Red Hat Resteasy
By the Year
In 2023 there have been 1 vulnerability in Red Hat Resteasy with an average score of 5.5 out of ten. Resteasy did not have any published security vulnerabilities last year. That is, 1 more vulnerability have already been reported in 2023 as compared to last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2023 | 1 | 5.50 |
| 2022 | 0 | 0.00 |
| 2021 | 5 | 5.86 |
| 2020 | 2 | 6.40 |
| 2019 | 0 | 0.00 |
| 2018 | 1 | 8.10 |
It may take a day or so for new Resteasy vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Red Hat Resteasy Security Vulnerabilities
In RESTEasy the insecure File.createTempFile() is used in the DataSourceProvider, FileProvider and Mime4JWorkaround classes which creates temp files with insecure permissions
CVE-2023-0482
5.5 - Medium
- February 17, 2023
In RESTEasy the insecure File.createTempFile() is used in the DataSourceProvider, FileProvider and Mime4JWorkaround classes which creates temp files with insecure permissions that could be read by a local user.
A reflected Cross-Site Scripting (XSS) flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final
CVE-2021-20293
6.1 - Medium
- June 10, 2021
A reflected Cross-Site Scripting (XSS) flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final, where it did not properly handle URL encoding when calling @javax.ws.rs.PathParam without any @Produces MediaType. This flaw allows an attacker to launch a reflected XSS attack. The highest threat from this vulnerability is to data confidentiality and integrity.
XSS
A vulnerability was found in RESTEasy, where RootNode incorrectly caches routes
CVE-2020-14326
7.5 - High
- June 02, 2021
A vulnerability was found in RESTEasy, where RootNode incorrectly caches routes. This issue results in hash flooding, leading to slower requests with higher CPU time spent searching and adding the entry. This flaw allows an attacker to cause a denial of service.
A cross-site scripting (XSS) flaw was found in RESTEasy in versions before 3.11.1.Final and before 4.5.3.Final
CVE-2020-10688
6.1 - Medium
- May 27, 2021
A cross-site scripting (XSS) flaw was found in RESTEasy in versions before 3.11.1.Final and before 4.5.3.Final, where it did not properly handle URL encoding when the RESTEASY003870 exception occurs. An attacker could use this flaw to launch a reflected XSS attack.
XSS
A flaw was found in RESTEasy, where an incorrect response to an HTTP request is provided
CVE-2020-25724
4.3 - Medium
- May 26, 2021
A flaw was found in RESTEasy, where an incorrect response to an HTTP request is provided. This flaw allows an attacker to gain access to privileged information. The highest threat from this vulnerability is to confidentiality and integrity. Versions before resteasy 2.0.0.Alpha3 are affected.
Unsynchronized Access to Shared Data in a Multithreaded Context
A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final
CVE-2021-20289
5.3 - Medium
- March 26, 2021
A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. The highest threat from this vulnerability is to data confidentiality.
Generation of Error Message Containing Sensitive Information
A flaw was found in RESTEasy client in all versions of RESTEasy up to 4.5.6.Final
CVE-2020-25633
5.3 - Medium
- September 18, 2020
A flaw was found in RESTEasy client in all versions of RESTEasy up to 4.5.6.Final. It may allow client users to obtain the server's potentially sensitive information when the server got WebApplicationException from the RESTEasy client call. The highest threat from this vulnerability is to data confidentiality.
Generation of Error Message Containing Sensitive Information
A flaw was found in RESTEasy client in all versions of RESTEasy up to 4.5.6.Final
CVE-2020-25633
5.3 - Medium
- September 18, 2020
A flaw was found in RESTEasy client in all versions of RESTEasy up to 4.5.6.Final. It may allow client users to obtain the server's potentially sensitive information when the server got WebApplicationException from the RESTEasy client call. The highest threat from this vulnerability is to data confidentiality.
Generation of Error Message Containing Sensitive Information
A flaw was found in all resteasy 3.x.x versions prior to 3.12.0.Final and all resteasy 4.x.x versions prior to 4.6.0.Final, where an improper input validation results in returning an illegal header
CVE-2020-1695
7.5 - High
- May 19, 2020
A flaw was found in all resteasy 3.x.x versions prior to 3.12.0.Final and all resteasy 4.x.x versions prior to 4.6.0.Final, where an improper input validation results in returning an illegal header that integrates into the server's response. This flaw may result in an injection, which leads to unexpected behavior when the HTTP response is constructed.
It was found that the fix for CVE-2016-9606 in versions 3.0.22 and 3.1.2 was incomplete and Yaml unmarshalling in Resteasy is still possible
CVE-2018-1051
8.1 - High
- January 25, 2018
It was found that the fix for CVE-2016-9606 in versions 3.0.22 and 3.1.2 was incomplete and Yaml unmarshalling in Resteasy is still possible via `Yaml.load()` in YamlProvider.
Marshaling, Unmarshaling
RESTEasy before 2.3.1
CVE-2012-0818
- November 23, 2012
RESTEasy before 2.3.1 allows remote attackers to read arbitrary files via an external entity reference in a DOM document, aka an XML external entity (XXE) injection attack.
Information Disclosure
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Red Hat Resteasy or by Red Hat? Click the Watch button to subscribe.
