During the whole thing about JBDS-3560, JBDS-3561 and JBDS-3562, Nick changed JBDS 9.1.0 to use the internal build of EAP 6.4.5 in the build process:
4.3.x branch:
https://github.com/jbdevstudio/jbdevstudio-product/commit/c8aea70202616dfd168e317510fc861bdc02ec82

And in master:
https://github.com/jbdevstudio/jbdevstudio-product/commit/6792edbfefcf54d4329519d21f8c29566d720b6e

I understand that some of the above mentioned JIRAs are not resolved yet, but I wanted to be sure to track this - we need to make sure not to bundle this build of EAP, because it's an internal build not supposed to be public. (Yes, the original assumption was that perhaps this time there would be an exception, but it turned out not to be the case.)

For JBDS 9.1.0.Beta1 I suggest we include the same patched EAP as discussed in JBDS-3562 . But it's kind of tricky how to make it obvious to users - I'm not sure if we want to include the CVE in the filename again.

But in any case, we can never include EAP 6.4.5 full build.