RHSA-2020:3585: Important: EAP Continuous Delivery Technical Preview Release 20 security update

Red Hat JBoss Enterprise Application Platform CD20 is a platform for Java applications based on the WildFly application runtime.This release of Red Hat JBoss Enterprise Application Platform CD20 includes bug fixes and enhancements. Security Fix(es): jsf-impl: mojarra: Path traversal in ResourceManager.java:getLocalePrefix() via the loc parameter (CVE-2018-14371) jackson-mapper-asl: XML external entity similar to CVE-2016-3720 (CVE-2019-10172) hibernate-core: hibernate: SQL injection issue in Hibernate ORM (CVE-2019-14900) jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution (CVE-2020-10673) dom4j: XML External Entity vulnerability in default SAX parser (CVE-2020-10683) undertow: Memory exhaustion issue in HttpReadListener via "Expect: 100-continue" header (CVE-2020-10705) wildfly-elytron: session fixation when using FORM authentication (CVE-2020-10714) undertow: invalid HTTP request with large chunk size (CVE-2020-10719) wildfly: unsafe deserialization in Wildfly Enterprise Java Beans (CVE-2020-10740) netty: compression/decompression codecs don't enforce limits on buffer allocation sizes (CVE-2020-11612) wildfly: EJBContext principal is not popped back after invoking another EJB using a different Security Domain (CVE-2020-1719) cxf-core: cxf: JMX integration is vulnerable to a MITM attack (CVE-2020-1954) jsf-impl: Mojarra: Path traversal via either the loc parameter or the con parameter, incomplete fix of CVE-2018-14371 (CVE-2020-6950) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.