Skip to main content

Resteasy CVE-2021-20293

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2021-06-10 secalert@redhat.com
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Jun 10, 2021 - 12:15 nvd
MEDIUM 6.1

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 461 maven packages depend on org.jboss.resteasy:resteasy-core (28 direct, 433 indirect)

Ecosystem-wide dependent count for version 4.6.0.Final.

DescriptionNVD

A reflected Cross-Site Scripting (XSS) flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final, where it did not properly handle URL encoding when calling @javax.ws.rs.PathParam without any @Produces MediaType. This flaw allows an attacker to launch a reflected XSS attack. The highest threat from this vulnerability is to data confidentiality and integrity.

AnalysisAI

A reflected Cross-Site Scripting (XSS) flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final, where it did not properly handle URL encoding when calling @javax.ws.rs.PathParam. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. A reflected Cross-Site Scripting (XSS) flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final, where it did not properly handle URL encoding when calling @javax.ws.rs.PathParam without any @Produces MediaType. This flaw allows an attacker to launch a reflected XSS attack. The highest threat from this vulnerability is to data confidentiality and integrity. Affected products include: Redhat Resteasy, Netapp Oncommand Insight. Version information: up to 4.6.0..

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2014-3490 HIGH
7.5 Aug 19

RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red Hat JBoss Enterprise Application Platform (EAP) 6.3

CVE-2018-1051 HIGH
8.1 Jan 25

It was found that the fix for CVE-2016-9606 in versions 3.0.22 and 3.1.2 was incomplete and Yaml unmarshalling in Restea

CVE-2016-6346 HIGH
7.5 Sep 07

RESTEasy enables GZIPInterceptor, which allows remote attackers to cause a denial of service via unspecified vectors. Ra

CVE-2020-1695 HIGH
7.5 May 19

A flaw was found in all resteasy 3.x.x versions prior to 3.12.0.Final and all resteasy 4.x.x versions prior to 4.6.0.Fin

CVE-2014-7839 MEDIUM
6.4 Nov 25

DocumentProvider in RESTEasy 2.3.7 and 3.0.9 does not configure the (1) external-general-entities or (2) external-parame

CVE-2016-6345 MEDIUM
6.5 Sep 07

RESTEasy allows remote authenticated users to obtain sensitive information by leveraging "insufficient use of random val

CVE-2016-6348 MEDIUM
6.1 Apr 12

JacksonJsonpInterceptor in RESTEasy might allow remote attackers to conduct a cross-site script inclusion (XSSI) attack.

CVE-2016-6347 MEDIUM
6.1 Apr 20

Cross-site scripting (XSS) vulnerability in the default exception handler in RESTEasy allows remote attackers to inject

CVE-2023-0482 MEDIUM
5.5 Feb 17

In RESTEasy the insecure File.createTempFile() is used in the DataSourceProvider, FileProvider and Mime4JWorkaround clas

CVE-2021-20289 MEDIUM
5.3 Mar 26

A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. Rated medium severity (CVSS 5.3), this vulne

CVE-2020-25633 MEDIUM
5.3 Sep 18

A flaw was found in RESTEasy client in all versions of RESTEasy up to 4.5.6.Final. Rated medium severity (CVSS 5.3), thi

CVE-2012-0818 MEDIUM
5.0 Nov 23

RESTEasy before 2.3.1 allows remote attackers to read arbitrary files via an external entity reference in a DOM document

Share

CVE-2021-20293 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy