CVE-2017-7561
resteasy: Vary header not added by CORS filter leading to cache poisoning
Severity Score
7.5
*CVSS v3
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
Red Hat JBoss EAP version 3.0.7 through before 4.0.0.Beta1 is vulnerable to a server-side cache poisoning or CORS requests in the JAX-RS component resulting in a moderate impact.
Red Hat JBoss EAP en su versión 3.0.7 hasta antes de la versión 4.0.0.Beta1 es vulnerable a un envenenamiento de la caché por parte del servidor o a peticiones CORS en el componente JAX-RS, resultando en un impacto moderado.
It was discovered that the CORS Filter did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.
Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red Hat JBoss Enterprise Application Platform 7.0.9 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.0.8, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix: It was found that Apache Lucene would accept an object from an unauthenticated user that could be manipulated through subsequent post requests. An attacker could use this flaw to assemble an object that could permit execution of arbitrary code if the server enabled Apache Solr's Config API.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2017-04-05 CVE Reserved
- 2017-09-13 CVE Published
- 2024-09-16 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-345: Insufficient Verification of Data Authenticity
- CWE-346: Origin Validation Error
- CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CAPEC
References (12)
| URL | Tag | Source |
|---|---|---|
| http://www.securityfocus.com/bid/100465 | Third Party Advisory |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://issues.jboss.org/browse/RESTEASY-1704 | 2019-10-03 |
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/errata/RHSA-2018:0002 | 2019-10-03 | |
| https://access.redhat.com/errata/RHSA-2018:0003 | 2019-10-03 | |
| https://access.redhat.com/errata/RHSA-2018:0004 | 2019-10-03 | |
| https://access.redhat.com/errata/RHSA-2018:0005 | 2019-10-03 | |
| https://access.redhat.com/errata/RHSA-2018:0478 | 2019-10-03 | |
| https://access.redhat.com/errata/RHSA-2018:0479 | 2019-10-03 | |
| https://access.redhat.com/errata/RHSA-2018:0480 | 2019-10-03 | |
| https://access.redhat.com/errata/RHSA-2018:0481 | 2019-10-03 | |
| https://access.redhat.com/security/cve/CVE-2017-7561 | 2018-03-12 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1483823 | 2018-03-12 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 3.0.7 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "3.0.7" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 3.0.8 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "3.0.8" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 3.1.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "3.1.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 3.1.1 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "3.1.1" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 3.1.2 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "3.1.2" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 3.1.4 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "3.1.4" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 3.1.5 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "3.1.5" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 3.2.3 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "3.2.3" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 3.2.4 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "3.2.4" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 3.2.5 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "3.2.5" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 3.2.9 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "3.2.9" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 3.2.13 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "3.2.13" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 3.3.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "3.3.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 3.5.1 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "3.5.1" | - |
Affected
| ||||||