redhat

resteasy

10 known vulnerabilities · sorted by CVSS score

CVE-2018-1051

It was found that the fix for CVE-2016-9606 in versions 3.0.22 and 3.1.2 was incomplete and Yaml unmarshalling in Resteasy is still possible via `Yaml.load()` in YamlProvider.

redhat / resteasy+1

Network

Published Jan 25, 2018

CVE-2016-9606

HIGH8.1

JBoss RESTEasy before version 3.1.2 could be forced into parsing a request with YamlProvider, resulting in unmarshalling of potentially untrusted data which could allow an attacker to execute arbitrary code with RESTEasy application permissions.

redhat / resteasy

Network

Published Mar 9, 2018

CVE-2020-1695

HIGH7.5

A flaw was found in all resteasy 3.x.x versions prior to 3.12.0.Final and all resteasy 4.x.x versions prior to 4.6.0.Final, where an improper input validation results in returning an illegal header that integrates into the server's response. This flaw may result in an injection, which leads to unexpected behavior when the HTTP response is constructed.

redhat / resteasy+3

Network

Published May 19, 2020

CVE-2020-14326

HIGH7.5

A vulnerability was found in RESTEasy, where RootNode incorrectly caches routes. This issue results in hash flooding, leading to slower requests with higher CPU time spent searching and adding the entry. This flaw allows an attacker to cause a denial of service.

redhat / integration_camel_k+2

Network

Published Jun 2, 2021

CVE-2020-10688

MEDIUM6.1

A cross-site scripting (XSS) flaw was found in RESTEasy in versions before 3.11.1.Final and before 4.5.3.Final, where it did not properly handle URL encoding when the RESTEASY003870 exception occurs. An attacker could use this flaw to launch a reflected XSS attack.

redhat / fuse+6

Network

Published May 27, 2021

CVE-2021-20293

MEDIUM6.1

A reflected Cross-Site Scripting (XSS) flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final, where it did not properly handle URL encoding when calling @javax.ws.rs.PathParam without any @Produces MediaType. This flaw allows an attacker to launch a reflected XSS attack. The highest threat from this vulnerability is to data confidentiality and integrity.

redhat / resteasy+1

Network

Published Jun 10, 2021

CVE-2023-0482

MEDIUM5.5

In RESTEasy the insecure File.createTempFile() is used in the DataSourceProvider, FileProvider and Mime4JWorkaround classes which creates temp files with insecure permissions that could be read by a local user.

redhat / resteasy+7

Local

Published Feb 17, 2023

CVE-2020-25633

MEDIUM5.3

A flaw was found in RESTEasy client in all versions of RESTEasy up to 4.5.6.Final. It may allow client users to obtain the server's potentially sensitive information when the server got WebApplicationException from the RESTEasy client call. The highest threat from this vulnerability is to data confidentiality.

redhat / resteasy+2

Network

Published Sep 18, 2020

CVE-2021-20289

MEDIUM5.3

A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. The highest threat from this vulnerability is to data confidentiality.

redhat / resteasy+3

Network

Published Mar 26, 2021

CVE-2020-25724

MEDIUM4.3

A flaw was found in RESTEasy, where an incorrect response to an HTTP request is provided. This flaw allows an attacker to gain access to privileged information. The highest threat from this vulnerability is to confidentiality and integrity. Versions before resteasy 2.0.0.Alpha3 are affected.

redhat / resteasy+3

Network

Published May 26, 2021