Skip to main content

Resteasy CVE-2021-20289

MEDIUM
Error Message Information Leak (CWE-209)
2021-03-26 secalert@redhat.com
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Mar 26, 2021 - 17:15 nvd
MEDIUM 5.3

DescriptionNVD

A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. The highest threat from this vulnerability is to data confidentiality.

AnalysisAI

A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Technical ContextAI

This vulnerability is classified under CWE-209. A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. The highest threat from this vulnerability is to data confidentiality. Affected products include: Redhat Resteasy, Netapp Oncommand Insight, Quarkus, Oracle Communications Cloud Native Core Console. Version information: up to 4.6.0..

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2014-3490 HIGH
7.5 Aug 19

RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red Hat JBoss Enterprise Application Platform (EAP) 6.3

CVE-2018-1051 HIGH
8.1 Jan 25

It was found that the fix for CVE-2016-9606 in versions 3.0.22 and 3.1.2 was incomplete and Yaml unmarshalling in Restea

CVE-2016-6346 HIGH
7.5 Sep 07

RESTEasy enables GZIPInterceptor, which allows remote attackers to cause a denial of service via unspecified vectors. Ra

CVE-2020-1695 HIGH
7.5 May 19

A flaw was found in all resteasy 3.x.x versions prior to 3.12.0.Final and all resteasy 4.x.x versions prior to 4.6.0.Fin

CVE-2014-7839 MEDIUM
6.4 Nov 25

DocumentProvider in RESTEasy 2.3.7 and 3.0.9 does not configure the (1) external-general-entities or (2) external-parame

CVE-2016-6345 MEDIUM
6.5 Sep 07

RESTEasy allows remote authenticated users to obtain sensitive information by leveraging "insufficient use of random val

CVE-2016-6348 MEDIUM
6.1 Apr 12

JacksonJsonpInterceptor in RESTEasy might allow remote attackers to conduct a cross-site script inclusion (XSSI) attack.

CVE-2016-6347 MEDIUM
6.1 Apr 20

Cross-site scripting (XSS) vulnerability in the default exception handler in RESTEasy allows remote attackers to inject

CVE-2021-20293 MEDIUM
6.1 Jun 10

A reflected Cross-Site Scripting (XSS) flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final, where i

CVE-2023-0482 MEDIUM
5.5 Feb 17

In RESTEasy the insecure File.createTempFile() is used in the DataSourceProvider, FileProvider and Mime4JWorkaround clas

CVE-2020-25633 MEDIUM
5.3 Sep 18

A flaw was found in RESTEasy client in all versions of RESTEasy up to 4.5.6.Final. Rated medium severity (CVSS 5.3), thi

CVE-2012-0818 MEDIUM
5.0 Nov 23

RESTEasy before 2.3.1 allows remote attackers to read arbitrary files via an external entity reference in a DOM document

Share

CVE-2021-20289 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy