Red Hat JBoss Enterprise Application Platform CD20 is a platform for Java applications based on the WildFly application runtime.
This release of Red Hat JBoss Enterprise Application Platform CD20 includes bug fixes and enhancements.
jsf-impl: mojarra: Path traversal in ResourceManager.java:getLocalePrefix() via the loc parameter (CVE-2018-14371)
jackson-mapper-asl: XML external entity similar to CVE-2016-3720 (CVE-2019-10172)
hibernate-core: hibernate: SQL injection issue in Hibernate ORM (CVE-2019-14900)
jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution (CVE-2020-10673)
dom4j: XML External Entity vulnerability in default SAX parser (CVE-2020-10683)
undertow: Memory exhaustion issue in HttpReadListener via "Expect: 100-continue" header (CVE-2020-10705)
wildfly-elytron: session fixation when using FORM authentication (CVE-2020-10714)
undertow: invalid HTTP request with large chunk size (CVE-2020-10719)
wildfly: unsafe deserialization in WildFly Enterprise Java Beans (CVE-2020-10740)
netty: compression/decompression codecs don't enforce limits on buffer allocation sizes (CVE-2020-11612)
wildfly: EJBContext principal is not popped back after invoking another EJB using a different Security Domain (CVE-2020-1719)
cxf-core: cxf: JMX integration is vulnerable to a MITM attack (CVE-2020-1954)
jsf-impl: Mojarra: Path traversal via either the loc parameter or the con parameter, incomplete fix of CVE-2018-14371 (CVE-2020-6950)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
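A practitioner applying this advisory usually wants an inventory of which of the listed components are actually present in an installation before comparing them against the fixed packages. The script below is an added example, not Red Hat's or WildFly's own tooling: it walks an installation tree (the modules directory of an EAP install is the realistic input), matches JAR file names against the component names in the fix list above, and reports the version recorded in META-INF/MANIFEST.MF, falling back to the version embedded in the file name. It assumes the conventional artifact-version.jar naming and the Implementation-Version or Bundle-Version manifest attributes; the fixed versions are not given on this page, so the script only produces the inventory and does not itself decide whether a JAR is vulnerable.

```python
"""Inventory the components named in the advisory within an installation tree.

Added example; not Red Hat or WildFly code. Assumptions: JARs are named
artifact-version.jar, and the version is carried in Implementation-Version
or Bundle-Version of META-INF/MANIFEST.MF (file name used as a fallback).
"""
import os
import re
import sys
import zipfile

# Component names as they appear in the advisory's fix list, mapped to the
# CVE ids listed for them. Used for reporting only.
AFFECTED = {
    "jsf-impl": ["CVE-2018-14371", "CVE-2020-6950"],
    "jackson-mapper-asl": ["CVE-2019-10172"],
    "hibernate-core": ["CVE-2019-14900"],
    "jackson-databind": ["CVE-2020-10673"],
    "dom4j": ["CVE-2020-10683"],
    "undertow": ["CVE-2020-10705", "CVE-2020-10719"],
    "wildfly-elytron": ["CVE-2020-10714"],
    "wildfly": ["CVE-2020-10740", "CVE-2020-1719"],
    "netty": ["CVE-2020-11612"],
    "cxf-core": ["CVE-2020-1954"],
}

# artifact-version.jar: the version starts at the first "-<digit>".
JAR_NAME = re.compile(r"^(?P<artifact>[A-Za-z][\w.-]*?)-(?P<version>\d[\w.-]*)\.jar$")


def parse_manifest(text):
    """Parse a JAR manifest into a dict, joining continuation lines (leading space)."""
    attrs = {}
    last = None
    for raw in text.splitlines():
        if not raw.strip():
            last = None
            continue
        if raw.startswith(" ") and last is not None:
            attrs[last] += raw[1:]
            continue
        if ":" in raw:
            key, _, value = raw.partition(":")
            last = key.strip()
            attrs[last] = value.strip()
    return attrs


def manifest_version(path):
    """Version from the JAR manifest, or None if the JAR has no usable manifest."""
    try:
        with zipfile.ZipFile(path) as zf:
            text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    attrs = parse_manifest(text)
    return attrs.get("Implementation-Version") or attrs.get("Bundle-Version")


def classify(artifact):
    """Most specific advisory component the artifact belongs to, or None.

    Prefix matching lets 'undertow-core' map to 'undertow' and 'wildfly-ejb3'
    to 'wildfly', while 'wildfly-elytron' keeps its own, more specific entry.
    """
    matches = [c for c in AFFECTED if artifact == c or artifact.startswith(c + "-")]
    return max(matches, key=len) if matches else None


def scan_jars(root):
    """Return one record per JAR under root that belongs to an advisory component."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            m = JAR_NAME.match(name)
            if not m:
                continue
            component = classify(m.group("artifact"))
            if component is None:
                continue
            path = os.path.join(dirpath, name)
            version = manifest_version(path) or m.group("version")
            findings.append({
                "path": os.path.relpath(path, root),
                "component": component,
                "version": version,
                "cves": AFFECTED[component],
            })
    return findings


if __name__ == "__main__":
    # Usage: python inventory.py /path/to/jboss-eap/modules
    for f in scan_jars(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{f['component']:20} {f['version']:32} {', '.join(f['cves'])}  {f['path']}")
```

Run it against the modules directory of the installation and compare the reported versions with the package list of the advisory you are applying; a JAR with no manifest is reported from its file name, which is less reliable, so treat such entries as needing manual confirmation.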