CVE-2020-1695 – resteasy: Improper validation of response header in MediaTypeHeaderDelegate.java class
https://notcve.org/view.php?id=CVE-2020-1695
A flaw was found in all resteasy 3.x.x versions prior to 3.12.0.Final and all resteasy 4.x.x versions prior to 4.6.0.Final, where an improper input validation results in returning an illegal header that integrates into the server's response. This flaw may result in an injection, which leads to unexpected behavior when the HTTP response is constructed. Se detectó un fallo en todas las versiones de resteasy 3.xx anteriores a 3.12.0.Final y en todas las versiones de resteasy 4.xx anteriores a 4.6.0.Final, donde una comprobación de entrada inapropiada resulta en la devolución de un encabezado ilegal que se integra en la respuesta del servidor. Este fallo puede resultar en una inyección, lo que conlleva a un comportamiento inesperado cuando es construida la respuesta HTTP. A flaw was found in Resteasy, where an improper input validation results in returning an illegal header that integrates into the server's response. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1695 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IJDMT443YZWCBS5NS76XZ7TL3GK7BXHL https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RX22C6I56BJUER76IIPYHGZIWBQIU3CQ https://access.redhat.com/security/cve/CVE-2020-1695 https://bugzilla.redhat.com/show_bug.cgi?id=1730462 • CWE-20: Improper Input Validation •
CVE-2018-1051
https://notcve.org/view.php?id=CVE-2018-1051
It was found that the fix for CVE-2016-9606 in versions 3.0.22 and 3.1.2 was incomplete and Yaml unmarshalling in Resteasy is still possible via `Yaml.load()` in YamlProvider. Se descubrió que la solución para CVE-2016-9606 en las versiones 3.0.22 y 3.1.2 era incompleta y sigue siendo posible deserializar Yaml en Resteasy mediante la función Yaml.load() en YamlProvider. • https://bugzilla.redhat.com/show_bug.cgi?id=1535411 • CWE-20: Improper Input Validation CWE-502: Deserialization of Untrusted Data •