CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-0482 – RESTEasy: creation of insecure temp files
https://notcve.org/view.php?id=CVE-2023-0482
17 Feb 2023 — In RESTEasy the insecure File.createTempFile() is used in the DataSourceProvider, FileProvider and Mime4JWorkaround classes which creates temp files with insecure permissions that could be read by a local user. Red Hat Single Sign-On is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat Single Sign-On for OpenShift image provides an authentication server that you can use to log in centrally, log out, and register. You can also manage user a... • https://github.com/resteasy/resteasy/pull/3409/commits/807d7456f2137cde8ef7c316707211bf4e542d56 • CWE-378: Creation of Temporary File With Insecure Permissions •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2021-20293 – RESTEasy: PathParam in RESTEasy can lead to a reflected XSS attack
https://notcve.org/view.php?id=CVE-2021-20293
10 Jun 2021 — A reflected Cross-Site Scripting (XSS) flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final, where it did not properly handle URL encoding when calling @javax.ws.rs.PathParam without any @Produces MediaType. This flaw allows an attacker to launch a reflected XSS attack. The highest threat from this vulnerability is to data confidentiality and integrity. Se ha encontrado un fallo de tipo Cross-Site Scripting (XSS) reflejado en RESTEasy en todas las versiones de RESTEasy hasta la 4.6.0.Fin... • https://bugzilla.redhat.com/show_bug.cgi?id=1942819 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 0CVE-2020-25724 – resteasy: information disclosure via HTTP response reuse
https://notcve.org/view.php?id=CVE-2020-25724
29 Mar 2021 — A flaw was found in RESTEasy, where an incorrect response to an HTTP request is provided. This flaw allows an attacker to gain access to privileged information. The highest threat from this vulnerability is to confidentiality and integrity. Versions before resteasy 2.0.0.Alpha3 are affected. Se encontró un fallo en RESTEasy, donde es proporcionada una respuesta incorrecta para una petición HTTP. • https://bugzilla.redhat.com/show_bug.cgi?id=1899354 • CWE-567: Unsynchronized Access to Shared Data in a Multithreaded Context •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0CVE-2021-20289 – resteasy: Error message exposes endpoint class information
https://notcve.org/view.php?id=CVE-2021-20289
26 Mar 2021 — A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. The highest threat from this vulnerability is to data confidentiality. Se detectó un fallo en RESTEasy en todas las versiones de RESTEasy hasta 4.6.0.Final. Los nombres de métodos y clases de endpoint son devueltos co... • https://bugzilla.redhat.com/show_bug.cgi?id=1935927 • CWE-209: Generation of Error Message Containing Sensitive Information •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2020-25633 – resteasy-client: potential sensitive information leakage in JAX-RS RESTEasy Client's WebApplicationException handling
https://notcve.org/view.php?id=CVE-2020-25633
18 Sep 2020 — A flaw was found in RESTEasy client in all versions of RESTEasy up to 4.5.6.Final. It may allow client users to obtain the server's potentially sensitive information when the server got WebApplicationException from the RESTEasy client call. The highest threat from this vulnerability is to data confidentiality. Se encontró un fallo en el cliente RESTEasy en todas las versiones de RESTEasy hasta 4.5.6.Final. Puede permitir a usuarios del cliente obtener información potencialmente confidencial del servido... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25633 • CWE-209: Generation of Error Message Containing Sensitive Information •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2020-14326 – RESTEasy: Caching routes in RootNode may result in DoS
https://notcve.org/view.php?id=CVE-2020-14326
30 Jul 2020 — A vulnerability was found in RESTEasy, where RootNode incorrectly caches routes. This issue results in hash flooding, leading to slower requests with higher CPU time spent searching and adding the entry. This flaw allows an attacker to cause a denial of service. Se encontrado una vulnerabilidad en RESTEasy, donde RootNode almacena incorrectamente las rutas en caché. Este problema resulta en una inundación de hash, lo que conlleva a una ralentización de las peticiones con un mayor tiempo de CPU dedicado a bu... • https://bugzilla.redhat.com/show_bug.cgi?id=1855826 • CWE-400: Uncontrolled Resource Consumption CWE-407: Inefficient Algorithmic Complexity •
CVSS: 6.1EPSS: 0%CPEs: 12EXPL: 1CVE-2020-10688 – RESTEasy: RESTEASY003870 exception in RESTEasy can lead to a reflected XSS attack
https://notcve.org/view.php?id=CVE-2020-10688
28 May 2020 — A cross-site scripting (XSS) flaw was found in RESTEasy in versions before 3.11.1.Final and before 4.5.3.Final, where it did not properly handle URL encoding when the RESTEASY003870 exception occurs. An attacker could use this flaw to launch a reflected XSS attack. Se encontró un fallo de tipo cross-site scripting (XSS) en RESTEasy en versiones anteriores a 3.11.1.Final y anteriores a 4.5.3.Final, donde no manejaba apropiadamente la codificación de URL cuando ocurre la excepción RESTEASY003870. Un atac... • https://bugzilla.redhat.com/show_bug.cgi?id=1814974 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2020-1695 – resteasy: Improper validation of response header in MediaTypeHeaderDelegate.java class
https://notcve.org/view.php?id=CVE-2020-1695
12 May 2020 — A flaw was found in all resteasy 3.x.x versions prior to 3.12.0.Final and all resteasy 4.x.x versions prior to 4.6.0.Final, where an improper input validation results in returning an illegal header that integrates into the server's response. This flaw may result in an injection, which leads to unexpected behavior when the HTTP response is constructed. Se detectó un fallo en todas las versiones de resteasy 3.xx anteriores a 3.12.0.Final y en todas las versiones de resteasy 4.xx anteriores a 4.6.0.Final, dond... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1695 • CWE-20: Improper Input Validation •
CVSS: 8.1EPSS: 0%CPEs: 2EXPL: 0CVE-2018-1051
https://notcve.org/view.php?id=CVE-2018-1051
25 Jan 2018 — It was found that the fix for CVE-2016-9606 in versions 3.0.22 and 3.1.2 was incomplete and Yaml unmarshalling in Resteasy is still possible via `Yaml.load()` in YamlProvider. Se descubrió que la solución para CVE-2016-9606 en las versiones 3.0.22 y 3.1.2 era incompleta y sigue siendo posible deserializar Yaml en Resteasy mediante la función Yaml.load() en YamlProvider. • https://bugzilla.redhat.com/show_bug.cgi?id=1535411 • CWE-20: Improper Input Validation CWE-502: Deserialization of Untrusted Data •
CVSS: 8.1EPSS: 1%CPEs: 1EXPL: 0CVE-2016-9606 – Resteasy: Yaml unmarshalling vulnerable to RCE
https://notcve.org/view.php?id=CVE-2016-9606
19 May 2017 — JBoss RESTEasy before version 3.1.2 could be forced into parsing a request with YamlProvider, resulting in unmarshalling of potentially untrusted data which could allow an attacker to execute arbitrary code with RESTEasy application permissions. JBoss RESTEasy, en versiones anteriores a la 3.1.2, podría ser forzado a analizar una petición con YamlProvider, lo que resulta en la deserialización de datos potencialmente no fiables. Esto podría permitir que un atacante ejecute código arbitrario con permisos de a... • http://rhn.redhat.com/errata/RHSA-2017-1255.html • CWE-20: Improper Input Validation •