Ted Jongseok Won

**Name of the Vulnerable Software and Affected Versions** Red Hat JBoss Core Services HTTP Server (affected versions not specified) **Description** A flaw was found in Red Hat JBoss Core Services HTTP Server where it does not properly normalize the path component of a request URL containing dot-dot-semicolon(s). This could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this issue is to data confidentiality and integrity. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Quarkus (affected versions not specified) **Description** A flaw in Quarkus allows the state and potentially associated permissions to leak from one web request to another in RestEasy Reactive. This issue enables a low-privileged user to perform operations on the database with a different set of privileges than intended. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: RESTEasy versions up to 4.6.0.Final Description: A reflected Cross-Site Scripting (XSS) flaw was found in RESTEasy, where it did not properly handle URL encoding when calling `@javax.ws.rs.PathParam` without any `@Produces` MediaType. This flaw allows an attacker to launch a reflected XSS attack, posing a threat to data confidentiality and integrity. Recommendations: For versions up to 4.6.0.Final, update to a version later than 4.6.0.Final to resolve the issue. As a temporary workaround, consider restricting the use of `@javax.ws.rs.PathParam` without any `@Produces` MediaType to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: SmallRye versions prior to 1.6.2 Description: A flaw in the API can allow other code running within the application server to potentially obtain the ClassLoader, bypassing any permissions checks that should have been applied, posing a threat to data confidentiality. Recommendations: For versions prior to 1.6.2, update to SmallRye 1.6.2 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** WildFly Elytron versions 1.11.3.Final and earlier **Description** A flaw was found in WildFly Elytron when using FORM authentication with a session ID in the URL, allowing an attacker to perform a session fixation attack. This poses a threat to data confidentiality and integrity, as well as system availability. **Recommendations** For WildFly Elytron versions 1.11.3.Final and earlier, consider disabling the use of session IDs in URLs for FORM authentication until a patch is available. Restrict access to sensitive data and implement additional security measures to minimize the risk of session fixation attacks.