18 matches found
CVE-2023-0482
RESTEasy CVE-2023-0482 involves creation of insecure temporary files via File.createTempFile() in DataSourceProvider, FileProvider, and Mime4JWorkaround. This local-privilege escalation vulnerability can allow an authenticated local attacker to gain elevated privileges by reading or accessing ins...
CVE-2021-20289
CVE-2021-20289 affects RESTEasy: REST endpoints reveal endpoint class and method names in exception responses when a URI path/query value cannot be mapped, potentially leaking sensitive information and impacting data confidentiality (highest threat: partial confidentiality). Affected: RESTEasy up...
CVE-2020-1695
CVE-2020-1695 affects RESTEasy, including all 3.x.x versions before 3.12.0.Final and 4.x.x versions before 4.6.0.Final. The issue arises from improper input validation that allows returning an illegal header in the server response, which may enable an injection or cause unexpected HTTP response c...
CVE-2020-10688
CVE-2020-10688 affects RESTEasy prior to 3.11.1.Final and 4.5.3.Final, where improper URL encoding during RESTEASY003870 exception handling enables a reflected XSS attack. The issue resides in the RESTEasy component and enables an attacker to execute script in a victim’s browser when user-supplie...
CVE-2020-25633
CVE-2020-25633 – RESTEasy client information disclosure . The issue affects RESTEasy’s client implementation (all versions up to 4.5.6.Final). When a server responds with a WebApplicationException during a RESTEasy client call, an attacker could potentially obtain the server’s sensitive informati...
CVE-2016-9606
CVE-2016-9606 affects JBoss RESTEasy before 3.1.2, where a request parsed with YamlProvider can trigger YAML unmarshalling of untrusted data, potentially allowing arbitrary code execution with RESTEasy application permissions. The connected Nessus entries note that the prior fix in 3.0.22 and 3.1...
CVE-2021-20293
CVE-2021-20293 affects RESTEasy (all versions up to 4.6.0.Final). The flaw is a reflected XSS caused by improper handling of URL encoding when using @javax.ws.rs.PathParam without an accompanying @Produces MediaType. Exploitation could lead to script execution in a victim’s browser, impacting dat...
CVE-2014-3490
CVE-2014-3490 affects RESTEasy used in Red Hat JBoss EAP 6.3.0 via RESTEasy 2.3.1–2.3.7 and 3.x before 3.0.9 when the parameter resteasy.document.expand.entity.references is not disabled. An XXE condition could allow remote attackers to read arbitrary local files and potentially other unspecified...
CVE-2016-6346
CVE-2016-6346 affects RESTEasy: enabling a vulnerable GZIP decompression path can cause a denial of service via unspecified vectors. The Ubuntu advisory USN-7630-1 documents RESTEasy vulnerabilities including CVE-2016-6346 and notes affected Ubuntu releases; Nessus/OSS advisories reference unpatc...
CVE-2020-14326
CVE-2020-14326 affects RESTEasy: RootNode caching of routes can trigger hash flooding, causing slower requests and higher CPU usage leading to DoS. The description confirms the vulnerability and impact but does not specify affected versions, vulnerable component details beyond RootNode routing ca...
CVE-2012-0818
RESTEasy vulnerable to XML External Entity (XXE) injection in DOM/XML processing prior to version 2.3.1, allowing remote attackers to read arbitrary files via an external entity reference. Root cause is improper handling of external entities in RESTEasy’s XML/DOM/JAXB processing (notably the JAXB...
CVE-2020-25724
RESTEasy CVE-2020-25724: A flaw causes an incorrect HTTP response which can lead to information disclosure and partial confidentiality impact. Affected are RESTEasy versions before 2.0.0.Alpha3. Exploitation details are not provided in the available documents; no explicit exploit vectors, mitiga...
CVE-2014-7839
CVE-2014-7839 affects RESTEasy DocumentProvider in RESTEasy 2.3.7 and 3.0.9, where missing configuration of external-general-entities and external-parameter-entities enables XML External Entity (XXE) attacks via unspecified vectors. The connected Red Hat advisories (RHSA-2015:0218) reference this...
CVE-2011-5245
CVE-2011-5245 affects RESTEasy (JBoss REST framework). The vulnerability arises in the readFrom function of providers.jaxb.JAXBXmlTypeProvider, allowing an XML External Entity (XXE) injection that lets an attacker read arbitrary files via an external entity reference in JAXB input. Affected versi...
CVE-2018-1051
CVE-2018-1051 concerns JBoss RESTEasy. The prior fix for CVE-2016-9606 was incomplete, and in RESTEasy versions 3.0.22 and 3.1.2 YAML unmarshalling via Yaml.load() in YamlProvider remains possible. This is documented in the CVE description and corroborated by Nessus/ERR sources noting an unpatche...
CVE-2016-6347
CVE-2016-6347 is a RESTEasy vulnerability described as a cross-site scripting (XSS) issue in the default exception handler. The available sources identify the affected component as RESTEasy, with the underlying cause being improper handling in the default exception handler that permits remote att...
CVE-2016-6345
RESTEasy vulnerability CVE-2016-6345 is confirmed in connected documents as a flaw where remote authenticated users could obtain sensitive information due to insufficient use of random values in asynchronous jobs. The Ubuntu advisory USN-7630-1 and related Nessus/OpenVAS entries reference this CV...
CVE-2016-6348
CVE-2016-6348 is reported in RESTEasy via the JacksonJsonpInterceptor and is described in connected advisories as enabling a cross-site script inclusion (XSSI) vulnerability. The Ubuntu USN and Tenable/NASL entries enumerate RESTEasy-related CVEs together and explicitly list CVE-2016-6348 among a...