Description
h2: Loading of custom classes from remote servers through JNDI.
jackson-databind: denial of service via a large depth of nested objects.
netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data.
netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way.
h2: Remote Code Execution in Console.
netty: control chars in header names may lead to HTTP request smuggling.
xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr.
wildfly: Wildfly management of EJB Session context returns wrong caller principal with Elytron Security enabled.
undertow: Double AJP response for 400 from EAP 7 results in CPING failures.
OpenJDK: Infinite loop related to incorrect handling of newlines in XMLEntityScanner (JAXP, 8270646).
mysql-connector-java: Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors.
xerces-j2: infinite loop when handling specially crafted XML document payloads.
artemis-commons: Apache ActiveMQ Artemis DoS.
Moment.js: Path traversal in moment.locale.
jboss-client: memory leakage in remote client transaction.