CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-0482 – RESTEasy: creation of insecure temp files
https://notcve.org/view.php?id=CVE-2023-0482
In RESTEasy the insecure File.createTempFile() is used in the DataSourceProvider, FileProvider and Mime4JWorkaround classes which creates temp files with insecure permissions that could be read by a local user. • https://github.com/resteasy/resteasy/pull/3409/commits/807d7456f2137cde8ef7c316707211bf4e542d56 https://security.netapp.com/advisory/ntap-20230427-0001 https://access.redhat.com/security/cve/CVE-2023-0482 https://bugzilla.redhat.com/show_bug.cgi?id=2166004 • CWE-378: Creation of Temporary File With Insecure Permissions •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2021-20293 – RESTEasy: PathParam in RESTEasy can lead to a reflected XSS attack
https://notcve.org/view.php?id=CVE-2021-20293
A reflected Cross-Site Scripting (XSS) flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final, where it did not properly handle URL encoding when calling @javax.ws.rs.PathParam without any @Produces MediaType. This flaw allows an attacker to launch a reflected XSS attack. The highest threat from this vulnerability is to data confidentiality and integrity. Se ha encontrado un fallo de tipo Cross-Site Scripting (XSS) reflejado en RESTEasy en todas las versiones de RESTEasy hasta la 4.6.0.Final, donde no se manejaba apropiadamente la codificación de la URL cuando se llamaba al parámetro @javax.ws.rs.PathParam sin ningún parámetro @Produces MediaType. Este fallo permite a un atacante iniciar un ataque de tipo XSS reflejado. • https://bugzilla.redhat.com/show_bug.cgi?id=1942819 https://security.netapp.com/advisory/ntap-20210727-0005 https://access.redhat.com/security/cve/CVE-2021-20293 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 0CVE-2020-25724 – resteasy: information disclosure via HTTP response reuse
https://notcve.org/view.php?id=CVE-2020-25724
A flaw was found in RESTEasy, where an incorrect response to an HTTP request is provided. This flaw allows an attacker to gain access to privileged information. The highest threat from this vulnerability is to confidentiality and integrity. Versions before resteasy 2.0.0.Alpha3 are affected. Se encontró un fallo en RESTEasy, donde es proporcionada una respuesta incorrecta para una petición HTTP. • https://bugzilla.redhat.com/show_bug.cgi?id=1899354 https://security.netapp.com/advisory/ntap-20210702-0003 https://access.redhat.com/security/cve/CVE-2020-25724 • CWE-567: Unsynchronized Access to Shared Data in a Multithreaded Context •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0CVE-2021-20289 – resteasy: Error message exposes endpoint class information
https://notcve.org/view.php?id=CVE-2021-20289
A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. The highest threat from this vulnerability is to data confidentiality. Se detectó un fallo en RESTEasy en todas las versiones de RESTEasy hasta 4.6.0.Final. Los nombres de métodos y clases de endpoint son devueltos como parte de la respuesta de excepción cuando RESTEasy no puede convertir uno de los valores de consulta o ruta del URI de petición a el valor del parámetro de método del recurso JAX-RS correspondiente. • https://bugzilla.redhat.com/show_bug.cgi?id=1935927 https://www.oracle.com/security-alerts/cpuapr2022.html https://access.redhat.com/security/cve/CVE-2021-20289 • CWE-209: Generation of Error Message Containing Sensitive Information •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2020-25633 – resteasy-client: potential sensitive information leakage in JAX-RS RESTEasy Client's WebApplicationException handling
https://notcve.org/view.php?id=CVE-2020-25633
A flaw was found in RESTEasy client in all versions of RESTEasy up to 4.5.6.Final. It may allow client users to obtain the server's potentially sensitive information when the server got WebApplicationException from the RESTEasy client call. The highest threat from this vulnerability is to data confidentiality. Se encontró un fallo en el cliente RESTEasy en todas las versiones de RESTEasy hasta 4.5.6.Final. Puede permitir a usuarios del cliente obtener información potencialmente confidencial del servidor cuando el servidor obtuvo una WebApplicationException de la llamada del cliente RESTEasy. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25633 https://access.redhat.com/security/cve/CVE-2020-25633 https://bugzilla.redhat.com/show_bug.cgi?id=1879042 • CWE-209: Generation of Error Message Containing Sensitive Information •