Undertow: Incomplete fix for CVE-2017-2666 due to permitting invalid characters in HTTP requests 1793970 - CVE-2020-1710 EAP: field-name is not parsed in accordance to RFC7230 1805501 - CVE-2020-10693 hibernate-validator: Improper input validation in the interpolation of constraint error messages 1807707 - CVE-2020-1748 Wildfly: Improper authorization issue in WildFlySecurityManager when using alternative protection domain 1815470 - CVE-2020-10673 jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution 1815495 - CVE-2020-10672 jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution 1825714 - CVE-2020-10714 wildfly-elytron: session fixation when using FORM authentication 1828476 - CVE-2020-10718 wildfly: exposed setting of TCCL via the EmbeddedManagedProcess API 1834512 - CVE-2020-10740 wildfly: unsafe deserialization in Wildfly Enterprise Java Beans 1853595 - CVE-2020-14297 wildfly: Some EJB transaction objects may get accumulated causing Denial of Service
- JIRA issues fixed (https://issues.jboss.org/):
JBEAP-18793 - GSS Upgrade Hibernate ORM from 5.3.16 to 5.3.17 JBEAP-19095 - GSS Upgrade wildfly-http-client from 1.0.20 to 1.0.21 JBEAP-19134 - (7.3.z) Upgrade HAL from 3.2.8.Final-redhat-00001 to 3.2.9.Final JBEAP-19185 - (7.3.z) Upgrade IronJacamar from 1.4.20.Final to 1.4.22.Final JBEAP-19203 - (7.3.z) WFCORE-4850 - Updating mockserver to 5.9.0. Exclusion of dependency from xom.io7m JBEAP-19205 - (7.3.z) Upgrade WildFly Core from 10.1.5.Final-redhat-00001 to 10.1.x JBEAP-19269 - GSS Upgrade jboss-logmanager from 2.1.14.Final to 2.1.15.Final JBEAP-19322 - (7.3.z) Upgrade XNIO from 3.7.7 to 3.7.8.SP1 JBEAP-19325 - (7.3.z) Upgrade Infinispan from 9.4.18.Final-redhat-00001 to 9.4.19.Final-redhat-00001 JBEAP-19397 - (7.3.z) Upgrade JSF based on Mojarra 2.3.9.SP09-redhat-00001 to 2.3.9.SP11-redhat-00001 JBEAP-19410 - Tracker bug for the EAP 7.3.2 release for RHEL-7 JBEAP-19411 - Tracker bug for the EAP 7.3.2 release for RHEL-8 JBEAP-19529 - (7.3.z) Update PR template to include PR-processor hints. JBEAP-19564 - GSS Upgrade jboss-ejb-client from 4.0.31.Final-redhat-00001 to 4.0.33.Final-redhat-00001 JBEAP-19585 - GSS Upgrade org.jboss.genericjms from 2.0.4 to 2.0.6 JBEAP-19617 - (7.3.z) Upgrade wildfly-naming-client from 1.0.12.Final-redhat-00001 to 1.0.13.Final-redhat-00001 JBEAP-19619 - (7.3.z) Upgrade JBoss JSF API from 3.0.0.SP02-redhat-00001 to 3.0.0.SP04-redhat-00001 JBEAP-19673 - (7.3.z) [WFCORE] Upgrade WildFly Common to 1.5.2.Final JBEAP-19674 - (7.3.z) [WFCORE] Upgrade galleon and wildfly-galleon-plugins from 4.1.2.Final to 4.2.4.Final JBEAP-19874 - GSS Upgrade wildfly-http-client from 1.0.21.Final-redhat-00001 to 1.0.22.Final-redhat-00001
- Package List:
Red Hat JBoss EAP 7.3 for BaseOS-8:
Source: eap7-dom4j-2.1.3-1.redhat_00001.1.el8eap.src.rpm eap7-elytron-web-1.6.2-1.Final_redhat_00001.1.el8eap.src.rpm eap7-glassfish-jsf-2.3.9-11.SP11_redhat_00001.1.el8eap.src.rpm eap7-hal-console-3.2.9-1.Final_redhat_00001.1.el8eap.src.rpm eap7-hibernate-5.3.17-1.Final_redhat_00001.1.el8eap.src.rpm eap7-hibernate-validator-6.0.20-1.Final_redhat_00001.1.el8eap.src.rpm eap7-infinispan-9.4.19-1.Final_redhat_00001.1.el8eap.src.rpm eap7-ironjacamar-1.4.22-1.Final_redhat_00001.1.el8eap.src.rpm eap7-jackson-annotations-2.10.4-1.redhat_00001.1.el8eap.src.rpm eap7-jackson-core-2.10.4-1.redhat_00001.1.el8eap.src.rpm eap7-jackson-databind-2.10.4-1.redhat_00001.1.el8eap.src.rpm eap7-jackson-jaxrs-providers-2.10.4-1.redhat_00001.1.el8eap.src.rpm eap7-jackson-modules-base-2.10.4-1.redhat_00001.1.el8eap.src.rpm eap7-jackson-modules-java8-2.10.4-1.redhat_00001.1.el8eap.src.rpm eap7-jboss-genericjms-2.0.6-1.Final_redhat_00001.1.el8eap.src.rpm eap7-jboss-jsf-api_2.3_spec-3.0.0-4.SP04_redhat_00001.1.el8eap.src.rpm eap7-jboss-logmanager-2.1.15-1.Final_redhat_00001.1.el8eap.src.rpm eap7-jboss-server-migration-1.7.1-7.Final_redhat_00009.1.el8eap.src.rpm eap7-jboss-xnio-base-3.7.8-1.SP1_redhat_00001.1.el8eap.src.rpm eap7-netty-4.1.48-1.Final_redhat_00001.1.el8eap.src.rpm eap7-undertow-2.0.30-4.SP4_redhat_00001.1.el8eap.src.rpm eap7-wildfly-7.3.2-4.GA_redhat_00002.1.el8eap.src.rpm eap7-wildfly-common-1.5.2-1.Final_redhat_00002.1.el8eap.src.rpm eap7-wildfly-elytron-1.10.7-1.Final_redhat_00001.1.el8eap.src.rpm eap7-wildfly-http-client-1.0.22-1.Final_redhat_00001.1.el8eap.src.rpm
noarch: eap7-dom4j-2.1.3-1.redhat_00001.1.el8eap.noarch.rpm eap7-glassfish-jsf-2.3.9-11.SP11_redhat_00001.1.el8eap.noarch.rpm eap7-hal-console-3.2.9-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-hibernate-5.3.17-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-hibernate-core-5.3.17-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-hibernate-entitymanager-5.3.17-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-hibernate-envers-5.3.17-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-hibernate-java8-5.3.17-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-hibernate-validator-6.0.20-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-hibernate-validator-cdi-6.0.20-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-9.4.19-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-cachestore-jdbc-9.4.19-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-cachestore-remote-9.4.19-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-client-hotrod-9.4.19-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-commons-9.4.19-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-core-9.4.19-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-hibernate-cache-commons-9.4.19-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-hibernate-cache-spi-9.4.19-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-infinispan-hibernate-cache-v53-9.4.19-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-1.4.22-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-common-api-1.4.22-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-common-impl-1.4.22-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-common-spi-1.4.22-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-core-api-1.4.22-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-core-impl-1.4.22-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-deployers-common-1.4.22-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-jdbc-1.4.22-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-ironjacamar-validator-1.4.22-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-jackson-annotations-2.10.4-1.redhat_00001.1.el8eap.noarch.rpm eap7-jackson-core-2.10.4-1.redhat_00001.1.el8eap.noarch.rpm eap7-jackson-databind-2.10.4-1.redhat_00001.1.el8eap.noarch.rpm eap7-jackson-datatype-jdk8-2.10.4-1.redhat_00001.1.el8eap.noarch.rpm eap7-jackson-datatype-jsr310-2.10.4-1.redhat_00001.1.el8eap.noarch.rpm eap7-jackson-jaxrs-base-2.10.4-1.redhat_00001.1.el8eap.noarch.rpm eap7-jackson-jaxrs-json-provider-2.10.4-1.redhat_00001.1.el8eap.noarch.rpm eap7-jackson-module-jaxb-annotations-2.10.4-1.redhat_00001.1.el8eap.noarch.rpm eap7-jackson-modules-base-2.10.4-1.redhat_00001.1.el8eap.noarch.rpm eap7-jackson-modules-java8-2.10.4-1.redhat_00001.1.el8eap.noarch.rpm eap7-jboss-genericjms-2.0.6-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-jboss-jsf-api_2.3_spec-3.0.0-4.SP04_redhat_00001.1.el8eap.noarch.rpm eap7-jboss-logmanager-2.1.15-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-jboss-server-migration-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-cli-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-core-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-eap6.4-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-eap6.4-to-eap7.3-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-eap7.0-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-eap7.1-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-eap7.2-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-eap7.2-to-eap7.3-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-eap7.3-server-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly10.0-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly10.1-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly11.0-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly12.0-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly13.0-server-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly14.0-server-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly15.0-server-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly16.0-server-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly17.0-server-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly18.0-server-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly8.2-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-server-migration-wildfly9.0-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm eap7-jboss-xnio-base-3.7.8-1.SP1_redhat_00001.1.el8eap.noarch.rpm eap7-netty-4.1.48-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-netty-all-4.1.48-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-undertow-2.0.30-4.SP4_redhat_00001.1.el8eap.noarch.rpm eap7-undertow-server-1.6.2-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-7.3.2-4.GA_redhat_00002.1.el8eap.noarch.rpm eap7-wildfly-common-1.5.2-1.Final_redhat_00002.1.el8eap.noarch.rpm eap7-wildfly-elytron-1.10.7-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-elytron-tool-1.10.7-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-http-client-common-1.0.22-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-http-ejb-client-1.0.22-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-http-naming-client-1.0.22-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-http-transaction-client-1.0.22-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-wildfly-javadocs-7.3.2-4.GA_redhat_00002.1.el8eap.noarch.rpm eap7-wildfly-modules-7.3.2-4.GA_redhat_00002.1.el8eap.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2019-14900 https://access.redhat.com/security/cve/CVE-2020-1710 https://access.redhat.com/security/cve/CVE-2020-1748 https://access.redhat.com/security/cve/CVE-2020-10672 https://access.redhat.com/security/cve/CVE-2020-10673 https://access.redhat.com/security/cve/CVE-2020-10683 https://access.redhat.com/security/cve/CVE-2020-10687 https://access.redhat.com/security/cve/CVE-2020-10693 https://access.redhat.com/security/cve/CVE-2020-10714 https://access.redhat.com/security/cve/CVE-2020-10718 https://access.redhat.com/security/cve/CVE-2020-10740 https://access.redhat.com/security/cve/CVE-2020-14297 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/ https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/html-single/installation_guide/
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIVAwUBXzqIgdzjgjWX9erEAQhAaw//ceEP1X/GXLqWVwEDOZhjR4akb8iOZC4P H8bYYEtAq7LHOTzfor0D1PsShzOfF6UjhpRYYhaFZN80Fs3cc27Pqk5MnF4qfdAf FnzZ/ze5jlclBPK+eSmGPvYCeuMK9EF+fRETRUOj0rdu3M1CLYUV1LNxOZk48Uen KRWbBEW8BzuYYUf+24ly76siqTZCW5oI+ZsMhuUqyUwxzu61uDL0nMYnOS+WZPL0 xBafLiCZ1xc0pykIuqzqHPy+cvxCqkyXDJ5cOV16jeXhp5lNB0yk0LzQnck/+wKc RJtl/ySiuUUXH/p5FY9tAphgqvA7Plh0SpsvF0/UUsQIeqoZzx2Xr295OFUSOb26 rebOBTDbky9zFWFXtRvnSo4cadQhYgemOkkKuX9NaQemyBRitvIjk0ZOw0cOtXdW 5UecnSYFC5U46VzSNmPosuTkodyA20GJDxFX9v/iRP8wbsG0IpJz/1G1DMSk1+ba oOtpxQxzuCOqhEVubkfgt0BbU4XgbYzBkKnfxfSaNVDpCCi1hCnHPC6gWR//jbP2 qEy5MmbO8Sksn16fDgBTQ/g8YATe6pa7Q5DnIe+l+0thzm8kf3l9TG+YRKjoxtSV FwlVApI2o6Ebse7EPr96Ior5xMirxVML2rKgzQc7cG2s7gXvQ2NVkC0vCGdmGUGc zQFgGc2abfE=qmbe -----END PGP SIGNATURE-----
-- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce .
The References section of this erratum contains a download link (you must log in to download the update).
The JBoss server process must be restarted for the update to take effect
Show details on source website{
"affected_products": {
"_id": null,
"data": [
{
"_id": null,
"model": "communications contacts server",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "8.0.0.4.0"
},
{
"_id": null,
"model": "communications network charging and control",
"scope": "lte",
"trust": 1.0,
"vendor": "oracle",
"version": "12.0.3"
},
{
"_id": null,
"model": "communications session route manager",
"scope": "gte",
"trust": 1.0,
"vendor": "oracle",
"version": "8.2.0"
},
{
"_id": null,
"model": "financial services analytical applications infrastructure",
"scope": "gte",
"trust": 1.0,
"vendor": "oracle",
"version": "8.0.6"
},
{
"_id": null,
"model": "primavera unifier",
"scope": "lte",
"trust": 1.0,
"vendor": "oracle",
"version": "17.12"
},
{
"_id": null,
"model": "primavera unifier",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "16.1"
},
{
"_id": null,
"model": "retail xstore point of service",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "15.0"
},
{
"_id": null,
"model": "financial services analytical applications infrastructure",
"scope": "lte",
"trust": 1.0,
"vendor": "oracle",
"version": "8.1.0"
},
{
"_id": null,
"model": "jd edwards enterpriseone tools",
"scope": "lt",
"trust": 1.0,
"vendor": "oracle",
"version": "9.2.4.2"
},
{
"_id": null,
"model": "communications evolved communications application server",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "7.1"
},
{
"_id": null,
"model": "communications session route manager",
"scope": "lte",
"trust": 1.0,
"vendor": "oracle",
"version": "8.2.2"
},
{
"_id": null,
"model": "retail sales audit",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "14.1"
},
{
"_id": null,
"model": "retail xstore point of service",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "19.0"
},
{
"_id": null,
"model": "retail xstore point of service",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "18.0"
},
{
"_id": null,
"model": "financial services institutional performance analytics",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "8.0.6"
},
{
"_id": null,
"model": "insurance policy administration j2ee",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "11.1.0.15"
},
{
"_id": null,
"model": "banking digital experience",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "18.1"
},
{
"_id": null,
"model": "global lifecycle management opatch",
"scope": "lt",
"trust": 1.0,
"vendor": "oracle",
"version": "12.2.0.1.20"
},
{
"_id": null,
"model": "retail merchandising system",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "15.0"
},
{
"_id": null,
"model": "financial services price creation and discovery",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "8.0.7"
},
{
"_id": null,
"model": "linux",
"scope": "eq",
"trust": 1.0,
"vendor": "debian",
"version": "8.0"
},
{
"_id": null,
"model": "banking platform",
"scope": "lte",
"trust": 1.0,
"vendor": "oracle",
"version": "2.9.0"
},
{
"_id": null,
"model": "banking digital experience",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "20.1"
},
{
"_id": null,
"model": "jackson-databind",
"scope": "lt",
"trust": 1.0,
"vendor": "fasterxml",
"version": "2.9.10.4"
},
{
"_id": null,
"model": "communications session report manager",
"scope": "gte",
"trust": 1.0,
"vendor": "oracle",
"version": "8.2.0"
},
{
"_id": null,
"model": "communications instant messaging server",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "10.0.1.4.0"
},
{
"_id": null,
"model": "banking digital experience",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "18.2"
},
{
"_id": null,
"model": "steelstore cloud integrated storage",
"scope": "eq",
"trust": 1.0,
"vendor": "netapp",
"version": null
},
{
"_id": null,
"model": "communications session report manager",
"scope": "lte",
"trust": 1.0,
"vendor": "oracle",
"version": "8.2.2"
},
{
"_id": null,
"model": "jd edwards enterpriseone orchestrator",
"scope": "lt",
"trust": 1.0,
"vendor": "oracle",
"version": "9.2.4.2"
},
{
"_id": null,
"model": "primavera unifier",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "16.2"
},
{
"_id": null,
"model": "primavera unifier",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "18.8"
},
{
"_id": null,
"model": "retail service backbone",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "15.0"
},
{
"_id": null,
"model": "retail xstore point of service",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "16.0"
},
{
"_id": null,
"model": "enterprise manager base platform",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "13.4.0.0"
},
{
"_id": null,
"model": "communications element manager",
"scope": "gte",
"trust": 1.0,
"vendor": "oracle",
"version": "8.2.0"
},
{
"_id": null,
"model": "financial services institutional performance analytics",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "8.1.0"
},
{
"_id": null,
"model": "communications element manager",
"scope": "lte",
"trust": 1.0,
"vendor": "oracle",
"version": "8.2.2"
},
{
"_id": null,
"model": "insurance policy administration j2ee",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "11.0.2.25"
},
{
"_id": null,
"model": "agile plm",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "9.3.6"
},
{
"_id": null,
"model": "banking digital experience",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "19.2"
},
{
"_id": null,
"model": "communications contacts server",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "8.0.0.5.0"
},
{
"_id": null,
"model": "primavera unifier",
"scope": "gte",
"trust": 1.0,
"vendor": "oracle",
"version": "17.7"
},
{
"_id": null,
"model": "autovue for agile product lifecycle management",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "21.0.2"
},
{
"_id": null,
"model": "weblogic server",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "12.2.1.3.0"
},
{
"_id": null,
"model": "primavera unifier",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "19.12"
},
{
"_id": null,
"model": "retail xstore point of service",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "17.0"
},
{
"_id": null,
"model": "weblogic server",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "12.2.1.4.0"
},
{
"_id": null,
"model": "financial services price creation and discovery",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "8.0.6"
},
{
"_id": null,
"model": "banking digital experience",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "19.1"
},
{
"_id": null,
"model": "communications network charging and control",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "6.0.1"
},
{
"_id": null,
"model": "retail service backbone",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "14.1"
},
{
"_id": null,
"model": "communications diameter signaling router",
"scope": "lte",
"trust": 1.0,
"vendor": "oracle",
"version": "8.2.2"
},
{
"_id": null,
"model": "enterprise manager base platform",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "13.3.0.0"
},
{
"_id": null,
"model": "retail service backbone",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "16.0"
},
{
"_id": null,
"model": "financial services retail customer analytics",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "8.0.6"
},
{
"_id": null,
"model": "financial services institutional performance analytics",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "8.0.7"
},
{
"_id": null,
"model": "communications diameter signaling router",
"scope": "gte",
"trust": 1.0,
"vendor": "oracle",
"version": "8.0.0"
},
{
"_id": null,
"model": "jackson-databind",
"scope": "gte",
"trust": 1.0,
"vendor": "fasterxml",
"version": "2.9.0"
},
{
"_id": null,
"model": "communications calendar server",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "8.0.0.4.0"
},
{
"_id": null,
"model": "banking platform",
"scope": "gte",
"trust": 1.0,
"vendor": "oracle",
"version": "2.4.0"
},
{
"_id": null,
"model": "banking digital experience",
"scope": "eq",
"trust": 1.0,
"vendor": "oracle",
"version": "18.3"
},
{
"_id": null,
"model": "communications network charging and control",
"scope": "gte",
"trust": 1.0,
"vendor": "oracle",
"version": "12.0.0"
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2020-10672"
}
]
},
"credits": {
"_id": null,
"data": "Red Hat",
"sources": [
{
"db": "PACKETSTORM",
"id": "158650"
},
{
"db": "PACKETSTORM",
"id": "157859"
},
{
"db": "PACKETSTORM",
"id": "159083"
},
{
"db": "PACKETSTORM",
"id": "158636"
},
{
"db": "PACKETSTORM",
"id": "158891"
},
{
"db": "PACKETSTORM",
"id": "159080"
},
{
"db": "PACKETSTORM",
"id": "158881"
},
{
"db": "PACKETSTORM",
"id": "159082"
}
],
"trust": 0.8
},
"cve": "CVE-2020-10672",
"cvss": {
"_id": null,
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "CVE-2020-10672",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 1.0,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "VHN-163174",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"author": "nvd@nist.gov",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 2.8,
"id": "CVE-2020-10672",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 2.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2020-10672",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"id": "CVE-2020-10672",
"trust": 1.0,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-163174",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-163174"
},
{
"db": "NVD",
"id": "CVE-2020-10672"
},
{
"db": "NVD",
"id": "CVE-2020-10672"
}
]
},
"description": {
"_id": null,
"data": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms). FasterXML Jackson is a data processing tool for Java developed by American FasterXML Company. jackson-databind is one of the components with data binding function. A security vulnerability exists in FasterXML jackson-databind 2.x prior to 2.9.10.4 due to insecure deserialization by org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aries.transaction.jms) . A remote attacker could exploit this vulnerability with specially crafted input to execute arbitrary code on the system. Description:\n\nRed Hat Decision Manager is an open source decision management platform\nthat combines business rules management, complex event processing, Decision\nModel \u0026 Notation (DMN) execution, and Business Optimizer for solving\nplanning problems. It automates business decisions and makes that logic\navailable to the entire business. Summary:\n\nThis is a security update for JBoss EAP Continuous Delivery 19. \nThe purpose of this text-only errata is to inform you about the security\nissues fixed in this release. \n\nSecurity Fix(es):\n\n* netty (CVE-2016-4970 CVE-2020-7238 CVE-2019-20444 CVE-2019-20445)\n\n* dom4j (CVE-2018-1000632)\n\n* elasticsearch (CVE-2018-3831)\n\n* pdfbox (CVE-2018-11797)\n\n* vertx (CVE-2018-12541)\n\n* spring-data-jpa (CVE-2019-3797)\n\n* mina-core (CVE-2019-0231)\n\n* jackson-databind (CVE-2019-12086 CVE-2019-16335 CVE-2019-14540\nCVE-2019-17267 CVE-2019-14892 CVE-2019-14893 CVE-2019-16942 CVE-2019-16943\nCVE-2019-17531 CVE-2019-20330 CVE-2020-10673 CVE-2020-10672 CVE-2020-8840\nCVE-2020-9546 CVE-2020-9547 CVE-2020-9548 CVE-2020-10968 CVE-2020-10969\nCVE-2020-11111 CVE-2020-11112 CVE-2020-11113 CVE-2020-11620 CVE-2020-11619\nCVE-2020-14195 CVE-2020-14060 CVE-2020-14061 CVE-2020-14062)\n\n* jackson-mapper-asl (CVE-2019-10172)\n\n* hawtio (CVE-2019-9827)\n\n* undertow (CVE-2019-9511 CVE-2020-1757 CVE-2019-14888 CVE-2020-1745)\n\n* santuario (CVE-2019-12400)\n\n* apache-commons-beanutils (CVE-2019-10086)\n\n* cxf (CVE-2019-17573)\n\n* apache-commons-configuration (CVE-2020-1953)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, and other related information, refer to the CVE page(s) listed in\nthe References section. \n\nInstallation instructions are available from the Fuse 7.7.0 product\ndocumentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.7/\n\n4. Bugs fixed (https://bugzilla.redhat.com/):\n\n1343616 - CVE-2016-4970 netty: Infinite loop vulnerability when handling renegotiation using SslProvider.OpenSsl\n1620529 - CVE-2018-1000632 dom4j: XML Injection in Class: Element. Methods: addElement, addAttribute which can impact the integrity of XML documents\n1632452 - CVE-2018-3831 elasticsearch: Information exposure via _cluster/settings API\n1637492 - CVE-2018-11797 pdfbox: unbounded computation in parser resulting in a denial of service\n1638391 - CVE-2018-12541 vertx: WebSocket HTTP upgrade implementation holds the entire http request in memory before the handshake\n1697598 - CVE-2019-3797 spring-data-jpa: Additional information exposure with Spring Data JPA derived queries\n1700016 - CVE-2019-0231 mina-core: Retaining an open socket in close_notify SSL-TLS leading to Information disclosure. \n1713468 - CVE-2019-12086 jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n==================================================================== \nRed Hat Security Advisory\n\nSynopsis: Important: Red Hat JBoss Enterprise Application Platform 7.3.2 security update\nAdvisory ID: RHSA-2020:3463-01\nProduct: Red Hat JBoss Enterprise Application Platform\nAdvisory URL: https://access.redhat.com/errata/RHSA-2020:3463\nIssue date: 2020-08-17\nCVE Names: CVE-2019-14900 CVE-2020-1710 CVE-2020-1748\n CVE-2020-10672 CVE-2020-10673 CVE-2020-10683\n CVE-2020-10687 CVE-2020-10693 CVE-2020-10714\n CVE-2020-10718 CVE-2020-10740 CVE-2020-14297\n====================================================================\n1. Summary:\n\nAn update is now available for Red Hat JBoss Enterprise Application\nPlatform 7.3 for Red Hat Enterprise Linux 8. \n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE link(s) in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat JBoss EAP 7.3 for BaseOS-8 - noarch\n\n3. Description:\n\nRed Hat JBoss Enterprise Application Platform 7 is a platform for Java\napplications based on the WildFly application runtime. \n\nThis release of Red Hat JBoss Enterprise Application Platform 7.3.2 serves\nas a replacement for Red Hat JBoss Enterprise Application Platform 7.3.1\nand includes bug fixes and enhancements. See the Red Hat JBoss Enterprise\nApplication Platform 7.3.2 Release Notes for information about the most\nsignificant bug fixes and enhancements included in this release. \n\nSecurity Fix(es):\n\n* wildfly: exposed setting of TCCL via the EmbeddedManagedProcess API\n(CVE-2020-10718)\n\n* dom4j: XML External Entity vulnerability in default SAX parser\n(CVE-2020-10683)\n\n* wildfly-elytron: session fixation when using FORM authentication\n(CVE-2020-10714)\n\n* wildfly-undertow: Undertow: Incomplete fix for CVE-2017-2666 due to\npermitting invalid characters in HTTP requests (CVE-2020-10687)\n\n* jackson-databind: mishandles the interaction between serialization\ngadgets and typing which could result in remote command execution\n(CVE-2020-10673)\n\n* hibernate-core: hibernate: SQL injection issue in Hibernate ORM\n(CVE-2019-14900)\n\n* wildfly: unsafe deserialization in Wildfly Enterprise Java Beans\n(CVE-2020-10740)\n\n* jackson-databind: mishandles the interaction between serialization\ngadgets and typing which could result in remote command execution\n(CVE-2020-10672)\n\n* undertow: EAP: field-name is not parsed in accordance to RFC7230\n(CVE-2020-1710)\n\n* hibernate-validator: Improper input validation in the interpolation of\nconstraint error messages (CVE-2020-10693)\n\n* wildfly: Improper authorization issue in WildFlySecurityManager when\nusing alternative protection domain (CVE-2020-1748)\n\n* wildfly: Some EJB transaction objects may get accumulated causing Denial\nof Service (CVE-2020-14297)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, and other related information, see the CVE page(s) listed in the\nReferences section. \n\n4. Solution:\n\nBefore applying this update, ensure all previously released errata relevant\nto your system have been applied. \n\nFor details about how to apply this update, see:\n\nhttps://access.redhat.com/articles/11258\n\n5. Bugs fixed (https://bugzilla.redhat.com/):\n\n1666499 - CVE-2019-14900 hibernate: SQL injection issue in Hibernate ORM\n1694235 - CVE-2020-10683 dom4j: XML External Entity vulnerability in default SAX parser\n1785049 - CVE-2020-10687 Undertow: Incomplete fix for CVE-2017-2666 due to permitting invalid characters in HTTP requests\n1793970 - CVE-2020-1710 EAP: field-name is not parsed in accordance to RFC7230\n1805501 - CVE-2020-10693 hibernate-validator: Improper input validation in the interpolation of constraint error messages\n1807707 - CVE-2020-1748 Wildfly: Improper authorization issue in WildFlySecurityManager when using alternative protection domain\n1815470 - CVE-2020-10673 jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution\n1815495 - CVE-2020-10672 jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution\n1825714 - CVE-2020-10714 wildfly-elytron: session fixation when using FORM authentication\n1828476 - CVE-2020-10718 wildfly: exposed setting of TCCL via the EmbeddedManagedProcess API\n1834512 - CVE-2020-10740 wildfly: unsafe deserialization in Wildfly Enterprise Java Beans\n1853595 - CVE-2020-14297 wildfly: Some EJB transaction objects may get accumulated causing Denial of Service\n\n6. JIRA issues fixed (https://issues.jboss.org/):\n\nJBEAP-18793 - [GSS](7.3.z) Upgrade Hibernate ORM from 5.3.16 to 5.3.17\nJBEAP-19095 - [GSS](7.3.z) Upgrade wildfly-http-client from 1.0.20 to 1.0.21\nJBEAP-19134 - (7.3.z) Upgrade HAL from 3.2.8.Final-redhat-00001 to 3.2.9.Final\nJBEAP-19185 - (7.3.z) Upgrade IronJacamar from 1.4.20.Final to 1.4.22.Final\nJBEAP-19203 - (7.3.z) WFCORE-4850 - Updating mockserver to 5.9.0. Exclusion of dependency from xom.io7m\nJBEAP-19205 - (7.3.z) Upgrade WildFly Core from 10.1.5.Final-redhat-00001 to 10.1.x\nJBEAP-19269 - [GSS](7.3.z) Upgrade jboss-logmanager from 2.1.14.Final to 2.1.15.Final\nJBEAP-19322 - (7.3.z) Upgrade XNIO from 3.7.7 to 3.7.8.SP1\nJBEAP-19325 - (7.3.z) Upgrade Infinispan from 9.4.18.Final-redhat-00001 to 9.4.19.Final-redhat-00001\nJBEAP-19397 - (7.3.z) Upgrade JSF based on Mojarra 2.3.9.SP09-redhat-00001 to 2.3.9.SP11-redhat-00001\nJBEAP-19410 - Tracker bug for the EAP 7.3.2 release for RHEL-7\nJBEAP-19411 - Tracker bug for the EAP 7.3.2 release for RHEL-8\nJBEAP-19529 - (7.3.z) Update PR template to include PR-processor hints. \nJBEAP-19564 - [GSS](7.3.z) Upgrade jboss-ejb-client from 4.0.31.Final-redhat-00001 to 4.0.33.Final-redhat-00001\nJBEAP-19585 - [GSS](7.3.z) Upgrade org.jboss.genericjms from 2.0.4 to 2.0.6\nJBEAP-19617 - (7.3.z) Upgrade wildfly-naming-client from 1.0.12.Final-redhat-00001 to 1.0.13.Final-redhat-00001\nJBEAP-19619 - (7.3.z) Upgrade JBoss JSF API from 3.0.0.SP02-redhat-00001 to 3.0.0.SP04-redhat-00001\nJBEAP-19673 - (7.3.z) [WFCORE] Upgrade WildFly Common to 1.5.2.Final\nJBEAP-19674 - (7.3.z) [WFCORE] Upgrade galleon and wildfly-galleon-plugins from 4.1.2.Final to 4.2.4.Final\nJBEAP-19874 - [GSS](7.3.z) Upgrade wildfly-http-client from 1.0.21.Final-redhat-00001 to 1.0.22.Final-redhat-00001\n\n7. Package List:\n\nRed Hat JBoss EAP 7.3 for BaseOS-8:\n\nSource:\neap7-dom4j-2.1.3-1.redhat_00001.1.el8eap.src.rpm\neap7-elytron-web-1.6.2-1.Final_redhat_00001.1.el8eap.src.rpm\neap7-glassfish-jsf-2.3.9-11.SP11_redhat_00001.1.el8eap.src.rpm\neap7-hal-console-3.2.9-1.Final_redhat_00001.1.el8eap.src.rpm\neap7-hibernate-5.3.17-1.Final_redhat_00001.1.el8eap.src.rpm\neap7-hibernate-validator-6.0.20-1.Final_redhat_00001.1.el8eap.src.rpm\neap7-infinispan-9.4.19-1.Final_redhat_00001.1.el8eap.src.rpm\neap7-ironjacamar-1.4.22-1.Final_redhat_00001.1.el8eap.src.rpm\neap7-jackson-annotations-2.10.4-1.redhat_00001.1.el8eap.src.rpm\neap7-jackson-core-2.10.4-1.redhat_00001.1.el8eap.src.rpm\neap7-jackson-databind-2.10.4-1.redhat_00001.1.el8eap.src.rpm\neap7-jackson-jaxrs-providers-2.10.4-1.redhat_00001.1.el8eap.src.rpm\neap7-jackson-modules-base-2.10.4-1.redhat_00001.1.el8eap.src.rpm\neap7-jackson-modules-java8-2.10.4-1.redhat_00001.1.el8eap.src.rpm\neap7-jboss-genericjms-2.0.6-1.Final_redhat_00001.1.el8eap.src.rpm\neap7-jboss-jsf-api_2.3_spec-3.0.0-4.SP04_redhat_00001.1.el8eap.src.rpm\neap7-jboss-logmanager-2.1.15-1.Final_redhat_00001.1.el8eap.src.rpm\neap7-jboss-server-migration-1.7.1-7.Final_redhat_00009.1.el8eap.src.rpm\neap7-jboss-xnio-base-3.7.8-1.SP1_redhat_00001.1.el8eap.src.rpm\neap7-netty-4.1.48-1.Final_redhat_00001.1.el8eap.src.rpm\neap7-undertow-2.0.30-4.SP4_redhat_00001.1.el8eap.src.rpm\neap7-wildfly-7.3.2-4.GA_redhat_00002.1.el8eap.src.rpm\neap7-wildfly-common-1.5.2-1.Final_redhat_00002.1.el8eap.src.rpm\neap7-wildfly-elytron-1.10.7-1.Final_redhat_00001.1.el8eap.src.rpm\neap7-wildfly-http-client-1.0.22-1.Final_redhat_00001.1.el8eap.src.rpm\n\nnoarch:\neap7-dom4j-2.1.3-1.redhat_00001.1.el8eap.noarch.rpm\neap7-glassfish-jsf-2.3.9-11.SP11_redhat_00001.1.el8eap.noarch.rpm\neap7-hal-console-3.2.9-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-hibernate-5.3.17-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-hibernate-core-5.3.17-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-hibernate-entitymanager-5.3.17-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-hibernate-envers-5.3.17-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-hibernate-java8-5.3.17-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-hibernate-validator-6.0.20-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-hibernate-validator-cdi-6.0.20-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-infinispan-9.4.19-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-infinispan-cachestore-jdbc-9.4.19-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-infinispan-cachestore-remote-9.4.19-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-infinispan-client-hotrod-9.4.19-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-infinispan-commons-9.4.19-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-infinispan-core-9.4.19-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-infinispan-hibernate-cache-commons-9.4.19-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-infinispan-hibernate-cache-spi-9.4.19-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-infinispan-hibernate-cache-v53-9.4.19-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-ironjacamar-1.4.22-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-ironjacamar-common-api-1.4.22-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-ironjacamar-common-impl-1.4.22-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-ironjacamar-common-spi-1.4.22-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-ironjacamar-core-api-1.4.22-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-ironjacamar-core-impl-1.4.22-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-ironjacamar-deployers-common-1.4.22-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-ironjacamar-jdbc-1.4.22-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-ironjacamar-validator-1.4.22-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-jackson-annotations-2.10.4-1.redhat_00001.1.el8eap.noarch.rpm\neap7-jackson-core-2.10.4-1.redhat_00001.1.el8eap.noarch.rpm\neap7-jackson-databind-2.10.4-1.redhat_00001.1.el8eap.noarch.rpm\neap7-jackson-datatype-jdk8-2.10.4-1.redhat_00001.1.el8eap.noarch.rpm\neap7-jackson-datatype-jsr310-2.10.4-1.redhat_00001.1.el8eap.noarch.rpm\neap7-jackson-jaxrs-base-2.10.4-1.redhat_00001.1.el8eap.noarch.rpm\neap7-jackson-jaxrs-json-provider-2.10.4-1.redhat_00001.1.el8eap.noarch.rpm\neap7-jackson-module-jaxb-annotations-2.10.4-1.redhat_00001.1.el8eap.noarch.rpm\neap7-jackson-modules-base-2.10.4-1.redhat_00001.1.el8eap.noarch.rpm\neap7-jackson-modules-java8-2.10.4-1.redhat_00001.1.el8eap.noarch.rpm\neap7-jboss-genericjms-2.0.6-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-jboss-jsf-api_2.3_spec-3.0.0-4.SP04_redhat_00001.1.el8eap.noarch.rpm\neap7-jboss-logmanager-2.1.15-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-jboss-server-migration-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm\neap7-jboss-server-migration-cli-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm\neap7-jboss-server-migration-core-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm\neap7-jboss-server-migration-eap6.4-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm\neap7-jboss-server-migration-eap6.4-to-eap7.3-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm\neap7-jboss-server-migration-eap7.0-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm\neap7-jboss-server-migration-eap7.1-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm\neap7-jboss-server-migration-eap7.2-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm\neap7-jboss-server-migration-eap7.2-to-eap7.3-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm\neap7-jboss-server-migration-eap7.3-server-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm\neap7-jboss-server-migration-wildfly10.0-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm\neap7-jboss-server-migration-wildfly10.1-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm\neap7-jboss-server-migration-wildfly11.0-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm\neap7-jboss-server-migration-wildfly12.0-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm\neap7-jboss-server-migration-wildfly13.0-server-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm\neap7-jboss-server-migration-wildfly14.0-server-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm\neap7-jboss-server-migration-wildfly15.0-server-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm\neap7-jboss-server-migration-wildfly16.0-server-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm\neap7-jboss-server-migration-wildfly17.0-server-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm\neap7-jboss-server-migration-wildfly18.0-server-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm\neap7-jboss-server-migration-wildfly8.2-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm\neap7-jboss-server-migration-wildfly9.0-1.7.1-7.Final_redhat_00009.1.el8eap.noarch.rpm\neap7-jboss-xnio-base-3.7.8-1.SP1_redhat_00001.1.el8eap.noarch.rpm\neap7-netty-4.1.48-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-netty-all-4.1.48-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-undertow-2.0.30-4.SP4_redhat_00001.1.el8eap.noarch.rpm\neap7-undertow-server-1.6.2-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-wildfly-7.3.2-4.GA_redhat_00002.1.el8eap.noarch.rpm\neap7-wildfly-common-1.5.2-1.Final_redhat_00002.1.el8eap.noarch.rpm\neap7-wildfly-elytron-1.10.7-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-wildfly-elytron-tool-1.10.7-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-wildfly-http-client-common-1.0.22-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-wildfly-http-ejb-client-1.0.22-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-wildfly-http-naming-client-1.0.22-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-wildfly-http-transaction-client-1.0.22-1.Final_redhat_00001.1.el8eap.noarch.rpm\neap7-wildfly-javadocs-7.3.2-4.GA_redhat_00002.1.el8eap.noarch.rpm\neap7-wildfly-modules-7.3.2-4.GA_redhat_00002.1.el8eap.noarch.rpm\n\nThese packages are GPG signed by Red Hat for security. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n8. References:\n\nhttps://access.redhat.com/security/cve/CVE-2019-14900\nhttps://access.redhat.com/security/cve/CVE-2020-1710\nhttps://access.redhat.com/security/cve/CVE-2020-1748\nhttps://access.redhat.com/security/cve/CVE-2020-10672\nhttps://access.redhat.com/security/cve/CVE-2020-10673\nhttps://access.redhat.com/security/cve/CVE-2020-10683\nhttps://access.redhat.com/security/cve/CVE-2020-10687\nhttps://access.redhat.com/security/cve/CVE-2020-10693\nhttps://access.redhat.com/security/cve/CVE-2020-10714\nhttps://access.redhat.com/security/cve/CVE-2020-10718\nhttps://access.redhat.com/security/cve/CVE-2020-10740\nhttps://access.redhat.com/security/cve/CVE-2020-14297\nhttps://access.redhat.com/security/updates/classification/#important\nhttps://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/\nhttps://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/html-single/installation_guide/\n\n9. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2020 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBXzqIgdzjgjWX9erEAQhAaw//ceEP1X/GXLqWVwEDOZhjR4akb8iOZC4P\nH8bYYEtAq7LHOTzfor0D1PsShzOfF6UjhpRYYhaFZN80Fs3cc27Pqk5MnF4qfdAf\nFnzZ/ze5jlclBPK+eSmGPvYCeuMK9EF+fRETRUOj0rdu3M1CLYUV1LNxOZk48Uen\nKRWbBEW8BzuYYUf+24ly76siqTZCW5oI+ZsMhuUqyUwxzu61uDL0nMYnOS+WZPL0\nxBafLiCZ1xc0pykIuqzqHPy+cvxCqkyXDJ5cOV16jeXhp5lNB0yk0LzQnck/+wKc\nRJtl/ySiuUUXH/p5FY9tAphgqvA7Plh0SpsvF0/UUsQIeqoZzx2Xr295OFUSOb26\nrebOBTDbky9zFWFXtRvnSo4cadQhYgemOkkKuX9NaQemyBRitvIjk0ZOw0cOtXdW\n5UecnSYFC5U46VzSNmPosuTkodyA20GJDxFX9v/iRP8wbsG0IpJz/1G1DMSk1+ba\noOtpxQxzuCOqhEVubkfgt0BbU4XgbYzBkKnfxfSaNVDpCCi1hCnHPC6gWR//jbP2\nqEy5MmbO8Sksn16fDgBTQ/g8YATe6pa7Q5DnIe+l+0thzm8kf3l9TG+YRKjoxtSV\nFwlVApI2o6Ebse7EPr96Ior5xMirxVML2rKgzQc7cG2s7gXvQ2NVkC0vCGdmGUGc\nzQFgGc2abfE=qmbe\n-----END PGP SIGNATURE-----\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n. \n\nThe References section of this erratum contains a download link (you must\nlog in to download the update). \n\nThe JBoss server process must be restarted for the update to take effect",
"sources": [
{
"db": "NVD",
"id": "CVE-2020-10672"
},
{
"db": "VULHUB",
"id": "VHN-163174"
},
{
"db": "PACKETSTORM",
"id": "158650"
},
{
"db": "PACKETSTORM",
"id": "157859"
},
{
"db": "PACKETSTORM",
"id": "159083"
},
{
"db": "PACKETSTORM",
"id": "158636"
},
{
"db": "PACKETSTORM",
"id": "158891"
},
{
"db": "PACKETSTORM",
"id": "159080"
},
{
"db": "PACKETSTORM",
"id": "158881"
},
{
"db": "PACKETSTORM",
"id": "159082"
}
],
"trust": 1.71
},
"external_ids": {
"_id": null,
"data": [
{
"db": "NVD",
"id": "CVE-2020-10672",
"trust": 1.9
},
{
"db": "PACKETSTORM",
"id": "158636",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "159083",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "159080",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "159082",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "158881",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "158891",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "158650",
"trust": 0.2
},
{
"db": "PACKETSTORM",
"id": "159208",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "158884",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "158889",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "158651",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "159081",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "158916",
"trust": 0.1
},
{
"db": "CNNVD",
"id": "CNNVD-202003-1150",
"trust": 0.1
},
{
"db": "VULHUB",
"id": "VHN-163174",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "157859",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-163174"
},
{
"db": "PACKETSTORM",
"id": "158650"
},
{
"db": "PACKETSTORM",
"id": "157859"
},
{
"db": "PACKETSTORM",
"id": "159083"
},
{
"db": "PACKETSTORM",
"id": "158636"
},
{
"db": "PACKETSTORM",
"id": "158891"
},
{
"db": "PACKETSTORM",
"id": "159080"
},
{
"db": "PACKETSTORM",
"id": "158881"
},
{
"db": "PACKETSTORM",
"id": "159082"
},
{
"db": "NVD",
"id": "CVE-2020-10672"
}
]
},
"id": "VAR-202003-1779",
"iot": {
"_id": null,
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-163174"
}
],
"trust": 0.01
},
"last_update_date": "2026-04-10T23:35:44.701000Z",
"problemtype_data": {
"_id": null,
"data": [
{
"problemtype": "CWE-502",
"trust": 1.0
},
{
"problemtype": "NVD-CWE-Other",
"trust": 1.0
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2020-10672"
}
]
},
"references": {
"_id": null,
"data": [
{
"trust": 1.1,
"url": "https://security.netapp.com/advisory/ntap-20200403-0002/"
},
{
"trust": 1.1,
"url": "https://github.com/fasterxml/jackson-databind/issues/2659"
},
{
"trust": 1.1,
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"trust": 1.1,
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"trust": 1.1,
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"trust": 1.1,
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"trust": 1.1,
"url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00027.html"
},
{
"trust": 1.0,
"url": "https://medium.com/%40cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"trust": 0.8,
"url": "https://access.redhat.com/security/cve/cve-2020-10672"
},
{
"trust": 0.8,
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"trust": 0.8,
"url": "https://access.redhat.com/security/team/contact/"
},
{
"trust": 0.8,
"url": "https://www.redhat.com/mailman/listinfo/rhsa-announce"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-10672"
},
{
"trust": 0.8,
"url": "https://bugzilla.redhat.com/):"
},
{
"trust": 0.7,
"url": "https://access.redhat.com/security/cve/cve-2020-10673"
},
{
"trust": 0.6,
"url": "https://access.redhat.com/security/cve/cve-2020-9547"
},
{
"trust": 0.6,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-10673"
},
{
"trust": 0.6,
"url": "https://issues.jboss.org/):"
},
{
"trust": 0.5,
"url": "https://access.redhat.com/security/cve/cve-2020-9546"
},
{
"trust": 0.5,
"url": "https://access.redhat.com/security/cve/cve-2020-9548"
},
{
"trust": 0.5,
"url": "https://access.redhat.com/security/cve/cve-2020-8840"
},
{
"trust": 0.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-1710"
},
{
"trust": 0.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-10740"
},
{
"trust": 0.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-14297"
},
{
"trust": 0.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-10693"
},
{
"trust": 0.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-10687"
},
{
"trust": 0.5,
"url": "https://access.redhat.com/security/cve/cve-2020-10714"
},
{
"trust": 0.5,
"url": "https://access.redhat.com/security/cve/cve-2020-14297"
},
{
"trust": 0.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14900"
},
{
"trust": 0.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-10683"
},
{
"trust": 0.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-10714"
},
{
"trust": 0.5,
"url": "https://access.redhat.com/security/cve/cve-2020-10683"
},
{
"trust": 0.5,
"url": "https://access.redhat.com/security/cve/cve-2020-10693"
},
{
"trust": 0.5,
"url": "https://access.redhat.com/security/cve/cve-2020-10687"
},
{
"trust": 0.5,
"url": "https://access.redhat.com/security/cve/cve-2019-14900"
},
{
"trust": 0.5,
"url": "https://access.redhat.com/security/cve/cve-2020-10740"
},
{
"trust": 0.5,
"url": "https://access.redhat.com/security/cve/cve-2020-1710"
},
{
"trust": 0.5,
"url": "https://access.redhat.com/security/cve/cve-2020-10718"
},
{
"trust": 0.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-10718"
},
{
"trust": 0.5,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-1748"
},
{
"trust": 0.5,
"url": "https://access.redhat.com/security/cve/cve-2020-1748"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/cve/cve-2020-1695"
},
{
"trust": 0.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-14307"
},
{
"trust": 0.4,
"url": "https://access.redhat.com/security/cve/cve-2020-14307"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2020-11112"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2020-11113"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2020-10968"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2019-17573"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-20444"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-17573"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-20330"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2019-20445"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2019-20444"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2020-10969"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2019-20330"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2020-7238"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2020-11111"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-20445"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/cve/cve-2020-6950"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-9547"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-1695"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/html-single/installation_guide/"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-9548"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-9546"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-8840"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-6950"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/articles/11258"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/team/key/"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-14060"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-14061"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-11619"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-14062"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2019-16869"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-11620"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11111"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2019-12423"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-16869"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-12423"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-10968"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-10969"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2019-16335"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2019-16942"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2019-16943"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14893"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-16942"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2019-14888"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14892"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2019-14892"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14888"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2020-1745"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2019-17531"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-10086"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-16335"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2019-10086"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14540"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-16943"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2019-17267"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-17531"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2019-14540"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/cve/cve-2019-14893"
},
{
"trust": 0.2,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-17267"
},
{
"trust": 0.1,
"url": "https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-14060"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-12406"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-9514"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-1718"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-9515"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-13990"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11620"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-9512"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-12406"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11612"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-9514"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-9515"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-1718"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-9518"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-13990"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2020:3196"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=distributions\u0026product=rhdm\u0026version=7.8.0"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11619"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-7238"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-9512"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11112"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-11612"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/documentation/en-us/red_hat_decision_manager/7.8/html/release_notes_for_red_hat_decision_manager_7.8/index"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-9518"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-14061"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-11113"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-14062"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-10174"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2020:2333"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/documentation/en-us/jboss_enterprise_application_platform_continuous_delivery/19/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-14887"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2020-10688"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-0210"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-0205"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-12419"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-0210"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-14887"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-10688"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?product\\xeap-cd\u0026downloadtype=securitypatches\u0026version\u0019"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-12419"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-10174"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-0205"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-1732"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2020:3642"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-11797"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-10172"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-12086"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2018-1000632"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-1000632"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-9511"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-12400"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2018-3831"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-0231"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2018-11797"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=distributions\u0026product=jboss.fuse\u0026version=7.7.0"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2018-12541"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-3797"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2016-4970"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-9827"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/documentation/en-us/red_hat_fuse/7.7/"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-9511"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-10172"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-12086"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2016-4970"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-1953"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-1757"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-0231"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2019-9827"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-3831"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-12400"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2018-12541"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2020:3192"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2020-14195"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2019-3797"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/html-single/installation_guide/"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.3/"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2020:3463"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2020:3639"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2020:3464"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/errata/rhsa-2020:3638"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-163174"
},
{
"db": "PACKETSTORM",
"id": "158650"
},
{
"db": "PACKETSTORM",
"id": "157859"
},
{
"db": "PACKETSTORM",
"id": "159083"
},
{
"db": "PACKETSTORM",
"id": "158636"
},
{
"db": "PACKETSTORM",
"id": "158891"
},
{
"db": "PACKETSTORM",
"id": "159080"
},
{
"db": "PACKETSTORM",
"id": "158881"
},
{
"db": "PACKETSTORM",
"id": "159082"
},
{
"db": "NVD",
"id": "CVE-2020-10672"
}
]
},
"sources": {
"_id": null,
"data": [
{
"db": "VULHUB",
"id": "VHN-163174",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "158650",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "157859",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "159083",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "158636",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "158891",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "159080",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "158881",
"ident": null
},
{
"db": "PACKETSTORM",
"id": "159082",
"ident": null
},
{
"db": "NVD",
"id": "CVE-2020-10672",
"ident": null
}
]
},
"sources_release_date": {
"_id": null,
"data": [
{
"date": "2020-03-18T00:00:00",
"db": "VULHUB",
"id": "VHN-163174",
"ident": null
},
{
"date": "2020-07-29T17:52:58",
"db": "PACKETSTORM",
"id": "158650",
"ident": null
},
{
"date": "2020-05-28T16:22:46",
"db": "PACKETSTORM",
"id": "157859",
"ident": null
},
{
"date": "2020-09-07T16:39:48",
"db": "PACKETSTORM",
"id": "159083",
"ident": null
},
{
"date": "2020-07-29T00:05:59",
"db": "PACKETSTORM",
"id": "158636",
"ident": null
},
{
"date": "2020-08-17T17:43:22",
"db": "PACKETSTORM",
"id": "158891",
"ident": null
},
{
"date": "2020-09-07T16:37:51",
"db": "PACKETSTORM",
"id": "159080",
"ident": null
},
{
"date": "2020-08-17T15:35:45",
"db": "PACKETSTORM",
"id": "158881",
"ident": null
},
{
"date": "2020-09-07T16:39:28",
"db": "PACKETSTORM",
"id": "159082",
"ident": null
},
{
"date": "2020-03-18T22:15:12.313000",
"db": "NVD",
"id": "CVE-2020-10672",
"ident": null
}
]
},
"sources_update_date": {
"_id": null,
"data": [
{
"date": "2021-12-07T00:00:00",
"db": "VULHUB",
"id": "VHN-163174",
"ident": null
},
{
"date": "2024-11-21T04:55:49.050000",
"db": "NVD",
"id": "CVE-2020-10672",
"ident": null
}
]
},
"threat_type": {
"_id": null,
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "159083"
},
{
"db": "PACKETSTORM",
"id": "158891"
},
{
"db": "PACKETSTORM",
"id": "159080"
},
{
"db": "PACKETSTORM",
"id": "158881"
},
{
"db": "PACKETSTORM",
"id": "159082"
}
],
"trust": 0.5
},
"title": {
"_id": null,
"data": "Red Hat Security Advisory 2020-3196-01",
"sources": [
{
"db": "PACKETSTORM",
"id": "158650"
}
],
"trust": 0.1
},
"type": {
"_id": null,
"data": "sql injection",
"sources": [
{
"db": "PACKETSTORM",
"id": "159083"
},
{
"db": "PACKETSTORM",
"id": "158891"
},
{
"db": "PACKETSTORM",
"id": "159080"
},
{
"db": "PACKETSTORM",
"id": "158881"
},
{
"db": "PACKETSTORM",
"id": "159082"
}
],
"trust": 0.5
}
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.