CVE-2023-0482 – RESTEasy: creation of insecure temp files
https://notcve.org/view.php?id=CVE-2023-0482
In RESTEasy the insecure File.createTempFile() is used in the DataSourceProvider, FileProvider and Mime4JWorkaround classes which creates temp files with insecure permissions that could be read by a local user. • https://github.com/resteasy/resteasy/pull/3409/commits/807d7456f2137cde8ef7c316707211bf4e542d56 https://security.netapp.com/advisory/ntap-20230427-0001 https://access.redhat.com/security/cve/CVE-2023-0482 https://bugzilla.redhat.com/show_bug.cgi?id=2166004 • CWE-378: Creation of Temporary File With Insecure Permissions •
CVE-2021-20293 – RESTEasy: PathParam in RESTEasy can lead to a reflected XSS attack
https://notcve.org/view.php?id=CVE-2021-20293
A reflected Cross-Site Scripting (XSS) flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final, where it did not properly handle URL encoding when calling @javax.ws.rs.PathParam without any @Produces MediaType. This flaw allows an attacker to launch a reflected XSS attack. The highest threat from this vulnerability is to data confidentiality and integrity. Se ha encontrado un fallo de tipo Cross-Site Scripting (XSS) reflejado en RESTEasy en todas las versiones de RESTEasy hasta la 4.6.0.Final, donde no se manejaba apropiadamente la codificación de la URL cuando se llamaba al parámetro @javax.ws.rs.PathParam sin ningún parámetro @Produces MediaType. Este fallo permite a un atacante iniciar un ataque de tipo XSS reflejado. • https://bugzilla.redhat.com/show_bug.cgi?id=1942819 https://security.netapp.com/advisory/ntap-20210727-0005 https://access.redhat.com/security/cve/CVE-2021-20293 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-20289 – resteasy: Error message exposes endpoint class information
https://notcve.org/view.php?id=CVE-2021-20289
A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. The highest threat from this vulnerability is to data confidentiality. Se detectó un fallo en RESTEasy en todas las versiones de RESTEasy hasta 4.6.0.Final. Los nombres de métodos y clases de endpoint son devueltos como parte de la respuesta de excepción cuando RESTEasy no puede convertir uno de los valores de consulta o ruta del URI de petición a el valor del parámetro de método del recurso JAX-RS correspondiente. • https://bugzilla.redhat.com/show_bug.cgi?id=1935927 https://www.oracle.com/security-alerts/cpuapr2022.html https://access.redhat.com/security/cve/CVE-2021-20289 • CWE-209: Generation of Error Message Containing Sensitive Information •
CVE-2020-25633 – resteasy-client: potential sensitive information leakage in JAX-RS RESTEasy Client's WebApplicationException handling
https://notcve.org/view.php?id=CVE-2020-25633
A flaw was found in RESTEasy client in all versions of RESTEasy up to 4.5.6.Final. It may allow client users to obtain the server's potentially sensitive information when the server got WebApplicationException from the RESTEasy client call. The highest threat from this vulnerability is to data confidentiality. Se encontró un fallo en el cliente RESTEasy en todas las versiones de RESTEasy hasta 4.5.6.Final. Puede permitir a usuarios del cliente obtener información potencialmente confidencial del servidor cuando el servidor obtuvo una WebApplicationException de la llamada del cliente RESTEasy. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25633 https://access.redhat.com/security/cve/CVE-2020-25633 https://bugzilla.redhat.com/show_bug.cgi?id=1879042 • CWE-209: Generation of Error Message Containing Sensitive Information •
CVE-2020-14326 – RESTEasy: Caching routes in RootNode may result in DoS
https://notcve.org/view.php?id=CVE-2020-14326
A vulnerability was found in RESTEasy, where RootNode incorrectly caches routes. This issue results in hash flooding, leading to slower requests with higher CPU time spent searching and adding the entry. This flaw allows an attacker to cause a denial of service. Se encontrado una vulnerabilidad en RESTEasy, donde RootNode almacena incorrectamente las rutas en caché. Este problema resulta en una inundación de hash, lo que conlleva a una ralentización de las peticiones con un mayor tiempo de CPU dedicado a buscar y añadir la entrada. • https://bugzilla.redhat.com/show_bug.cgi?id=1855826 https://security.netapp.com/advisory/ntap-20210713-0001 https://access.redhat.com/security/cve/CVE-2020-14326 https://issues.redhat.com/secure/ReleaseNote.jspa?version=12346372&projectId=12310560 • CWE-400: Uncontrolled Resource Consumption CWE-407: Inefficient Algorithmic Complexity •