CVE-2023-0482 – RESTEasy: creation of insecure temp files
https://notcve.org/view.php?id=CVE-2023-0482
17 Feb 2023 — In RESTEasy, the insecure File.createTempFile() is used in the DataSourceProvider, FileProvider and Mime4JWorkaround classes, which creates temp files with insecure permissions that could be read by a local user. Red Hat Single Sign-On is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat Single Sign-On for OpenShift image provides an authentication server that you can use to log in centrally, log out, and register. You can also manage user a... • https://github.com/resteasy/resteasy/pull/3409/commits/807d7456f2137cde8ef7c316707211bf4e542d56 • CWE-378: Creation of Temporary File With Insecure Permissions
CVE-2021-20293 – RESTEasy: PathParam in RESTEasy can lead to a reflected XSS attack
https://notcve.org/view.php?id=CVE-2021-20293
10 Jun 2021 — A reflected Cross-Site Scripting (XSS) flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final, where it did not properly handle URL encoding when calling @javax.ws.rs.PathParam without any @Produces MediaType. This flaw allows an attacker to launch a reflected XSS attack. The highest threat from this vulnerability is to data confidentiality and integrity. • https://bugzilla.redhat.com/show_bug.cgi?id=1942819 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-25724 – resteasy: information disclosure via HTTP response reuse
https://notcve.org/view.php?id=CVE-2020-25724
29 Mar 2021 — A flaw was found in RESTEasy, where an incorrect response to an HTTP request is provided. This flaw allows an attacker to gain access to privileged information. The highest threat from this vulnerability is to confidentiality and integrity. Versions before resteasy 2.0.0.Alpha3 are affected. • https://bugzilla.redhat.com/show_bug.cgi?id=1899354 • CWE-567: Unsynchronized Access to Shared Data in a Multithreaded Context
CVE-2021-20289 – resteasy: Error message exposes endpoint class information
https://notcve.org/view.php?id=CVE-2021-20289
26 Mar 2021 — A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. The highest threat from this vulnerability is to data confidentiality. • https://bugzilla.redhat.com/show_bug.cgi?id=1935927 • CWE-209: Generation of Error Message Containing Sensitive Information
CVE-2020-25633 – resteasy-client: potential sensitive information leakage in JAX-RS RESTEasy Client's WebApplicationException handling
https://notcve.org/view.php?id=CVE-2020-25633
18 Sep 2020 — A flaw was found in the RESTEasy client in all versions of RESTEasy up to 4.5.6.Final. It may allow client users to obtain the server's potentially sensitive information when the server got a WebApplicationException from the RESTEasy client call. The highest threat from this vulnerability is to data confidentiality. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25633 • CWE-209: Generation of Error Message Containing Sensitive Information
CVE-2020-10688 – RESTEasy: RESTEASY003870 exception in RESTEasy can lead to a reflected XSS attack
https://notcve.org/view.php?id=CVE-2020-10688
28 May 2020 — A cross-site scripting (XSS) flaw was found in RESTEasy in versions before 3.11.1.Final and before 4.5.3.Final, where it did not properly handle URL encoding when the RESTEASY003870 exception occurs. An attacker could use this flaw to launch a reflected XSS attack. • https://bugzilla.redhat.com/show_bug.cgi?id=1814974 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-9606 – Resteasy: Yaml unmarshalling vulnerable to RCE
https://notcve.org/view.php?id=CVE-2016-9606
19 May 2017 — JBoss RESTEasy before version 3.1.2 could be forced into parsing a request with YamlProvider, resulting in unmarshalling of potentially untrusted data, which could allow an attacker to execute arbitrary code with RESTEasy application permissions. • http://rhn.redhat.com/errata/RHSA-2017-1255.html • CWE-20: Improper Input Validation
CVE-2012-0818 – RESTEasy: XML eXternal Entity (XXE) flaw
https://notcve.org/view.php?id=CVE-2012-0818
23 Nov 2012 — RESTEasy before 2.3.1 allows remote attackers to read arbitrary files via an external entity reference in a DOM document, aka an XML external entity (XXE) injection attack. Red Hat JBoss BPM Suite is a business rules management system for the management, storage, creation, modification,... • http://rhn.redhat.com/errata/RHSA-2012-0441.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor • CWE-611: Improper Restriction of XML External Entity Reference
CVE-2011-5245 – RESTEasy: XML eXternal Entity (XXE) flaw
https://notcve.org/view.php?id=CVE-2011-5245
23 Nov 2012 — The readFrom function in providers.jaxb.JAXBXmlTypeProvider in RESTEasy before 2.3.2 allows remote attackers to read arbitrary files via an external entity reference in a Java Architecture for XML Binding (JAXB) input, aka an XML external entity (XXE) injection attack, a similar vulnerability to CVE-2012-0818. • http://rhn.redhat.com/errata/RHSA-2012-0441.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor • CWE-611: Improper Restriction of XML External Entity Reference