Jastow Cross-Site Scripting attack due to unsanitized URI
Summary
Jastow Cross-Site Scripting attack due to unsanitized URI. Red Hat rates this moderate (CVSS 6.5). Weakness: CWE-79. Affected package(s): eap8-elytron-web, eap8-jboss-ejb-client, eap8-jandex, eap8-javaee-security-soteria, eap8-jboss-dmr, eap8-fge-btf. Resolved in Red Hat advisory RHSA-2026:36343 — update the affected packages (`sudo dnf update`).
- eap8-elytron-web-0:4.1.2-1.Final_redhat_00001.1.el10eap
- eap8-jboss-ejb-client-0:5.0.8-1.Final_redhat_00001.1.el10eap
- eap8-jandex-0:3.2.7-1.redhat_00001.1.el10eap
- eap8-javaee-security-soteria-0:3.0.3-2.redhat_00001.1.el10eap
- eap8-jboss-dmr-0:1.7.0-2.Final_redhat_00001.1.el10eap
- eap8-fge-btf-0:1.2.0-4.redhat_00007.1.el10eap
- eap8-joda-time-0:2.12.7-1.redhat_00002.1.el10eap
- eap8-jakarta-resource-api-0:2.1.0-2.redhat_00001.1.el10eap
- eap8-jbossws-jaxws-undertow-httpspi-0:2.0.0-1.Final_redhat_00001.1.el10eap
- eap8-jackson-coreutils-0:1.8.0-3.redhat_00002.1.el10eap
- eap8-jgroups-aws-0:3.0.1-1.Final_redhat_00001.1.el10eap
- eap8-netty-0:4.1.132-1.Final_redhat_00001.1.el10eap
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
- RHSA-2026:36343
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Mitigation checklist
- It is possible to contruct successful attack vector if and only if customer or client is using embedded Undertow and Jastow together in their application and the following conditions are met: * Undertow was configured with UndertowOptions.ALLOW_UNESCAPED_CHARACTERS_IN_URL set to 'true' value * DeploymentInfo configured with setEscapeErrorMessage(true) method was passed to Undertow's Servlet Container instance
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.