var-202005-1054
Vulnerability from variot

dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.

dom4j is an open source framework for processing XML. A code issue vulnerability exists in dom4j versions prior to 2.0.3 and 2.1.x versions prior to 2.1.3. This vulnerability stems from improper design or implementation problems in the code development process of network systems or products.

==========================================================================
Ubuntu Security Notice USN-4575-1
October 13, 2020

dom4j vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS

Summary:

dom4j could be made to expose sensitive information or run programs if it received specially crafted input.

Software Description:
- dom4j: Flexible XML framework for Java

Details:

It was discovered that dom4j incorrectly handled reading XML data. A remote attacker could exploit this with a crafted XML file to expose sensitive data or possibly execute arbitrary code. (CVE-2020-10683)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.04 LTS: libdom4j-java 1.6.1+dfsg.3-2ubuntu1.1

In general, a standard system update will make all the necessary changes.

The purpose of this text-only errata is to inform you about the security issues fixed in this release.
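The safe, non-default dom4j configuration that the description above attributes to the OWASP documentation, as an added example (not code from dom4j, Ubuntu or Red Hat; the class name `SafeDom4jReader` and the method names are this example's own):

```java
import java.io.StringReader;

import org.dom4j.Document;
import org.dom4j.DocumentException;
import org.dom4j.io.SAXReader;
import org.xml.sax.SAXException;

/**
 * Added example (not dom4j project code). Builds a SAXReader with the
 * non-default settings recommended by the OWASP XXE Prevention Cheat Sheet,
 * so that an application on an affected dom4j (before 2.0.3, or 2.1.x before
 * 2.1.3) no longer resolves DTDs or external entities in untrusted input.
 */
public final class SafeDom4jReader {

    private SafeDom4jReader() {
    }

    /** Returns a SAXReader that refuses DOCTYPE declarations and external entities. */
    public static SAXReader newHardenedReader() throws SAXException {
        SAXReader reader = new SAXReader();

        // Strongest option: reject any document that carries a DOCTYPE at all.
        // Almost all XXE variants need a DOCTYPE to declare their entities.
        reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

        // Defence in depth, in case a deployment has to relax the line above
        // for a trusted schema: never resolve general or parameter entities
        // and never fetch an external DTD referenced by the document.
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);

        return reader;
    }

    /**
     * Parses untrusted XML with the hardened reader. Returns false when the
     * parser rejects the input, which is the expected outcome for any
     * document that tries to declare entities.
     */
    public static boolean acceptsDocument(String xml) throws SAXException {
        try {
            Document doc = newHardenedReader().read(new StringReader(xml));
            return doc.getRootElement() != null;
        } catch (DocumentException rejected) {
            // The SAX parser reported the DOCTYPE as a fatal error before any
            // entity could be resolved; log the rejection and drop the input.
            System.err.println("rejected untrusted XML: " + rejected.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws SAXException {
        // Constructed sample inputs for this example (not real traffic).
        String plain = "<order><id>42</id></order>";
        String withDoctype = "<!DOCTYPE order [<!ENTITY note \"internal\">]>"
                + "<order>&note;</order>";

        System.out.println("plain document accepted:   " + acceptsDocument(plain));
        System.out.println("DOCTYPE document accepted: " + acceptsDocument(withDoctype));
    }
}
```

With `disallow-doctype-decl` enabled the second sample fails inside `read()` with a `DocumentException`, while a DOCTYPE-free document still parses normally.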

Installation instructions are available from the Fuse 7.8.0 product documentation page: https://access.redhat.com/documentation/en-us/red_hat_fuse/7.8/

  1. Description:

Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services.

The References section of this erratum contains a download link (you must log in to download the update).

The JBoss server process must be restarted for the update to take effect.

=====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat JBoss Enterprise Application Platform 7.2.9 on RHEL 6 security update
Advisory ID: RHSA-2020:3637-01
Product: Red Hat JBoss Enterprise Application Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2020:3637
Issue date: 2020-09-07
CVE Names: CVE-2019-14900 CVE-2020-1695 CVE-2020-1710 CVE-2020-1748 CVE-2020-6950 CVE-2020-8840 CVE-2020-9546 CVE-2020-9547 CVE-2020-9548 CVE-2020-10672 CVE-2020-10673 CVE-2020-10683 CVE-2020-10687 CVE-2020-10693 CVE-2020-10714 CVE-2020-10718 CVE-2020-10740 CVE-2020-14297 CVE-2020-14307
=====================================================================

  1. Summary:

An update is now available for Red Hat JBoss Enterprise Application Platform 7.2 for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

  2. Relevant releases/architectures:

Red Hat JBoss EAP 7.2 for RHEL 6 Server - noarch

  3. Description:

This release of Red Hat JBoss Enterprise Application Platform 7.2.9 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.2.8, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.2.9 Release Notes for information about the most significant bug fixes and enhancements included in this release.

Security Fix(es):

  • jackson-databind: Serialization gadgets in ibatis-sqlmap (CVE-2020-9547)

  • jackson-databind: Lacks certain xbean-reflect/JNDI blocking (CVE-2020-8840)

  • jackson-databind: Serialization gadgets in anteros-core (CVE-2020-9548)

  • jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution (CVE-2020-10672)

  • jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution (CVE-2020-10673)

  • jackson-databind: Serialization gadgets in shaded-hikari-config (CVE-2020-9546)

  • undertow: EAP: field-name is not parsed in accordance to RFC7230 (CVE-2020-1710)

  • wildfly-undertow: Undertow: Incomplete fix for CVE-2017-2666 due to permitting invalid characters in HTTP requests (CVE-2020-10687)

  • jsf-impl: Mojarra: Path traversal via either the loc parameter or the con parameter, incomplete fix of CVE-2018-14371 (CVE-2020-6950)

  • resteasy-jaxrs: resteasy: Improper validation of response header in MediaTypeHeaderDelegate.java class (CVE-2020-1695)

  • wildfly-elytron: session fixation when using FORM authentication (CVE-2020-10714)

  • dom4j: XML External Entity vulnerability in default SAX parser (CVE-2020-10683)

  • wildfly: Improper authorization issue in WildFlySecurityManager when using alternative protection domain (CVE-2020-1748)

  • hibernate-validator: Improper input validation in the interpolation of constraint error messages (CVE-2020-10693)

  • hibernate-core: hibernate: SQL injection issue in Hibernate ORM (CVE-2019-14900)

  • wildfly: exposed setting of TCCL via the EmbeddedManagedProcess API (CVE-2020-10718)

  • wildfly: unsafe deserialization in Wildfly Enterprise Java Beans (CVE-2020-10740)

  • jboss-ejb-client: wildfly: EJB SessionOpenInvocations may not be removed properly after a response is received causing Denial of Service (CVE-2020-14307)

  • jboss-ejb-client: wildfly: Some EJB transaction objects may get accumulated causing Denial of Service (CVE-2020-14297)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, see the CVE page(s) listed in the References section.

  4. Solution:

Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.

For details about how to apply this update, which includes the changes described in this advisory, see:

https://access.redhat.com/articles/11258

  5. Bugs fixed (https://bugzilla.redhat.com/):

1666499 - CVE-2019-14900 hibernate: SQL injection issue in Hibernate ORM
1694235 - CVE-2020-10683 dom4j: XML External Entity vulnerability in default SAX parser
1730462 - CVE-2020-1695 resteasy: Improper validation of response header in MediaTypeHeaderDelegate.java class
1785049 - CVE-2020-10687 Undertow: Incomplete fix for CVE-2017-2666 due to permitting invalid characters in HTTP requests
1793970 - CVE-2020-1710 EAP: field-name is not parsed in accordance to RFC7230
1805006 - CVE-2020-6950 Mojarra: Path traversal via either the loc parameter or the con parameter, incomplete fix of CVE-2018-14371
1805501 - CVE-2020-10693 hibernate-validator: Improper input validation in the interpolation of constraint error messages
1807707 - CVE-2020-1748 Wildfly: Improper authorization issue in WildFlySecurityManager when using alternative protection domain
1815470 - CVE-2020-10673 jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution
1815495 - CVE-2020-10672 jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution
1816330 - CVE-2020-8840 jackson-databind: Lacks certain xbean-reflect/JNDI blocking
1816332 - CVE-2020-9546 jackson-databind: Serialization gadgets in shaded-hikari-config
1816337 - CVE-2020-9547 jackson-databind: Serialization gadgets in ibatis-sqlmap
1816340 - CVE-2020-9548 jackson-databind: Serialization gadgets in anteros-core
1825714 - CVE-2020-10714 wildfly-elytron: session fixation when using FORM authentication
1828476 - CVE-2020-10718 wildfly: exposed setting of TCCL via the EmbeddedManagedProcess API
1834512 - CVE-2020-10740 wildfly: unsafe deserialization in Wildfly Enterprise Java Beans
1851327 - CVE-2020-14307 wildfly: EJB SessionOpenInvocations may not be removed properly after a response is received causing Denial of Service
1853595 - CVE-2020-14297 wildfly: Some EJB transaction objects may get accumulated causing Denial of Service

  6. JIRA issues fixed (https://issues.jboss.org/):

JBEAP-18366 - GSS Upgrade Hibernate ORM from 5.3.15 to 5.3.16
JBEAP-18667 - GSS Upgrade wildfly-http-client from 1.0.20.Final-redhat-00001 to 1.0.21.Final-redhat-00001
JBEAP-18849 - GSS Upgrade RESTEasy from 3.6.1.SP8 to 3.6.1.SP9
JBEAP-18880 - GSS Upgrade JSF based on Mojarra 2.3.5.SP3-redhat-00009 to 2.3.5.SP4-redhat-00001
JBEAP-18906 - GSS Upgrade weld from 3.0.6.Final-redhat-00003 to 3.0.7.Final-redhat-00001
JBEAP-18919 - GSS Upgrade HAL from 3.0.21.Final to 3.0.22.Final
JBEAP-18965 - (7.2.z) Upgrade IronJacamar from 1.4.20.Final to 1.4.21.Final
JBEAP-19038 - Tracker bug for the EAP 7.2.9 release for RHEL-6
JBEAP-19058 - [GSS] (7.2.z) Upgrade Undertow from 2.0.30.SP1-redhat-00001 to 2.0.30.SP2-redhat-00001
JBEAP-19120 - GSS Upgrade org.jboss.genericjms from 2.0.2.Final-redhat-00001 to 2.0.4.Final-redhat-00001
JBEAP-19163 - GSS Upgrade Infinispan from 9.3.8.Final-redhat-00001 to 9.3.9.Final-redhat-00001
JBEAP-19255 - (7.2.z) Upgrade jboss-logmanager from 2.1.14.Final to 2.1.15.Final
JBEAP-19271 - (7.2.z) Upgrade WildFly Core from 6.0.27.Final-redhat-00001 to 6.0.28.Final-redhat-00001
JBEAP-19315 - GSS Upgrade XNIO from 3.7.6.SP2 to 3.7.6.SP3
JBEAP-19463 - (7.2.z) Upgrade wildfly-transaction-client from 1.1.10.Final-redhat-00001 to 1.1.11.Final-redhat-00001
JBEAP-19565 - (7.2.z) Upgrade jboss-ejb-client from 4.0.31.Final-redhat-00001 to 4.0.33.Final-redhat-00001
JBEAP-19587 - GSS Upgrade org.jboss.genericjms from 2.0.2.Final-redhat-00001 to 2.0.6.Final-redhat-00001
JBEAP-19620 - (7.2.z) Upgrade JBoss JSF API from 2.3.5.SP2-redhat-00003 to 2.3.5.SP2-redhat-00005
JBEAP-19624 - (7.2.z) Upgrade wildfly-naming-client from 1.0.12.Final-redhat-00001 to 1.0.13.Final-redhat-00001
JBEAP-19703 - GSS Upgrade JBoss Modules from 1.8.9 to 1.8.10
JBEAP-19704 - (7.2.z) Upgrade WildFly Core from 6.0.28.Final-redhat-00001 to 6.0.29.Final-redhat-00001
JBEAP-19798 - GSS Upgrade HAL from 3.0.22.Final to 3.0.23.Final
JBEAP-19837 - (7.2.z) Upgrade WildFly Core from 6.0.29.Final-redhat-00001 to 6.0.30.Final-redhat-00001
JBEAP-19875 - GSS Upgrade wildfly-http-ejb-client from 1.0.21.Final to 1.0.22.Final

  7. Package List:

Red Hat JBoss EAP 7.2 for RHEL 6 Server:

Source:
eap7-dom4j-2.1.3-1.redhat_00001.1.el6eap.src.rpm
eap7-elytron-web-1.2.5-1.Final_redhat_00001.1.el6eap.src.rpm
eap7-glassfish-jsf-2.3.5-13.SP3_redhat_00011.1.el6eap.src.rpm
eap7-hal-console-3.0.23-1.Final_redhat_00001.1.el6eap.src.rpm
eap7-hibernate-5.3.17-1.Final_redhat_00001.1.el6eap.src.rpm
eap7-hibernate-validator-6.0.20-1.Final_redhat_00001.1.el6eap.src.rpm
eap7-ironjacamar-1.4.22-1.Final_redhat_00001.1.el6eap.src.rpm
eap7-jackson-databind-2.9.10.4-1.redhat_00001.1.el6eap.src.rpm
eap7-jboss-genericjms-2.0.6-1.Final_redhat_00001.1.el6eap.src.rpm
eap7-jboss-jsf-api_2.3_spec-2.3.5-7.SP2_redhat_00005.1.el6eap.src.rpm
eap7-jboss-logmanager-2.1.15-1.Final_redhat_00001.1.el6eap.src.rpm
eap7-jboss-modules-1.8.10-1.Final_redhat_00001.1.el6eap.src.rpm
eap7-jboss-server-migration-1.3.1-13.Final_redhat_00014.1.el6eap.src.rpm
eap7-jboss-xnio-base-3.7.6-4.SP3_redhat_00001.1.el6eap.src.rpm
eap7-resteasy-3.6.1-10.SP9_redhat_00001.1.el6eap.src.rpm
eap7-undertow-2.0.30-4.SP4_redhat_00001.1.el6eap.src.rpm
eap7-weld-core-3.0.6-4.Final_redhat_00004.1.el6eap.src.rpm
eap7-wildfly-7.2.9-4.GA_redhat_00003.1.el6eap.src.rpm
eap7-wildfly-elytron-1.6.8-1.Final_redhat_00001.1.el6eap.src.rpm
eap7-wildfly-http-client-1.0.22-1.Final_redhat_00001.1.el6eap.src.rpm
eap7-wildfly-transaction-client-1.1.11-1.Final_redhat_00001.1.el6eap.src.rpm

noarch:
eap7-dom4j-2.1.3-1.redhat_00001.1.el6eap.noarch.rpm
eap7-glassfish-jsf-2.3.5-13.SP3_redhat_00011.1.el6eap.noarch.rpm
eap7-hal-console-3.0.23-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-hibernate-5.3.17-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-hibernate-core-5.3.17-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-hibernate-entitymanager-5.3.17-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-hibernate-envers-5.3.17-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-hibernate-java8-5.3.17-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-hibernate-validator-6.0.20-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-hibernate-validator-cdi-6.0.20-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-ironjacamar-1.4.22-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-ironjacamar-common-api-1.4.22-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-ironjacamar-common-impl-1.4.22-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-ironjacamar-common-spi-1.4.22-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-ironjacamar-core-api-1.4.22-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-ironjacamar-core-impl-1.4.22-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-ironjacamar-deployers-common-1.4.22-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-ironjacamar-jdbc-1.4.22-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-ironjacamar-validator-1.4.22-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-jackson-databind-2.9.10.4-1.redhat_00001.1.el6eap.noarch.rpm
eap7-jboss-genericjms-2.0.6-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-jboss-jsf-api_2.3_spec-2.3.5-7.SP2_redhat_00005.1.el6eap.noarch.rpm
eap7-jboss-logmanager-2.1.15-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-jboss-modules-1.8.10-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-jboss-server-migration-1.3.1-13.Final_redhat_00014.1.el6eap.noarch.rpm
eap7-jboss-server-migration-cli-1.3.1-13.Final_redhat_00014.1.el6eap.noarch.rpm
eap7-jboss-server-migration-core-1.3.1-13.Final_redhat_00014.1.el6eap.noarch.rpm
eap7-jboss-server-migration-eap6.4-1.3.1-13.Final_redhat_00014.1.el6eap.noarch.rpm
eap7-jboss-server-migration-eap6.4-to-eap7.2-1.3.1-13.Final_redhat_00014.1.el6eap.noarch.rpm
eap7-jboss-server-migration-eap7.0-1.3.1-13.Final_redhat_00014.1.el6eap.noarch.rpm
eap7-jboss-server-migration-eap7.0-to-eap7.2-1.3.1-13.Final_redhat_00014.1.el6eap.noarch.rpm
eap7-jboss-server-migration-eap7.1-1.3.1-13.Final_redhat_00014.1.el6eap.noarch.rpm
eap7-jboss-server-migration-eap7.1-to-eap7.2-1.3.1-13.Final_redhat_00014.1.el6eap.noarch.rpm
eap7-jboss-server-migration-eap7.2-1.3.1-13.Final_redhat_00014.1.el6eap.noarch.rpm
eap7-jboss-server-migration-wildfly10.0-1.3.1-13.Final_redhat_00014.1.el6eap.noarch.rpm
eap7-jboss-server-migration-wildfly10.0-to-eap7.2-1.3.1-13.Final_redhat_00014.1.el6eap.noarch.rpm
eap7-jboss-server-migration-wildfly10.1-1.3.1-13.Final_redhat_00014.1.el6eap.noarch.rpm
eap7-jboss-server-migration-wildfly10.1-to-eap7.2-1.3.1-13.Final_redhat_00014.1.el6eap.noarch.rpm
eap7-jboss-server-migration-wildfly11.0-1.3.1-13.Final_redhat_00014.1.el6eap.noarch.rpm
eap7-jboss-server-migration-wildfly11.0-to-eap7.2-1.3.1-13.Final_redhat_00014.1.el6eap.noarch.rpm
eap7-jboss-server-migration-wildfly12.0-1.3.1-13.Final_redhat_00014.1.el6eap.noarch.rpm
eap7-jboss-server-migration-wildfly12.0-to-eap7.2-1.3.1-13.Final_redhat_00014.1.el6eap.noarch.rpm
eap7-jboss-server-migration-wildfly13.0-server-1.3.1-13.Final_redhat_00014.1.el6eap.noarch.rpm
eap7-jboss-server-migration-wildfly14.0-server-1.3.1-13.Final_redhat_00014.1.el6eap.noarch.rpm
eap7-jboss-server-migration-wildfly8.2-1.3.1-13.Final_redhat_00014.1.el6eap.noarch.rpm
eap7-jboss-server-migration-wildfly8.2-to-eap7.2-1.3.1-13.Final_redhat_00014.1.el6eap.noarch.rpm
eap7-jboss-server-migration-wildfly9.0-1.3.1-13.Final_redhat_00014.1.el6eap.noarch.rpm
eap7-jboss-server-migration-wildfly9.0-to-eap7.2-1.3.1-13.Final_redhat_00014.1.el6eap.noarch.rpm
eap7-jboss-xnio-base-3.7.6-4.SP3_redhat_00001.1.el6eap.noarch.rpm
eap7-resteasy-3.6.1-10.SP9_redhat_00001.1.el6eap.noarch.rpm
eap7-resteasy-atom-provider-3.6.1-10.SP9_redhat_00001.1.el6eap.noarch.rpm
eap7-resteasy-cdi-3.6.1-10.SP9_redhat_00001.1.el6eap.noarch.rpm
eap7-resteasy-client-3.6.1-10.SP9_redhat_00001.1.el6eap.noarch.rpm
eap7-resteasy-client-microprofile-3.6.1-10.SP9_redhat_00001.1.el6eap.noarch.rpm
eap7-resteasy-crypto-3.6.1-10.SP9_redhat_00001.1.el6eap.noarch.rpm
eap7-resteasy-jackson-provider-3.6.1-10.SP9_redhat_00001.1.el6eap.noarch.rpm
eap7-resteasy-jackson2-provider-3.6.1-10.SP9_redhat_00001.1.el6eap.noarch.rpm
eap7-resteasy-jaxb-provider-3.6.1-10.SP9_redhat_00001.1.el6eap.noarch.rpm
eap7-resteasy-jaxrs-3.6.1-10.SP9_redhat_00001.1.el6eap.noarch.rpm
eap7-resteasy-jettison-provider-3.6.1-10.SP9_redhat_00001.1.el6eap.noarch.rpm
eap7-resteasy-jose-jwt-3.6.1-10.SP9_redhat_00001.1.el6eap.noarch.rpm
eap7-resteasy-jsapi-3.6.1-10.SP9_redhat_00001.1.el6eap.noarch.rpm
eap7-resteasy-json-binding-provider-3.6.1-10.SP9_redhat_00001.1.el6eap.noarch.rpm
eap7-resteasy-json-p-provider-3.6.1-10.SP9_redhat_00001.1.el6eap.noarch.rpm
eap7-resteasy-multipart-provider-3.6.1-10.SP9_redhat_00001.1.el6eap.noarch.rpm
eap7-resteasy-rxjava2-3.6.1-10.SP9_redhat_00001.1.el6eap.noarch.rpm
eap7-resteasy-spring-3.6.1-10.SP9_redhat_00001.1.el6eap.noarch.rpm
eap7-resteasy-validator-provider-11-3.6.1-10.SP9_redhat_00001.1.el6eap.noarch.rpm
eap7-resteasy-yaml-provider-3.6.1-10.SP9_redhat_00001.1.el6eap.noarch.rpm
eap7-undertow-2.0.30-4.SP4_redhat_00001.1.el6eap.noarch.rpm
eap7-undertow-server-1.2.5-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-weld-core-3.0.6-4.Final_redhat_00004.1.el6eap.noarch.rpm
eap7-weld-core-impl-3.0.6-4.Final_redhat_00004.1.el6eap.noarch.rpm
eap7-weld-core-jsf-3.0.6-4.Final_redhat_00004.1.el6eap.noarch.rpm
eap7-weld-ejb-3.0.6-4.Final_redhat_00004.1.el6eap.noarch.rpm
eap7-weld-jta-3.0.6-4.Final_redhat_00004.1.el6eap.noarch.rpm
eap7-weld-probe-core-3.0.6-4.Final_redhat_00004.1.el6eap.noarch.rpm
eap7-weld-web-3.0.6-4.Final_redhat_00004.1.el6eap.noarch.rpm
eap7-wildfly-7.2.9-4.GA_redhat_00003.1.el6eap.noarch.rpm
eap7-wildfly-elytron-1.6.8-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-wildfly-http-client-common-1.0.22-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-wildfly-http-ejb-client-1.0.22-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-wildfly-http-naming-client-1.0.22-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-wildfly-http-transaction-client-1.0.22-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-wildfly-javadocs-7.2.9-4.GA_redhat_00003.1.el6eap.noarch.rpm
eap7-wildfly-modules-7.2.9-4.GA_redhat_00003.1.el6eap.noarch.rpm
eap7-wildfly-transaction-client-1.1.11-1.Final_redhat_00001.1.el6eap.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

  8. References:

https://access.redhat.com/security/cve/CVE-2019-14900
https://access.redhat.com/security/cve/CVE-2020-1695
https://access.redhat.com/security/cve/CVE-2020-1710
https://access.redhat.com/security/cve/CVE-2020-1748
https://access.redhat.com/security/cve/CVE-2020-6950
https://access.redhat.com/security/cve/CVE-2020-8840
https://access.redhat.com/security/cve/CVE-2020-9546
https://access.redhat.com/security/cve/CVE-2020-9547
https://access.redhat.com/security/cve/CVE-2020-9548
https://access.redhat.com/security/cve/CVE-2020-10672
https://access.redhat.com/security/cve/CVE-2020-10673
https://access.redhat.com/security/cve/CVE-2020-10683
https://access.redhat.com/security/cve/CVE-2020-10687
https://access.redhat.com/security/cve/CVE-2020-10693
https://access.redhat.com/security/cve/CVE-2020-10714
https://access.redhat.com/security/cve/CVE-2020-10718
https://access.redhat.com/security/cve/CVE-2020-10740
https://access.redhat.com/security/cve/CVE-2020-14297
https://access.redhat.com/security/cve/CVE-2020-14307
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/html-single/installation_guide/

  9. Contact:

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

Summary:

This is a security update for JBoss EAP Continuous Delivery 20



{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202005-1054",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "dom4j",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "dom4j",
        "version": "2.0.3"
      },
      {
        "model": "utilities framework",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "4.4.0.0.0"
      },
      {
        "model": "oncommand api services",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "netapp",
        "version": null
      },
      {
        "model": "retail order broker",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "18.0"
      },
      {
        "model": "primavera p6 enterprise project portfolio management",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "18.1.0.0"
      },
      {
        "model": "retail customer management and segmentation foundation",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "18.0"
      },
      {
        "model": "retail order broker",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "19.0"
      },
      {
        "model": "agile plm",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "9.3.5"
      },
      {
        "model": "flexcube core banking",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "11.7.0"
      },
      {
        "model": "retail order broker",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "19.1"
      },
      {
        "model": "rapid planning",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "12.2"
      },
      {
        "model": "banking platform",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "2.10.0"
      },
      {
        "model": "health sciences information manager",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "3.0.1"
      },
      {
        "model": "retail customer management and segmentation foundation",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "17.0"
      },
      {
        "model": "utilities framework",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "4.2.0.3.0"
      },
      {
        "model": "enterprise manager base platform",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "13.4.0.0"
      },
      {
        "model": "retail order broker",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "16.0"
      },
      {
        "model": "data integrator",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "12.2.1.3.0"
      },
      {
        "model": "documaker",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "12.6.4"
      },
      {
        "model": "insurance rules palette",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "11.3.0"
      },
      {
        "model": "primavera p6 enterprise project portfolio management",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "17.1.0.0"
      },
      {
        "model": "snapcenter",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "netapp",
        "version": null
      },
      {
        "model": "webcenter portal",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "12.2.1.4.0"
      },
      {
        "model": "insurance policy administration j2ee",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "11.3.0"
      },
      {
        "model": "flexcube core banking",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "11.10.0"
      },
      {
        "model": "primavera p6 enterprise project portfolio management",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "17.12.17.1"
      },
      {
        "model": "utilities framework",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "2.2.0.0.0"
      },
      {
        "model": "rapid planning",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "12.1"
      },
      {
        "model": "retail price management",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "14.1.3.0"
      },
      {
        "model": "communications diameter signaling router",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "8.2.2"
      },
      {
        "model": "retail integration bus",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "16.0"
      },
      {
        "model": "utilities framework",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "4.3.0.1.0"
      },
      {
        "model": "banking platform",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "2.4.0"
      },
      {
        "model": "dom4j",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "dom4j",
        "version": "2.1.3"
      },
      {
        "model": "financial services analytical applications infrastructure",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "8.1.0"
      },
      {
        "model": "documaker",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "12.6.0"
      },
      {
        "model": "webcenter portal",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "12.2.1.3.0"
      },
      {
        "model": "application testing suite",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "13.3.0.1"
      },
      {
        "model": "enterprise data quality",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "12.2.1.3.0"
      },
      {
        "model": "insurance rules palette",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "10.2.4"
      },
      {
        "model": "insurance rules palette",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "11.1.0"
      },
      {
        "model": "business process management suite",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "12.2.1.4.0"
      },
      {
        "model": "ubuntu linux",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "canonical",
        "version": "16.04"
      },
      {
        "model": "dom4j",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "dom4j",
        "version": "2.1.0"
      },
      {
        "model": "retail price management",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "16.0.3.0"
      },
      {
        "model": "retail order broker",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "15.0"
      },
      {
        "model": "retail customer management and segmentation foundation",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "19.0"
      },
      {
        "model": "insurance policy administration j2ee",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "10.2.4"
      },
      {
        "model": "insurance policy administration j2ee",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "11.1.0"
      },
      {
        "model": "insurance rules palette",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "10.2.0"
      },
      {
        "model": "oncommand workflow automation",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "netapp",
        "version": null
      },
      {
        "model": "utilities framework",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "4.4.0.2.0"
      },
      {
        "model": "agile plm",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "9.3.3"
      },
      {
        "model": "communications diameter signaling router",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "8.0.0"
      },
      {
        "model": "utilities framework",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "4.2.0.2.0"
      },
      {
        "model": "communications unified inventory management",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "7.3.0"
      },
      {
        "model": "insurance policy administration j2ee",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "10.2.0"
      },
      {
        "model": "webcenter portal",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "11.1.1.9.0"
      },
      {
        "model": "retail customer management and segmentation foundation",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "16.0"
      },
      {
        "model": "snapmanager",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "netapp",
        "version": null
      },
      {
        "model": "primavera p6 enterprise project portfolio management",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "19.12.0.0"
      },
      {
        "model": "storagetek tape analytics sw tool",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "2.3"
      },
      {
        "model": "retail price management",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "15.0.3.0"
      },
      {
        "model": "business process management suite",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "12.2.1.3.0"
      },
      {
        "model": "leap",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "opensuse",
        "version": "15.1"
      },
      {
        "model": "enterprise data quality",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "11.1.1.9.0"
      },
      {
        "model": "fusion middleware",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "12.2.1.4.0"
      },
      {
        "model": "endeca information discovery integrator",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "3.2.0"
      },
      {
        "model": "flexcube core banking",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "11.8.0"
      },
      {
        "model": "insurance rules palette",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "11.0.2"
      },
      {
        "model": "retail integration bus",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "15.0"
      },
      {
        "model": "retail xstore point of service",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "15.0.4"
      },
      {
        "model": "retail xstore point of service",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "18.0.3"
      },
      {
        "model": "retail xstore point of service",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "16.0.6"
      },
      {
        "model": "communications unified inventory management",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "7.4.0"
      },
      {
        "model": "snap creator framework",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "netapp",
        "version": null
      },
      {
        "model": "insurance policy administration j2ee",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "11.0.2"
      },
      {
        "model": "jdeveloper",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "12.2.1.4.0"
      },
      {
        "model": "primavera p6 enterprise project portfolio management",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "18.8.19.0"
      },
      {
        "model": "communications application session controller",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "3.9m0p1"
      },
      {
        "model": "primavera p6 enterprise project portfolio management",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "19.12.6.0"
      },
      {
        "model": "financial services analytical applications infrastructure",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "8.0.6"
      },
      {
        "model": "utilities framework",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "4.3.0.6.0"
      },
      {
        "model": "primavera p6 enterprise project portfolio management",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "16.1.0.0"
      },
      {
        "model": "health sciences empirica signal",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "9.0"
      },
      {
        "model": "data integrator",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "12.2.1.4.0"
      },
      {
        "model": "primavera p6 enterprise project portfolio management",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "16.2.20.1"
      },
      {
        "model": "retail price management",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "14.0.3"
      },
      {
        "model": "retail xstore point of service",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "17.0.4"
      },
      {
        "model": "flexcube core banking",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "11.9.0"
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2020-10683"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Red Hat",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "160562"
      },
      {
        "db": "PACKETSTORM",
        "id": "159924"
      },
      {
        "db": "PACKETSTORM",
        "id": "159083"
      },
      {
        "db": "PACKETSTORM",
        "id": "159081"
      },
      {
        "db": "PACKETSTORM",
        "id": "159015"
      },
      {
        "db": "PACKETSTORM",
        "id": "159082"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202004-1133"
      }
    ],
    "trust": 1.2
  },
  "cve": "CVE-2020-10683",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "CVE-2020-10683",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "HIGH",
            "trust": 1.1,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "VHN-163186",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "HIGH",
            "trust": 0.1,
            "vectorString": "AV:N/AC:L/AU:N/C:P/I:P/A:P",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "nvd@nist.gov",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "id": "CVE-2020-10683",
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        ],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2020-10683",
            "trust": 1.0,
            "value": "CRITICAL"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202004-1133",
            "trust": 0.6,
            "value": "CRITICAL"
          },
          {
            "author": "VULHUB",
            "id": "VHN-163186",
            "trust": 0.1,
            "value": "HIGH"
          },
          {
            "author": "VULMON",
            "id": "CVE-2020-10683",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-163186"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-10683"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202004-1133"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-10683"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j. dom4j is an open source framework for processing XML. A code issue vulnerability exists in dom4j versions prior to 2.0.3 and 2.1.x versions prior to 2.1.3. This vulnerability stems from improper design or implementation problems in the code development process of network systems or products. ==========================================================================\nUbuntu Security Notice USN-4575-1\nOctober 13, 2020\n\ndom4j vulnerability\n==========================================================================\n\nA security issue affects these releases of Ubuntu and its derivatives:\n\n- Ubuntu 16.04 LTS\n\nSummary:\n\ndom4j could be made to expose sensitive information or run programs if it\nreceived specially crafted input. \n\nSoftware Description:\n- dom4j: Flexible XML framework for Java\n\nDetails:\n\nIt was discovered that dom4j incorrectly handled reading XML data. A\nremote attacker could exploit this with a crafted XML file to expose\nsensitive data or possibly execute arbitrary code. (CVE-2020-10683)\n\nUpdate instructions:\n\nThe problem can be corrected by updating your system to the following\npackage versions:\n\nUbuntu 16.04 LTS:\n  libdom4j-java                   1.6.1+dfsg.3-2ubuntu1.1\n\nIn general, a standard system update will make all the necessary changes. \nThe purpose of this text-only errata is to inform you about the security\nissues fixed in this release. \n\nInstallation instructions are available from the Fuse 7.8.0 product\ndocumentation page:\nhttps://access.redhat.com/documentation/en-us/red_hat_fuse/7.8/\n\n4. 
Description:\n\nRed Hat Process Automation Manager is an open source business process\nmanagement suite that combines process management and decision service\nmanagement and enables business and IT users to create, manage, validate,\nand deploy process applications and decision services. \n\nThe References section of this erratum contains a download link (you must\nlog in to download the update). \n\nThe JBoss server process must be restarted for the update to take effect. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n=====================================================================\n                   Red Hat Security Advisory\n\nSynopsis:          Important: Red Hat JBoss Enterprise Application Platform 7.2.9 on RHEL 6 security update\nAdvisory ID:       RHSA-2020:3637-01\nProduct:           Red Hat JBoss Enterprise Application Platform\nAdvisory URL:      https://access.redhat.com/errata/RHSA-2020:3637\nIssue date:        2020-09-07\nCVE Names:         CVE-2019-14900 CVE-2020-1695 CVE-2020-1710 \n                   CVE-2020-1748 CVE-2020-6950 CVE-2020-8840 \n                   CVE-2020-9546 CVE-2020-9547 CVE-2020-9548 \n                   CVE-2020-10672 CVE-2020-10673 CVE-2020-10683 \n                   CVE-2020-10687 CVE-2020-10693 CVE-2020-10714 \n                   CVE-2020-10718 CVE-2020-10740 CVE-2020-14297 \n                   CVE-2020-14307 \n=====================================================================\n\n1. Summary:\n\nAn update is now available for Red Hat JBoss Enterprise Application\nPlatform 7.2 for Red Hat Enterprise Linux 6. \n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE link(s) in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat JBoss EAP 7.2 for RHEL 6 Server - noarch\n\n3. 
Description:\n\nThis release of Red Hat JBoss Enterprise Application Platform 7.2.9 serves\nas a replacement for Red Hat JBoss Enterprise Application Platform 7.2.8,\nand includes bug fixes and enhancements. See the Red Hat JBoss Enterprise\nApplication Platform 7.2.9 Release Notes for information about the most\nsignificant bug fixes and enhancements included in this release. \n\nSecurity Fix(es):\n\n* jackson-databind: Serialization gadgets in ibatis-sqlmap (CVE-2020-9547)\n\n* jackson-databind: Lacks certain xbean-reflect/JNDI blocking\n(CVE-2020-8840)\n\n* jackson-databind: Serialization gadgets in anteros-core (CVE-2020-9548)\n\n* jackson-databind: mishandles the interaction between serialization\ngadgets and typing which could result in remote command execution\n(CVE-2020-10672)\n\n* jackson-databind: mishandles the interaction between serialization\ngadgets and typing which could result in remote command execution\n(CVE-2020-10673)\n\n* jackson-databind: Serialization gadgets in shaded-hikari-config\n(CVE-2020-9546)\n\n* undertow: EAP: field-name is not parsed in accordance to RFC7230\n(CVE-2020-1710)\n\n* wildfly-undertow: Undertow: Incomplete fix for CVE-2017-2666 due to\npermitting invalid characters in HTTP requests (CVE-2020-10687)\n\n* jsf-impl: Mojarra: Path traversal via either the loc parameter or the con\nparameter, incomplete fix of CVE-2018-14371 (CVE-2020-6950)\n\n* resteasy-jaxrs: resteasy: Improper validation of response header in\nMediaTypeHeaderDelegate.java class (CVE-2020-1695)\n\n* wildfly-elytron: session fixation when using FORM authentication\n(CVE-2020-10714)\n\n* dom4j: XML External Entity vulnerability in default SAX parser\n(CVE-2020-10683)\n\n* wildfly: Improper authorization issue in WildFlySecurityManager when\nusing alternative protection domain (CVE-2020-1748)\n\n* hibernate-validator: Improper input validation in the interpolation of\nconstraint error messages (CVE-2020-10693)\n\n* hibernate-core: hibernate: SQL injection 
issue in Hibernate ORM\n(CVE-2019-14900)\n\n* wildfly: exposed setting of TCCL via the EmbeddedManagedProcess API\n(CVE-2020-10718)\n\n\u2022 wildfly: unsafe deserialization in Wildfly Enterprise Java Beans\n(CVE-2020-10740)\n\n* jboss-ejb-client: wildfly: EJB SessionOpenInvocations may not be removed\nproperly after a response is received causing Denial of Service\n(CVE-2020-14307)\n\n* jboss-ejb-client: wildfly: Some EJB transaction objects may get\naccumulated causing Denial of Service (CVE-2020-14297)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, and other related information, see the CVE page(s) listed in the\nReferences section. \n\n4. Solution:\n\nBefore applying this update, back up your existing Red Hat JBoss Enterprise\nApplication Platform installation and deployed applications. \n\nFor details about how to apply this update, which includes the changes\ndescribed in this advisory, see:\n\nhttps://access.redhat.com/articles/11258\n\n5. Bugs fixed (https://bugzilla.redhat.com/):\n\n1666499 - CVE-2019-14900 hibernate: SQL injection issue in Hibernate ORM\n1694235 - CVE-2020-10683 dom4j: XML External Entity vulnerability in default SAX parser\n1730462 - CVE-2020-1695 resteasy: Improper validation of response header in MediaTypeHeaderDelegate.java class\n1785049 - CVE-2020-10687 Undertow: Incomplete fix for CVE-2017-2666 due to permitting invalid characters in HTTP requests\n1793970 - CVE-2020-1710 EAP: field-name is not parsed in accordance to RFC7230\n1805006 - CVE-2020-6950 Mojarra: Path traversal via either the loc parameter or the con parameter, incomplete fix of CVE-2018-14371\n1805501 - CVE-2020-10693 hibernate-validator: Improper input validation in the interpolation of constraint error messages\n1807707 - CVE-2020-1748 Wildfly: Improper authorization issue in WildFlySecurityManager when using alternative protection domain\n1815470 - CVE-2020-10673 jackson-databind: mishandles the interaction between 
serialization gadgets and typing which could result in remote command execution\n1815495 - CVE-2020-10672 jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution\n1816330 - CVE-2020-8840 jackson-databind: Lacks certain xbean-reflect/JNDI blocking\n1816332 - CVE-2020-9546 jackson-databind: Serialization gadgets in shaded-hikari-config\n1816337 - CVE-2020-9547 jackson-databind: Serialization gadgets in ibatis-sqlmap\n1816340 - CVE-2020-9548 jackson-databind: Serialization gadgets in anteros-core\n1825714 - CVE-2020-10714 wildfly-elytron: session fixation when using FORM authentication\n1828476 - CVE-2020-10718 wildfly: exposed setting of TCCL via the EmbeddedManagedProcess API\n1834512 - CVE-2020-10740 wildfly: unsafe deserialization in Wildfly Enterprise Java Beans\n1851327 - CVE-2020-14307 wildfly: EJB SessionOpenInvocations may not be removed properly after a response is received causing Denial of Service\n1853595 - CVE-2020-14297 wildfly: Some EJB transaction objects may get accumulated causing Denial of Service\n\n6. 
JIRA issues fixed (https://issues.jboss.org/):\n\nJBEAP-18366 - [GSS](7.2.z) Upgrade Hibernate ORM from 5.3.15 to 5.3.16\nJBEAP-18667 - [GSS](7.2.z) Upgrade wildfly-http-client from 1.0.20.Final-redhat-00001 to 1.0.21.Final-redhat-00001\nJBEAP-18849 - [GSS](7.2.z) Upgrade RESTEasy from 3.6.1.SP8 to 3.6.1.SP9\nJBEAP-18880 - [GSS](7.2.z) Upgrade JSF based on Mojarra 2.3.5.SP3-redhat-00009 to 2.3.5.SP4-redhat-00001\nJBEAP-18906 - [GSS](7.2.z) Upgrade weld from 3.0.6.Final-redhat-00003 to 3.0.7.Final-redhat-00001\nJBEAP-18919 - [GSS](7.2.z) Upgrade HAL from 3.0.21.Final to 3.0.22.Final\nJBEAP-18965 - (7.2.z) Upgrade IronJacamar from 1.4.20.Final to 1.4.21.Final\nJBEAP-19038 - Tracker bug for the EAP 7.2.9 release for RHEL-6\nJBEAP-19058 - [GSS] (7.2.z) Upgrade Undertow from 2.0.30.SP1-redhat-00001 to 2.0.30.SP2-redhat-00001\nJBEAP-19120 - [GSS](7.2.z) Upgrade org.jboss.genericjms from 2.0.2.Final-redhat-00001 to 2.0.4.Final-redhat-00001\nJBEAP-19163 - [GSS](7.2.z) Upgrade Infinispan from 9.3.8.Final-redhat-00001 to 9.3.9.Final-redhat-00001\nJBEAP-19255 - (7.2.z) Upgrade jboss-logmanager from 2.1.14.Final to 2.1.15.Final\nJBEAP-19271 - (7.2.z) Upgrade WildFly Core from 6.0.27.Final-redhat-00001 to 6.0.28.Final-redhat-00001\nJBEAP-19315 - [GSS](7.2.z) Upgrade XNIO from 3.7.6.SP2 to 3.7.6.SP3\nJBEAP-19463 - (7.2.z) Upgrade wildfly-transaction-client from 1.1.10.Final-redhat-00001 to 1.1.11.Final-redhat-00001\nJBEAP-19565 - (7.2.z) Upgrade jboss-ejb-client from 4.0.31.Final-redhat-00001 to 4.0.33.Final-redhat-00001\nJBEAP-19587 - [GSS](7.2.z) Upgrade org.jboss.genericjms from 2.0.2.Final-redhat-00001 to 2.0.6.Final-redhat-00001\nJBEAP-19620 - (7.2.z) Upgrade JBoss JSF API from 2.3.5.SP2-redhat-00003 to 2.3.5.SP2-redhat-00005\nJBEAP-19624 - (7.2.z) Upgrade wildfly-naming-client from 1.0.12.Final-redhat-00001 to 1.0.13.Final-redhat-00001\nJBEAP-19703 - [GSS](7.2.z) Upgrade JBoss Modules from 1.8.9 to 1.8.10\nJBEAP-19704 - (7.2.z) Upgrade WildFly Core from 
6.0.28.Final-redhat-00001 to 6.0.29.Final-redhat-00001\nJBEAP-19798 - [GSS](7.2.z) Upgrade HAL from 3.0.22.Final to 3.0.23.Final\nJBEAP-19837 - (7.2.z) Upgrade WildFly Core from 6.0.29.Final-redhat-00001 to 6.0.30.Final-redhat-00001\nJBEAP-19875 - [GSS](7.2.z) Upgrade wildfly-http-ejb-client from 1.0.21.Final to 1.0.22.Final\n\n7. Package List:\n\nRed Hat JBoss EAP 7.2 for RHEL 6 Server:\n\nSource:\neap7-dom4j-2.1.3-1.redhat_00001.1.el6eap.src.rpm\neap7-elytron-web-1.2.5-1.Final_redhat_00001.1.el6eap.src.rpm\neap7-glassfish-jsf-2.3.5-13.SP3_redhat_00011.1.el6eap.src.rpm\neap7-hal-console-3.0.23-1.Final_redhat_00001.1.el6eap.src.rpm\neap7-hibernate-5.3.17-1.Final_redhat_00001.1.el6eap.src.rpm\neap7-hibernate-validator-6.0.20-1.Final_redhat_00001.1.el6eap.src.rpm\neap7-ironjacamar-1.4.22-1.Final_redhat_00001.1.el6eap.src.rpm\neap7-jackson-databind-2.9.10.4-1.redhat_00001.1.el6eap.src.rpm\neap7-jboss-genericjms-2.0.6-1.Final_redhat_00001.1.el6eap.src.rpm\neap7-jboss-jsf-api_2.3_spec-2.3.5-7.SP2_redhat_00005.1.el6eap.src.rpm\neap7-jboss-logmanager-2.1.15-1.Final_redhat_00001.1.el6eap.src.rpm\neap7-jboss-modules-1.8.10-1.Final_redhat_00001.1.el6eap.src.rpm\neap7-jboss-server-migration-1.3.1-13.Final_redhat_00014.1.el6eap.src.rpm\neap7-jboss-xnio-base-3.7.6-4.SP3_redhat_00001.1.el6eap.src.rpm\neap7-resteasy-3.6.1-10.SP9_redhat_00001.1.el6eap.src.rpm\neap7-undertow-2.0.30-4.SP4_redhat_00001.1.el6eap.src.rpm\neap7-weld-core-3.0.6-4.Final_redhat_00004.1.el6eap.src.rpm\neap7-wildfly-7.2.9-4.GA_redhat_00003.1.el6eap.src.rpm\neap7-wildfly-elytron-1.6.8-1.Final_redhat_00001.1.el6eap.src.rpm\neap7-wildfly-http-client-1.0.22-1.Final_redhat_00001.1.el6eap.src.rpm\neap7-wildfly-transaction-client-1.1.11-1.Final_redhat_00001.1.el6eap.src.rpm\n\nnoarch:\neap7-dom4j-2.1.3-1.redhat_00001.1.el6eap.noarch.rpm\neap7-glassfish-jsf-2.3.5-13.SP3_redhat_00011.1.el6eap.noarch.rpm\neap7-hal-console-3.0.23-1.Final_redhat_00001.1.el6eap.noarch.rpm\neap7-hibernate-5.3.17-1.Final_redhat_00001.1.el6e
ap.noarch.rpm\neap7-hibernate-core-5.3.17-1.Final_redhat_00001.1.el6eap.noarch.rpm\neap7-hibernate-entitymanager-5.3.17-1.Final_redhat_00001.1.el6eap.noarch.rpm\neap7-hibernate-envers-5.3.17-1.Final_redhat_00001.1.el6eap.noarch.rpm\neap7-hibernate-java8-5.3.17-1.Final_redhat_00001.1.el6eap.noarch.rpm\neap7-hibernate-validator-6.0.20-1.Final_redhat_00001.1.el6eap.noarch.rpm\neap7-hibernate-validator-cdi-6.0.20-1.Final_redhat_00001.1.el6eap.noarch.rpm\neap7-ironjacamar-1.4.22-1.Final_redhat_00001.1.el6eap.noarch.rpm\neap7-ironjacamar-common-api-1.4.22-1.Final_redhat_00001.1.el6eap.noarch.rpm\neap7-ironjacamar-common-impl-1.4.22-1.Final_redhat_00001.1.el6eap.noarch.rpm\neap7-ironjacamar-common-spi-1.4.22-1.Final_redhat_00001.1.el6eap.noarch.rpm\neap7-ironjacamar-core-api-1.4.22-1.Final_redhat_00001.1.el6eap.noarch.rpm\neap7-ironjacamar-core-impl-1.4.22-1.Final_redhat_00001.1.el6eap.noarch.rpm\neap7-ironjacamar-deployers-common-1.4.22-1.Final_redhat_00001.1.el6eap.noarch.rpm\neap7-ironjacamar-jdbc-1.4.22-1.Final_redhat_00001.1.el6eap.noarch.rpm\neap7-ironjacamar-validator-1.4.22-1.Final_redhat_00001.1.el6eap.noarch.rpm\neap7-jackson-databind-2.9.10.4-1.redhat_00001.1.el6eap.noarch.rpm\neap7-jboss-genericjms-2.0.6-1.Final_redhat_00001.1.el6eap.noarch.rpm\neap7-jboss-jsf-api_2.3_spec-2.3.5-7.SP2_redhat_00005.1.el6eap.noarch.rpm\neap7-jboss-logmanager-2.1.15-1.Final_redhat_00001.1.el6eap.noarch.rpm\neap7-jboss-modules-1.8.10-1.Final_redhat_00001.1.el6eap.noarch.rpm\neap7-jboss-server-migration-1.3.1-13.Final_redhat_00014.1.el6eap.noarch.rpm\neap7-jboss-server-migration-cli-1.3.1-13.Final_redhat_00014.1.el6eap.noarch.rpm\neap7-jboss-server-migration-core-1.3.1-13.Final_redhat_00014.1.el6eap.noarch.rpm\neap7-jboss-server-migration-eap6.4-1.3.1-13.Final_redhat_00014.1.el6eap.noarch.rpm\neap7-jboss-server-migration-eap6.4-to-eap7.2-1.3.1-13.Final_redhat_00014.1.el6eap.noarch.rpm\neap7-jboss-server-migration-eap7.0-1.3.1-13.Final_redhat_00014.1.el6eap.noarch.rpm\neap7-jboss-ser
ver-migration-eap7.0-to-eap7.2-1.3.1-13.Final_redhat_00014.1.el6eap.noarch.rpm\neap7-jboss-server-migration-eap7.1-1.3.1-13.Final_redhat_00014.1.el6eap.noarch.rpm\neap7-jboss-server-migration-eap7.1-to-eap7.2-1.3.1-13.Final_redhat_00014.1.el6eap.noarch.rpm\neap7-jboss-server-migration-eap7.2-1.3.1-13.Final_redhat_00014.1.el6eap.noarch.rpm\neap7-jboss-server-migration-wildfly10.0-1.3.1-13.Final_redhat_00014.1.el6eap.noarch.rpm\neap7-jboss-server-migration-wildfly10.0-to-eap7.2-1.3.1-13.Final_redhat_00014.1.el6eap.noarch.rpm\neap7-jboss-server-migration-wildfly10.1-1.3.1-13.Final_redhat_00014.1.el6eap.noarch.rpm\neap7-jboss-server-migration-wildfly10.1-to-eap7.2-1.3.1-13.Final_redhat_00014.1.el6eap.noarch.rpm\neap7-jboss-server-migration-wildfly11.0-1.3.1-13.Final_redhat_00014.1.el6eap.noarch.rpm\neap7-jboss-server-migration-wildfly11.0-to-eap7.2-1.3.1-13.Final_redhat_00014.1.el6eap.noarch.rpm\neap7-jboss-server-migration-wildfly12.0-1.3.1-13.Final_redhat_00014.1.el6eap.noarch.rpm\neap7-jboss-server-migration-wildfly12.0-to-eap7.2-1.3.1-13.Final_redhat_00014.1.el6eap.noarch.rpm\neap7-jboss-server-migration-wildfly13.0-server-1.3.1-13.Final_redhat_00014.1.el6eap.noarch.rpm\neap7-jboss-server-migration-wildfly14.0-server-1.3.1-13.Final_redhat_00014.1.el6eap.noarch.rpm\neap7-jboss-server-migration-wildfly8.2-1.3.1-13.Final_redhat_00014.1.el6eap.noarch.rpm\neap7-jboss-server-migration-wildfly8.2-to-eap7.2-1.3.1-13.Final_redhat_00014.1.el6eap.noarch.rpm\neap7-jboss-server-migration-wildfly9.0-1.3.1-13.Final_redhat_00014.1.el6eap.noarch.rpm\neap7-jboss-server-migration-wildfly9.0-to-eap7.2-1.3.1-13.Final_redhat_00014.1.el6eap.noarch.rpm\neap7-jboss-xnio-base-3.7.6-4.SP3_redhat_00001.1.el6eap.noarch.rpm\neap7-resteasy-3.6.1-10.SP9_redhat_00001.1.el6eap.noarch.rpm\neap7-resteasy-atom-provider-3.6.1-10.SP9_redhat_00001.1.el6eap.noarch.rpm\neap7-resteasy-cdi-3.6.1-10.SP9_redhat_00001.1.el6eap.noarch.rpm\neap7-resteasy-client-3.6.1-10.SP9_redhat_00001.1.el6eap.noarch.rpm\neap7-r
esteasy-client-microprofile-3.6.1-10.SP9_redhat_00001.1.el6eap.noarch.rpm\neap7-resteasy-crypto-3.6.1-10.SP9_redhat_00001.1.el6eap.noarch.rpm\neap7-resteasy-jackson-provider-3.6.1-10.SP9_redhat_00001.1.el6eap.noarch.rpm\neap7-resteasy-jackson2-provider-3.6.1-10.SP9_redhat_00001.1.el6eap.noarch.rpm\neap7-resteasy-jaxb-provider-3.6.1-10.SP9_redhat_00001.1.el6eap.noarch.rpm\neap7-resteasy-jaxrs-3.6.1-10.SP9_redhat_00001.1.el6eap.noarch.rpm\neap7-resteasy-jettison-provider-3.6.1-10.SP9_redhat_00001.1.el6eap.noarch.rpm\neap7-resteasy-jose-jwt-3.6.1-10.SP9_redhat_00001.1.el6eap.noarch.rpm\neap7-resteasy-jsapi-3.6.1-10.SP9_redhat_00001.1.el6eap.noarch.rpm\neap7-resteasy-json-binding-provider-3.6.1-10.SP9_redhat_00001.1.el6eap.noarch.rpm\neap7-resteasy-json-p-provider-3.6.1-10.SP9_redhat_00001.1.el6eap.noarch.rpm\neap7-resteasy-multipart-provider-3.6.1-10.SP9_redhat_00001.1.el6eap.noarch.rpm\neap7-resteasy-rxjava2-3.6.1-10.SP9_redhat_00001.1.el6eap.noarch.rpm\neap7-resteasy-spring-3.6.1-10.SP9_redhat_00001.1.el6eap.noarch.rpm\neap7-resteasy-validator-provider-11-3.6.1-10.SP9_redhat_00001.1.el6eap.noarch.rpm\neap7-resteasy-yaml-provider-3.6.1-10.SP9_redhat_00001.1.el6eap.noarch.rpm\neap7-undertow-2.0.30-4.SP4_redhat_00001.1.el6eap.noarch.rpm\neap7-undertow-server-1.2.5-1.Final_redhat_00001.1.el6eap.noarch.rpm\neap7-weld-core-3.0.6-4.Final_redhat_00004.1.el6eap.noarch.rpm\neap7-weld-core-impl-3.0.6-4.Final_redhat_00004.1.el6eap.noarch.rpm\neap7-weld-core-jsf-3.0.6-4.Final_redhat_00004.1.el6eap.noarch.rpm\neap7-weld-ejb-3.0.6-4.Final_redhat_00004.1.el6eap.noarch.rpm\neap7-weld-jta-3.0.6-4.Final_redhat_00004.1.el6eap.noarch.rpm\neap7-weld-probe-core-3.0.6-4.Final_redhat_00004.1.el6eap.noarch.rpm\neap7-weld-web-3.0.6-4.Final_redhat_00004.1.el6eap.noarch.rpm\neap7-wildfly-7.2.9-4.GA_redhat_00003.1.el6eap.noarch.rpm\neap7-wildfly-elytron-1.6.8-1.Final_redhat_00001.1.el6eap.noarch.rpm\neap7-wildfly-http-client-common-1.0.22-1.Final_redhat_00001.1.el6eap.noarch.rpm\neap7-wildfly-htt
p-ejb-client-1.0.22-1.Final_redhat_00001.1.el6eap.noarch.rpm\neap7-wildfly-http-naming-client-1.0.22-1.Final_redhat_00001.1.el6eap.noarch.rpm\neap7-wildfly-http-transaction-client-1.0.22-1.Final_redhat_00001.1.el6eap.noarch.rpm\neap7-wildfly-javadocs-7.2.9-4.GA_redhat_00003.1.el6eap.noarch.rpm\neap7-wildfly-modules-7.2.9-4.GA_redhat_00003.1.el6eap.noarch.rpm\neap7-wildfly-transaction-client-1.1.11-1.Final_redhat_00001.1.el6eap.noarch.rpm\n\nThese packages are GPG signed by Red Hat for security.  Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n8. References:\n\nhttps://access.redhat.com/security/cve/CVE-2019-14900\nhttps://access.redhat.com/security/cve/CVE-2020-1695\nhttps://access.redhat.com/security/cve/CVE-2020-1710\nhttps://access.redhat.com/security/cve/CVE-2020-1748\nhttps://access.redhat.com/security/cve/CVE-2020-6950\nhttps://access.redhat.com/security/cve/CVE-2020-8840\nhttps://access.redhat.com/security/cve/CVE-2020-9546\nhttps://access.redhat.com/security/cve/CVE-2020-9547\nhttps://access.redhat.com/security/cve/CVE-2020-9548\nhttps://access.redhat.com/security/cve/CVE-2020-10672\nhttps://access.redhat.com/security/cve/CVE-2020-10673\nhttps://access.redhat.com/security/cve/CVE-2020-10683\nhttps://access.redhat.com/security/cve/CVE-2020-10687\nhttps://access.redhat.com/security/cve/CVE-2020-10693\nhttps://access.redhat.com/security/cve/CVE-2020-10714\nhttps://access.redhat.com/security/cve/CVE-2020-10718\nhttps://access.redhat.com/security/cve/CVE-2020-10740\nhttps://access.redhat.com/security/cve/CVE-2020-14297\nhttps://access.redhat.com/security/cve/CVE-2020-14307\nhttps://access.redhat.com/security/updates/classification/#important\nhttps://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/\nhttps://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/html-single/installation_guide/\n\n9. 
Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2020 Red Hat, Inc. \n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n. Summary:\n\nThis is a security update for JBoss EAP Continuous Delivery 20",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2020-10683"
      },
      {
        "db": "VULHUB",
        "id": "VHN-163186"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-10683"
      },
      {
        "db": "PACKETSTORM",
        "id": "159544"
      },
      {
        "db": "PACKETSTORM",
        "id": "160562"
      },
      {
        "db": "PACKETSTORM",
        "id": "159924"
      },
      {
        "db": "PACKETSTORM",
        "id": "159083"
      },
      {
        "db": "PACKETSTORM",
        "id": "159081"
      },
      {
        "db": "PACKETSTORM",
        "id": "159015"
      },
      {
        "db": "PACKETSTORM",
        "id": "159082"
      }
    ],
    "trust": 1.71
  },
  "exploit_availability": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "reference": "https://www.scap.org.cn/vuln/vhn-163186",
        "trust": 0.1,
        "type": "unknown"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-163186"
      }
    ]
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2020-10683",
        "trust": 2.5
      },
      {
        "db": "PACKETSTORM",
        "id": "159083",
        "trust": 0.8
      },
      {
        "db": "PACKETSTORM",
        "id": "160562",
        "trust": 0.8
      },
      {
        "db": "PACKETSTORM",
        "id": "159544",
        "trust": 0.8
      },
      {
        "db": "PACKETSTORM",
        "id": "159015",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202004-1133",
        "trust": 0.7
      },
      {
        "db": "PACKETSTORM",
        "id": "159921",
        "trust": 0.7
      },
      {
        "db": "PACKETSTORM",
        "id": "158891",
        "trust": 0.7
      },
      {
        "db": "PACKETSTORM",
        "id": "158916",
        "trust": 0.7
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2020.2837",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2020.4464",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2020.2087",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2020.2826",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2020.1581",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2023.3781",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2020.3894",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2020.2992",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2020.3742",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2020.3513",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2020.3065",
        "trust": 0.6
      },
      {
        "db": "CS-HELP",
        "id": "SB2021042542",
        "trust": 0.6
      },
      {
        "db": "CS-HELP",
        "id": "SB2021072165",
        "trust": 0.6
      },
      {
        "db": "CS-HELP",
        "id": "SB2022072096",
        "trust": 0.6
      },
      {
        "db": "CS-HELP",
        "id": "SB2021042642",
        "trust": 0.6
      },
      {
        "db": "CS-HELP",
        "id": "SB2021072747",
        "trust": 0.6
      },
      {
        "db": "NSFOCUS",
        "id": "47453",
        "trust": 0.6
      },
      {
        "db": "PACKETSTORM",
        "id": "159081",
        "trust": 0.2
      },
      {
        "db": "PACKETSTORM",
        "id": "159924",
        "trust": 0.2
      },
      {
        "db": "PACKETSTORM",
        "id": "159082",
        "trust": 0.2
      },
      {
        "db": "PACKETSTORM",
        "id": "158881",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "159080",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "158889",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "158884",
        "trust": 0.1
      },
      {
        "db": "CNVD",
        "id": "CNVD-2020-33467",
        "trust": 0.1
      },
      {
        "db": "VULHUB",
        "id": "VHN-163186",
        "trust": 0.1
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-10683",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-163186"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-10683"
      },
      {
        "db": "PACKETSTORM",
        "id": "159544"
      },
      {
        "db": "PACKETSTORM",
        "id": "160562"
      },
      {
        "db": "PACKETSTORM",
        "id": "159924"
      },
      {
        "db": "PACKETSTORM",
        "id": "159083"
      },
      {
        "db": "PACKETSTORM",
        "id": "159081"
      },
      {
        "db": "PACKETSTORM",
        "id": "159015"
      },
      {
        "db": "PACKETSTORM",
        "id": "159082"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202004-1133"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-10683"
      }
    ]
  },
  "id": "VAR-202005-1054",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-163186"
      }
    ],
    "trust": 0.01
  },
  "last_update_date": "2024-09-19T21:52:11.531000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "dom4j Fixes for code issue vulnerabilities",
        "trust": 0.6,
        "url": "http://123.124.177.30/web/xxk/bdxqById.tag?id=116859"
      },
      {
        "title": "Debian CVElist Bug Report Logs: dom4j: CVE-2020-10683: XML External Entity vulnerability in default SAX parser",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=92018ce9305762cd7f6c51b2cc808332"
      },
      {
        "title": "Red Hat: Moderate: Red Hat Decision Manager 7.9.0 security update",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20204960 - Security Advisory"
      },
      {
        "title": "Red Hat: Moderate: Red Hat Process Automation Manager 7.9.0 security update",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20204961 - Security Advisory"
      },
      {
        "title": "Red Hat: Important: Red Hat JBoss Enterprise Application Platform 7.3.2 security update",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20203463 - Security Advisory"
      },
      {
        "title": "Red Hat: Important: Red Hat JBoss Enterprise Application Platform 7.3.2 security update",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20203461 - Security Advisory"
      },
      {
        "title": "Red Hat: Important: Red Hat JBoss Enterprise Application Platform 7.3.2 security update",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20203462 - Security Advisory"
      },
      {
        "title": "Red Hat: Important: Red Hat JBoss Enterprise Application Platform 7.3.2 security update",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20203464 - Security Advisory"
      },
      {
        "title": "Red Hat: Important: EAP Continuous Delivery Technical Preview Release 20 security update",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20203585 - Security Advisory"
      },
      {
        "title": "Red Hat: Important: Red Hat Single Sign-On 7.4.2 security update",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20203501 - Security Advisory"
      },
      {
        "title": "Red Hat: Important: Red Hat JBoss Enterprise Application Platform 7.2.9 on RHEL 6 security update",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20203637 - Security Advisory"
      },
      {
        "title": "Red Hat: Important: Red Hat JBoss Enterprise Application Platform 7.2.9 on RHEL 8 security update",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20203639 - Security Advisory"
      },
      {
        "title": "Red Hat: Important: Red Hat JBoss Enterprise Application Platform 7.2.9 security update",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20203642 - Security Advisory"
      },
      {
        "title": "Red Hat: Important: Red Hat JBoss Enterprise Application Platform 7.2.9 on RHEL 7 security update",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20203638 - Security Advisory"
      },
      {
        "title": "Red Hat: Important: Red Hat Fuse 7.8.0 release and security update",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20205568 - Security Advisory"
      },
      {
        "title": "PHunter",
        "trust": 0.1,
        "url": "https://github.com/Anonymous-Phunter/PHunter "
      },
      {
        "title": "PHunter",
        "trust": 0.1,
        "url": "https://github.com/CGCL-codes/PHunter "
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2020-10683"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202004-1133"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-611",
        "trust": 1.1
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-163186"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-10683"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.4,
        "url": "https://www.oracle.com/security-alerts/cpuapr2021.html"
      },
      {
        "trust": 2.4,
        "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
      },
      {
        "trust": 2.4,
        "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
      },
      {
        "trust": 2.4,
        "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
      },
      {
        "trust": 2.4,
        "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
      },
      {
        "trust": 1.8,
        "url": "https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658"
      },
      {
        "trust": 1.8,
        "url": "https://github.com/dom4j/dom4j/releases/tag/version-2.1.3"
      },
      {
        "trust": 1.8,
        "url": "https://security.netapp.com/advisory/ntap-20200518-0002/"
      },
      {
        "trust": 1.8,
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1694235"
      },
      {
        "trust": 1.8,
        "url": "https://cheatsheetseries.owasp.org/cheatsheets/xml_external_entity_prevention_cheat_sheet.html"
      },
      {
        "trust": 1.8,
        "url": "https://github.com/dom4j/dom4j/commits/version-2.0.3"
      },
      {
        "trust": 1.8,
        "url": "https://github.com/dom4j/dom4j/issues/87"
      },
      {
        "trust": 1.8,
        "url": "https://www.oracle.com//security-alerts/cpujul2021.html"
      },
      {
        "trust": 1.8,
        "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
      },
      {
        "trust": 1.8,
        "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
      },
      {
        "trust": 1.8,
        "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00061.html"
      },
      {
        "trust": 1.8,
        "url": "https://usn.ubuntu.com/4575-1/"
      },
      {
        "trust": 1.3,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-10683"
      },
      {
        "trust": 1.2,
        "url": "https://access.redhat.com/security/cve/cve-2020-10683"
      },
      {
        "trust": 1.1,
        "url": "https://lists.apache.org/thread.html/r51f3f9801058e47153c0ad9bc6209d57a592fc0e7aefd787760911b8%40%3cdev.velocity.apache.org%3e"
      },
      {
        "trust": 1.1,
        "url": "https://lists.apache.org/thread.html/r91c64cd51e68e97d524395474eaa25362d564572276b9917fcbf5c32%40%3cdev.velocity.apache.org%3e"
      },
      {
        "trust": 1.1,
        "url": "https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51%40%3cnotifications.freemarker.apache.org%3e"
      },
      {
        "trust": 0.7,
        "url": "https://lists.apache.org/thread.html/rb1b990d7920ae0d50da5109b73b92bab736d46c9788dd4b135cb1a51@%3cnotifications.freemarker.apache.org%3e"
      },
      {
        "trust": 0.7,
        "url": "https://lists.apache.org/thread.html/r91c64cd51e68e97d524395474eaa25362d564572276b9917fcbf5c32@%3cdev.velocity.apache.org%3e"
      },
      {
        "trust": 0.7,
        "url": "https://lists.apache.org/thread.html/r51f3f9801058e47153c0ad9bc6209d57a592fc0e7aefd787760911b8@%3cdev.velocity.apache.org%3e"
      },
      {
        "trust": 0.6,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-14900"
      },
      {
        "trust": 0.6,
        "url": "https://access.redhat.com/security/team/contact/"
      },
      {
        "trust": 0.6,
        "url": "https://www.redhat.com/mailman/listinfo/rhsa-announce"
      },
      {
        "trust": 0.6,
        "url": "https://bugzilla.redhat.com/):"
      },
      {
        "trust": 0.6,
        "url": "https://access.redhat.com/security/cve/cve-2019-14900"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2020.3513/"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2023.3781"
      },
      {
        "trust": 0.6,
        "url": "https://packetstormsecurity.com/files/160562/red-hat-security-advisory-2020-5568-01.html"
      },
      {
        "trust": 0.6,
        "url": "https://www.cybersecurity-help.cz/vdb/sb2022072096"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2020.2992/"
      },
      {
        "trust": 0.6,
        "url": "https://packetstormsecurity.com/files/159544/ubuntu-security-notice-usn-4575-1.html"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2020.4464/"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2020.2087/"
      },
      {
        "trust": 0.6,
        "url": "https://packetstormsecurity.com/files/159015/red-hat-security-advisory-2020-3585-01.html"
      },
      {
        "trust": 0.6,
        "url": "https://www.cybersecurity-help.cz/vdb/sb2021072165"
      },
      {
        "trust": 0.6,
        "url": "https://packetstormsecurity.com/files/159921/red-hat-security-advisory-2020-4960-01.html"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2020.2837/"
      },
      {
        "trust": 0.6,
        "url": "https://www.ibm.com/support/pages/node/6525182"
      },
      {
        "trust": 0.6,
        "url": "https://www.oracle.com/security-alerts/cpujul2021.html"
      },
      {
        "trust": 0.6,
        "url": "https://packetstormsecurity.com/files/158916/red-hat-security-advisory-2020-3501-01.html"
      },
      {
        "trust": 0.6,
        "url": "http://www.nsfocus.net/vulndb/47453"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2020.3894/"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2020.1581/"
      },
      {
        "trust": 0.6,
        "url": "https://www.ibm.com/blogs/psirt/security-bulletinibm-resilient-soar-is-using-components-with-known-vulnerabilities-dom4j-cve-2020-10683/"
      },
      {
        "trust": 0.6,
        "url": "https://packetstormsecurity.com/files/158891/red-hat-security-advisory-2020-3463-01.html"
      },
      {
        "trust": 0.6,
        "url": "https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-jquery-spring-dom4j-mongodb-linux-kernel-targetcli-fb-jackson-node-js-and-apache-commons-affect-ibm-spectrum-protect-plus/"
      },
      {
        "trust": 0.6,
        "url": "https://www.cybersecurity-help.cz/vdb/sb2021042542"
      },
      {
        "trust": 0.6,
        "url": "https://www.cybersecurity-help.cz/vdb/sb2021072747"
      },
      {
        "trust": 0.6,
        "url": "https://www.cybersecurity-help.cz/vdb/sb2021042642"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2020.2826/"
      },
      {
        "trust": 0.6,
        "url": "https://vigilance.fr/vulnerability/dom4j-external-xml-entity-injection-via-saxreader-32161"
      },
      {
        "trust": 0.6,
        "url": "https://www.ibm.com/blogs/psirt/security-bulletin-dom4j-as-used-by-ibm-qradar-siem-contains-multiple-vulnerabilities-cve-2018-1000632-cve-2020-10683/"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2020.3742/"
      },
      {
        "trust": 0.6,
        "url": "https://packetstormsecurity.com/files/159083/red-hat-security-advisory-2020-3642-01.html"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2020.3065/"
      },
      {
        "trust": 0.5,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-10740"
      },
      {
        "trust": 0.5,
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "trust": 0.5,
        "url": "https://access.redhat.com/security/cve/cve-2020-10740"
      },
      {
        "trust": 0.5,
        "url": "https://access.redhat.com/security/cve/cve-2020-10714"
      },
      {
        "trust": 0.5,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-10714"
      },
      {
        "trust": 0.4,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-10693"
      },
      {
        "trust": 0.4,
        "url": "https://access.redhat.com/security/cve/cve-2020-10693"
      },
      {
        "trust": 0.4,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-1748"
      },
      {
        "trust": 0.4,
        "url": "https://access.redhat.com/security/cve/cve-2020-1748"
      },
      {
        "trust": 0.4,
        "url": "https://access.redhat.com/security/cve/cve-2020-6950"
      },
      {
        "trust": 0.4,
        "url": "https://access.redhat.com/security/cve/cve-2020-10673"
      },
      {
        "trust": 0.4,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-6950"
      },
      {
        "trust": 0.4,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-10673"
      },
      {
        "trust": 0.3,
        "url": "https://issues.jboss.org/):"
      },
      {
        "trust": 0.3,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-1710"
      },
      {
        "trust": 0.3,
        "url": "https://access.redhat.com/security/cve/cve-2020-9547"
      },
      {
        "trust": 0.3,
        "url": "https://access.redhat.com/security/cve/cve-2020-1695"
      },
      {
        "trust": 0.3,
        "url": "https://access.redhat.com/security/cve/cve-2020-9546"
      },
      {
        "trust": 0.3,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-9547"
      },
      {
        "trust": 0.3,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-14297"
      },
      {
        "trust": 0.3,
        "url": "https://access.redhat.com/security/cve/cve-2020-10672"
      },
      {
        "trust": 0.3,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-10687"
      },
      {
        "trust": 0.3,
        "url": "https://access.redhat.com/security/cve/cve-2020-9548"
      },
      {
        "trust": 0.3,
        "url": "https://access.redhat.com/security/cve/cve-2020-14297"
      },
      {
        "trust": 0.3,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-1695"
      },
      {
        "trust": 0.3,
        "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/html-single/installation_guide/"
      },
      {
        "trust": 0.3,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-9548"
      },
      {
        "trust": 0.3,
        "url": "https://access.redhat.com/security/cve/cve-2020-8840"
      },
      {
        "trust": 0.3,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-10672"
      },
      {
        "trust": 0.3,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-9546"
      },
      {
        "trust": 0.3,
        "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/"
      },
      {
        "trust": 0.3,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-8840"
      },
      {
        "trust": 0.3,
        "url": "https://access.redhat.com/security/cve/cve-2020-10687"
      },
      {
        "trust": 0.3,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-14307"
      },
      {
        "trust": 0.3,
        "url": "https://access.redhat.com/security/cve/cve-2020-14307"
      },
      {
        "trust": 0.3,
        "url": "https://access.redhat.com/security/cve/cve-2020-1710"
      },
      {
        "trust": 0.3,
        "url": "https://access.redhat.com/security/cve/cve-2020-10718"
      },
      {
        "trust": 0.3,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-10718"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/security/cve/cve-2020-1719"
      },
      {
        "trust": 0.2,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-17566"
      },
      {
        "trust": 0.2,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-11612"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/security/cve/cve-2019-17566"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/security/cve/cve-2020-11612"
      },
      {
        "trust": 0.2,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-1954"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/security/cve/cve-2020-1954"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/articles/11258"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/security/team/key/"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/611.html"
      },
      {
        "trust": 0.1,
        "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=958055"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      },
      {
        "trust": 0.1,
        "url": "https://usn.ubuntu.com/4575-1"
      },
      {
        "trust": 0.1,
        "url": "https://launchpad.net/ubuntu/+source/dom4j/1.6.1+dfsg.3-2ubuntu1.1"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/documentation/en-us/red_hat_fuse/7.8/"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=distributions\u0026product=jboss.fuse\u0026version=7.8.0"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-12406"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2020-11973"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2020-11972"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2019-2692"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2020-9488"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-1000873"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-11989"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2019-13990"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-11980"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-11972"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2020-1950"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2019-12406"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2020-11989"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2019-3774"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-0210"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2020-11980"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2020-1960"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-0205"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-1393"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2020-11971"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2018-1000873"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2020-7226"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-10219"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2020-9489"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2020-14326"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2020-13692"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2019-0210"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2019-10202"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-10202"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-13990"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-3773"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-13692"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2020-11994"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2019-10219"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-11973"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2020-1714"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2020-5398"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-11777"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2020-13933"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2019-12423"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-3774"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2019-17638"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-12423"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-17638"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-2692"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-19343"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-11994"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-11971"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2019-19343"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/errata/rhsa-2020:5568"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2019-3773"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2019-0205"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2019-11777"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2020-2875"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-2934"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2020-2933"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/errata/rhsa-2020:4961"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2020-1945"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-1945"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-2875"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2020-2934"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-2933"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/documentation/en-us/red_hat_process_automation_manager/7.9/"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=distributions\u0026product=rhpam\u0026version=7.9.0"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/errata/rhsa-2020:3642"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/errata/rhsa-2020:3637"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2019-10172"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/errata/rhsa-2020:3585"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=distributions\u0026product\\xeap-cd\u0026version"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-10719"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-1719"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2020-10705"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-10172"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-10705"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2020-10719"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/documentation/en-us/jboss_enterprise_application_platform_continuous_delivery/20/"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-14371"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2018-14371"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/errata/rhsa-2020:3638"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-163186"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-10683"
      },
      {
        "db": "PACKETSTORM",
        "id": "159544"
      },
      {
        "db": "PACKETSTORM",
        "id": "160562"
      },
      {
        "db": "PACKETSTORM",
        "id": "159924"
      },
      {
        "db": "PACKETSTORM",
        "id": "159083"
      },
      {
        "db": "PACKETSTORM",
        "id": "159081"
      },
      {
        "db": "PACKETSTORM",
        "id": "159015"
      },
      {
        "db": "PACKETSTORM",
        "id": "159082"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202004-1133"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-10683"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "VULHUB",
        "id": "VHN-163186"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-10683"
      },
      {
        "db": "PACKETSTORM",
        "id": "159544"
      },
      {
        "db": "PACKETSTORM",
        "id": "160562"
      },
      {
        "db": "PACKETSTORM",
        "id": "159924"
      },
      {
        "db": "PACKETSTORM",
        "id": "159083"
      },
      {
        "db": "PACKETSTORM",
        "id": "159081"
      },
      {
        "db": "PACKETSTORM",
        "id": "159015"
      },
      {
        "db": "PACKETSTORM",
        "id": "159082"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202004-1133"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-10683"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2020-05-01T00:00:00",
        "db": "VULHUB",
        "id": "VHN-163186"
      },
      {
        "date": "2020-05-01T00:00:00",
        "db": "VULMON",
        "id": "CVE-2020-10683"
      },
      {
        "date": "2020-10-14T16:51:24",
        "db": "PACKETSTORM",
        "id": "159544"
      },
      {
        "date": "2020-12-16T18:17:52",
        "db": "PACKETSTORM",
        "id": "160562"
      },
      {
        "date": "2020-11-06T15:18:46",
        "db": "PACKETSTORM",
        "id": "159924"
      },
      {
        "date": "2020-09-07T16:39:48",
        "db": "PACKETSTORM",
        "id": "159083"
      },
      {
        "date": "2020-09-07T16:38:23",
        "db": "PACKETSTORM",
        "id": "159081"
      },
      {
        "date": "2020-08-31T16:22:15",
        "db": "PACKETSTORM",
        "id": "159015"
      },
      {
        "date": "2020-09-07T16:39:28",
        "db": "PACKETSTORM",
        "id": "159082"
      },
      {
        "date": "2020-04-15T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202004-1133"
      },
      {
        "date": "2020-05-01T19:15:12.927000",
        "db": "NVD",
        "id": "CVE-2020-10683"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2022-07-25T00:00:00",
        "db": "VULHUB",
        "id": "VHN-163186"
      },
      {
        "date": "2023-11-07T00:00:00",
        "db": "VULMON",
        "id": "CVE-2020-10683"
      },
      {
        "date": "2023-07-04T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202004-1133"
      },
      {
        "date": "2023-11-07T03:14:11.907000",
        "db": "NVD",
        "id": "CVE-2020-10683"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "159544"
      },
      {
        "db": "PACKETSTORM",
        "id": "160562"
      },
      {
        "db": "PACKETSTORM",
        "id": "159924"
      },
      {
        "db": "PACKETSTORM",
        "id": "159083"
      },
      {
        "db": "PACKETSTORM",
        "id": "159081"
      },
      {
        "db": "PACKETSTORM",
        "id": "159015"
      },
      {
        "db": "PACKETSTORM",
        "id": "159082"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202004-1133"
      }
    ],
    "trust": 1.3
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "dom4j Code problem vulnerability",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202004-1133"
      }
    ],
    "trust": 0.6
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "code problem",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202004-1133"
      }
    ],
    "trust": 0.6
  }
}