First published: Thu Jul 23 2020
This release of Red Hat build of Thorntail 2.7.0 includes security updates, bug fixes, and enhancements. For more information, see the release notes listed in the References section.

Security Fix(es):

- Wildfly: EJBContext principal is not popped back after invoking another EJB using a different Security Domain (CVE-2020-1719)
- cxf: reflected XSS in the services listing page (CVE-2019-17573)
- undertow: AJP File Read/Inclusion Vulnerability (CVE-2020-1745)
- Mojarra: Path traversal via either the loc parameter or the con parameter, incomplete fix of CVE-2018-14371 (CVE-2020-6950)
- resteasy: Improper validation of response header in MediaTypeHeaderDelegate.java class (CVE-2020-1695)
- undertow: servletPath is normalized incorrectly leading to dangerous application mapping which could result in security bypass (CVE-2020-1757)
- keycloak: stored XSS in client settings via application links (CVE-2020-1697)
- keycloak: problem with privacy after user logout (CVE-2020-1724)
- keycloak: Password leak by logged exception in HttpMethod class (CVE-2020-1698)
- cxf: OpenId Connect token service does not properly validate the clientId (CVE-2019-12423)
- Soteria: security identity corruption across concurrent threads (CVE-2020-1732)
- keycloak: missing input validation in IDP authorization URLs (CVE-2020-1727)
- keycloak: failedLogin Event not sent to BruteForceProtector when using Post Login Flow with Conditional-OTP (CVE-2020-1744)
- keycloak: security issue on reset credential flow (CVE-2020-1718)
- keycloak: Lack of checks in ObjectInputStream leading to Remote Code Execution (CVE-2020-1714)
- RESTEasy: RESTEASY003870 exception in RESTEasy can lead to a reflected XSS attack (CVE-2020-10688)
- undertow: invalid HTTP request with large chunk size (CVE-2020-10719)
- undertow: Memory exhaustion issue in HttpReadListener via "Expect: 100-continue" header (CVE-2020-10705)

For more details about the security issues and their impact, the CVSS score, acknowledgements, and other related information, see the CVE pages listed in the References section.