QUARKUS-2457

Enhance cryptic descriptions in 2.7 release notes


    • Bug
    • Resolution: Won't Do
    • Major
    • 2.7.6.GA
    • team/docs

      The Fixes section of the Red Hat build of Quarkus 2.7 release notes includes CVE titles verbatim, some of which need enhancing to be more user-friendly and to incorporate RH style.

       

      8.1. Security fixes

      8.1.1. Quarkus 2.7.6

      • QUARKUS-2076 CVE-2021-3520 LZ4: memory corruption due to an integer overflow bug caused by the memmove argument
      • QUARKUS-1969 CVE-2020-36518 Jackson-databind: denial of service caused by a large depth of nested objects

      8.1.2. Quarkus 2.7.5

      • QUARKUS-1970 CVE-2021-43797 Netty: control chars in header names may lead to HTTP request smuggling
      • QUARKUS-1902 CVE-2022-0981 Quarkus: privilege escalation vulnerability with RestEasy Reactive scope leakage in Quarkus
      • QUARKUS-1842 CVE-2022-21724 PostgreSQL: jdbc-postgresql: Unchecked Class Instantiation when providing Plug-in Classes
      • QUARKUS-1833 CVE-2021-22569 protobuf-java: potential DoS in the parsing procedure for binary data
      • QUARKUS-1832 CVE-2022-21363 MySQL-connector-java: Difficult to exploit vulnerability allows a high privileged attacker with network access by using multiple protocols to compromise MySQL Connectors
      • QUARKUS-1372 CVE-2021-3914 Smallrye-health-ui: persistent cross-site scripting in endpoint
      • QUARKUS-1029 CVE-2021-29429 Gradle: information disclosure through temporary directory permissions
      • QUARKUS-993 CVE-2021-29428 Gradle: local privilege escalation through system temporary directory
      • QUARKUS-992 CVE-2021-29427 Gradle: repository content filters do not work in Settings pluginManagement
      • QUARKUS-800 CVE-2020-13949 libthrift: potential DoS when processing untrusted payloads

       

       

              mpurcell@redhat.com Michelle Purcell