Description
jackson-databind: Serialization gadgets in ibatis-sqlmap.
jackson-databind: Lacks certain xbean-reflect/JNDI blocking.
jackson-databind: Serialization gadgets in anteros-core.
jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution.
jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution.
jackson-databind: Serialization gadgets in shaded-hikari-config.
undertow: EAP: field-name is not parsed in accordance with RFC 7230.
wildfly-undertow: Undertow: Incomplete fix for CVE-2017-2666 due to permitting invalid characters in HTTP requests.
jsf-impl: Mojarra: Path traversal via either the loc parameter or the con parameter, incomplete fix of CVE-2018-14371.
resteasy-jaxrs: resteasy: Improper validation of response header in MediaTypeHeaderDelegate.java class.
wildfly-elytron: Session fixation when using FORM authentication.
dom4j: XML External Entity vulnerability in default SAX parser.
wildfly: Improper authorization issue in WildFlySecurityManager when using alternative protection domain.
hibernate-validator: Improper input validation in the interpolation of constraint error messages.
hibernate-core: hibernate: SQL injection issue in Hibernate ORM.
wildfly: Exposed setting of TCCL via the EmbeddedManagedProcess API.
jboss-ejb-client: wildfly: EJB SessionOpenInvocations may not be removed properly after a response is received causing Denial of Service.
jboss-ejb-client: wildfly: Some EJB transaction objects may get accumulated causing Denial of Service.