Mikhail Egorov

**Name of the Vulnerable Software and Affected Versions** Apache CXF versions prior to 3.0.12 Apache CXF versions 3.1.x prior to 3.1.9 **Description** The issue concerns the JAX-RS module in Apache CXF, which provides Atom JAX-RS MessageBodyReaders that utilize the Apache Abdera Parser. This parser expands XML entities by default, posing a significant XML External Entity (XXE) risk. **Recommendations** For Apache CXF versions prior to 3.0.12, update to version 3.0.12 or later. For Apache CXF versions 3.1.x prior to 3.1.9, update to version 3.1.9 or later.

**Name of the Vulnerable Software and Affected Versions** RESTEasy (affected versions not specified) **Description** A cross-site scripting (XSS) issue exists in the default exception handler of RESTEasy, allowing remote attackers to inject arbitrary web script or HTML. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RESTEasy (affected versions not specified) **Description** The issue allows remote attackers to conduct a cross-site script inclusion (XSSI) attack, potentially affecting the security of the system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Red Hat Enterprise Linux Desktop 7 (affected versions not specified) Red Hat Enterprise Linux HPC Node 7 (affected versions not specified) Red Hat Enterprise Linux Server 7 (affected versions not specified) Red Hat Enterprise Linux Workstation 7 (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary code via the SerializableProvider in RESTEasy. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WildFly version 10.0.0 Red Hat JBoss Enterprise Application Platform (EAP) versions prior to 7.0.2 **Description** A CRLF injection issue in the Undertow web server allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks. **Recommendations** For WildFly version 10.0.0, update to a version that fixes the CRLF injection vulnerability. For Red Hat JBoss Enterprise Application Platform (EAP) versions prior to 7.0.2, update to version 7.0.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** RESTEasy (affected versions not specified) **Description** The issue allows remote authenticated users to obtain sensitive information by leveraging insufficient use of random values in async jobs. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RESTEasy (affected versions not specified) **Description** The issue allows remote attackers to cause a denial of service via unspecified vectors, due to the GZIPInterceptor being enabled. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Apache Jackrabbit versions 2.0.0 through 2.0.5 Apache Jackrabbit versions 2.2.x through 2.2.13 Apache Jackrabbit versions 2.4.x through 2.4.5 Apache Jackrabbit versions 2.6.x through 2.6.5 Apache Jackrabbit versions 2.8.x through 2.8.0 Apache Jackrabbit versions 2.10.x through 2.10.0 **Description** The issue allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request, exploiting an XML external entity (XXE) vulnerability. **Recommendations** For Apache Jackrabbit versions 2.0.0 through 2.0.5, update to version 2.0.6 or later. For Apache Jackrabbit versions 2.2.x through 2.2.13, update to version 2.2.14 or later. For Apache Jackrabbit versions 2.4.x through 2.4.5, update to version 2.4.6 or later. For Apache Jackrabbit versions 2.6.x through 2.6.5, update to version 2.6.6 or later. For Apache Jackrabbit versions 2.8.x through 2.8.0, update to version 2.8.1 or later. For Apache Jackrabbit versions 2.10.x through 2.10.0, update to version 2.10.1 or later.