CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-0482 – RESTEasy: creation of insecure temp files
https://notcve.org/view.php?id=CVE-2023-0482
17 Feb 2023 — In RESTEasy the insecure File.createTempFile() is used in the DataSourceProvider, FileProvider and Mime4JWorkaround classes which creates temp files with insecure permissions that could be read by a local user. Red Hat Single Sign-On is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat Single Sign-On for OpenShift image provides an authentication server that you can use to log in centrally, log out, and register. You can also manage user a... • https://github.com/resteasy/resteasy/pull/3409/commits/807d7456f2137cde8ef7c316707211bf4e542d56 • CWE-378: Creation of Temporary File With Insecure Permissions •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2021-20293 – RESTEasy: PathParam in RESTEasy can lead to a reflected XSS attack
https://notcve.org/view.php?id=CVE-2021-20293
10 Jun 2021 — A reflected Cross-Site Scripting (XSS) flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final, where it did not properly handle URL encoding when calling @javax.ws.rs.PathParam without any @Produces MediaType. This flaw allows an attacker to launch a reflected XSS attack. The highest threat from this vulnerability is to data confidentiality and integrity. Se ha encontrado un fallo de tipo Cross-Site Scripting (XSS) reflejado en RESTEasy en todas las versiones de RESTEasy hasta la 4.6.0.Fin... • https://bugzilla.redhat.com/show_bug.cgi?id=1942819 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0CVE-2021-20289 – resteasy: Error message exposes endpoint class information
https://notcve.org/view.php?id=CVE-2021-20289
26 Mar 2021 — A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. The highest threat from this vulnerability is to data confidentiality. Se detectó un fallo en RESTEasy en todas las versiones de RESTEasy hasta 4.6.0.Final. Los nombres de métodos y clases de endpoint son devueltos co... • https://bugzilla.redhat.com/show_bug.cgi?id=1935927 • CWE-209: Generation of Error Message Containing Sensitive Information •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2020-25633 – resteasy-client: potential sensitive information leakage in JAX-RS RESTEasy Client's WebApplicationException handling
https://notcve.org/view.php?id=CVE-2020-25633
18 Sep 2020 — A flaw was found in RESTEasy client in all versions of RESTEasy up to 4.5.6.Final. It may allow client users to obtain the server's potentially sensitive information when the server got WebApplicationException from the RESTEasy client call. The highest threat from this vulnerability is to data confidentiality. Se encontró un fallo en el cliente RESTEasy en todas las versiones de RESTEasy hasta 4.5.6.Final. Puede permitir a usuarios del cliente obtener información potencialmente confidencial del servido... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25633 • CWE-209: Generation of Error Message Containing Sensitive Information •
CVSS: 6.1EPSS: 0%CPEs: 12EXPL: 1CVE-2020-10688 – RESTEasy: RESTEASY003870 exception in RESTEasy can lead to a reflected XSS attack
https://notcve.org/view.php?id=CVE-2020-10688
28 May 2020 — A cross-site scripting (XSS) flaw was found in RESTEasy in versions before 3.11.1.Final and before 4.5.3.Final, where it did not properly handle URL encoding when the RESTEASY003870 exception occurs. An attacker could use this flaw to launch a reflected XSS attack. Se encontró un fallo de tipo cross-site scripting (XSS) en RESTEasy en versiones anteriores a 3.11.1.Final y anteriores a 4.5.3.Final, donde no manejaba apropiadamente la codificación de URL cuando ocurre la excepción RESTEASY003870. Un atac... • https://bugzilla.redhat.com/show_bug.cgi?id=1814974 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.1EPSS: 1%CPEs: 1EXPL: 0CVE-2016-9606 – Resteasy: Yaml unmarshalling vulnerable to RCE
https://notcve.org/view.php?id=CVE-2016-9606
19 May 2017 — JBoss RESTEasy before version 3.1.2 could be forced into parsing a request with YamlProvider, resulting in unmarshalling of potentially untrusted data which could allow an attacker to execute arbitrary code with RESTEasy application permissions. JBoss RESTEasy, en versiones anteriores a la 3.1.2, podría ser forzado a analizar una petición con YamlProvider, lo que resulta en la deserialización de datos potencialmente no fiables. Esto podría permitir que un atacante ejecute código arbitrario con permisos de a... • http://rhn.redhat.com/errata/RHSA-2017-1255.html • CWE-20: Improper Input Validation •
CVSS: 6.5EPSS: 1%CPEs: 2EXPL: 0CVE-2014-7839 – RESTeasy: External entities expanded by DocumentProvider
https://notcve.org/view.php?id=CVE-2014-7839
25 Nov 2014 — DocumentProvider in RESTEasy 2.3.7 and 3.0.9 does not configure the (1) external-general-entities or (2) external-parameter-entities features, which allows remote attackers to conduct XML external entity (XXE) attacks via unspecified vectors. DocumentProvider en RESTEasy 2.3.7 y 3.0.9 no configura las caracteristicas (1) external-general-entities o (2) external-parameter-entities, lo que permite a atacantes remotos realizar ataques de entidad externa XML (XXE) a través de vectores no especificados. It was f... • http://rhn.redhat.com/errata/RHSA-2015-0675.html • CWE-20: Improper Input Validation CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 7.5EPSS: 4%CPEs: 10EXPL: 0CVE-2014-3490 – RESTEasy: XXE via parameter entities
https://notcve.org/view.php?id=CVE-2014-3490
07 Aug 2014 — RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0, does not disable external entities when the resteasy.document.expand.entity.references parameter is set to false, which allows remote attackers to read arbitrary files and have other unspecified impact via unspecified vectors, related to an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0818. RESTEasy 2.3.1 anterior a 2.3.8.SP... • http://rhn.redhat.com/errata/RHSA-2014-1011.html • CWE-611: Improper Restriction of XML External Entity Reference •