Resteasy Security Vulnerabilities and Issues — Resteasy CVE List

Lucene search

RedhatResteasy

18 matches found

CVE•added 2021/03/26 5:15 p.m.•198 views

CVE-2021-20289

A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. The highe...

5.3CVSS5.3AI score0.00089EPSS

CVE•added 2023/02/17 10:15 p.m.•187 views

CVE-2023-0482

In RESTEasy the insecure File.createTempFile() is used in the DataSourceProvider, FileProvider and Mime4JWorkaround classes which creates temp files with insecure permissions that could be read by a local user.

5.5CVSS5AI score0.00038EPSS

CVE•added 2020/05/19 3:15 p.m.•167 views

CVE-2020-1695

A flaw was found in all resteasy 3.x.x versions prior to 3.12.0.Final and all resteasy 4.x.x versions prior to 4.6.0.Final, where an improper input validation results in returning an illegal header that integrates into the server's response. This flaw may result in an injection, which leads to unex...

7.5CVSS7.1AI score0.00397EPSS

CVE•added 2021/05/27 7:15 p.m.•137 views

CVE-2020-10688

A cross-site scripting (XSS) flaw was found in RESTEasy in versions before 3.11.1.Final and before 4.5.3.Final, where it did not properly handle URL encoding when the RESTEASY003870 exception occurs. An attacker could use this flaw to launch a reflected XSS attack.

6.1CVSS5.7AI score0.00432EPSS

CVE•added 2020/09/18 7:15 p.m.•135 views

CVE-2020-25633

A flaw was found in RESTEasy client in all versions of RESTEasy up to 4.5.6.Final. It may allow client users to obtain the server's potentially sensitive information when the server got WebApplicationException from the RESTEasy client call. The highest threat from this vulnerability is to data conf...

5.3CVSS5AI score0.0034EPSS

CVE•added 2018/03/09 8:29 p.m.•130 views

CVE-2016-9606

JBoss RESTEasy before version 3.1.2 could be forced into parsing a request with YamlProvider, resulting in unmarshalling of potentially untrusted data which could allow an attacker to execute arbitrary code with RESTEasy application permissions.

8.1CVSS8.1AI score0.00772EPSS

CVE•added 2021/06/10 12:15 p.m.•123 views

CVE-2021-20293

A reflected Cross-Site Scripting (XSS) flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final, where it did not properly handle URL encoding when calling @javax.ws.rs.PathParam without any @Produces MediaType. This flaw allows an attacker to launch a reflected XSS attack. The high...

6.1CVSS5.6AI score0.002EPSS

CVE•added 2014/08/19 6:55 p.m.•109 views

CVE-2014-3490

RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0, does not disable external entities when the resteasy.document.expand.entity.references parameter is set to false, which allows remote attackers to read arbitrary files and hav...

7.5CVSS9.4AI score0.04646EPSS

CVE•added 2016/09/07 6:59 p.m.•106 views

CVE-2016-6346

RESTEasy enables GZIPInterceptor, which allows remote attackers to cause a denial of service via unspecified vectors.

7.5CVSS7.2AI score0.02017EPSS

CVE•added 2021/05/26 9:15 p.m.•101 views

CVE-2020-25724

A flaw was found in RESTEasy, where an incorrect response to an HTTP request is provided. This flaw allows an attacker to gain access to privileged information. The highest threat from this vulnerability is to confidentiality and integrity. Versions before resteasy 2.0.0.Alpha3 are affected.

4.3CVSS4.3AI score0.00132EPSS

CVE•added 2021/06/02 12:15 p.m.•100 views

CVE-2020-14326

A vulnerability was found in RESTEasy, where RootNode incorrectly caches routes. This issue results in hash flooding, leading to slower requests with higher CPU time spent searching and adding the entry. This flaw allows an attacker to cause a denial of service.

7.5CVSS7.1AI score0.00499EPSS

CVE•added 2012/11/23 8:55 p.m.•94 views

CVE-2012-0818

RESTEasy before 2.3.1 allows remote attackers to read arbitrary files via an external entity reference in a DOM document, aka an XML external entity (XXE) injection attack.

5CVSS9.2AI score0.01376EPSS

CVE•added 2018/01/25 8:29 p.m.•81 views

CVE-2018-1051

It was found that the fix for CVE-2016-9606 in versions 3.0.22 and 3.1.2 was incomplete and Yaml unmarshalling in Resteasy is still possible via Yaml.load() in YamlProvider.

8.1CVSS7.9AI score0.00772EPSS

CVE•added 2012/11/23 8:55 p.m.•78 views

CVE-2011-5245

The readFrom function in providers.jaxb.JAXBXmlTypeProvider in RESTEasy before 2.3.2 allows remote attackers to read arbitrary files via an external entity reference in a Java Architecture for XML Binding (JAXB) input, aka an XML external entity (XXE) injection attack, a similar vulnerability to CV...

5CVSS9.2AI score0.01376EPSS

CVE•added 2014/11/25 3:59 p.m.•74 views

CVE-2014-7839

DocumentProvider in RESTEasy 2.3.7 and 3.0.9 does not configure the (1) external-general-entities or (2) external-parameter-entities features, which allows remote attackers to conduct XML external entity (XXE) attacks via unspecified vectors.

6.4CVSS7.7AI score0.01262EPSS

CVE•added 2017/04/20 5:59 p.m.•64 views

CVE-2016-6347

Cross-site scripting (XSS) vulnerability in the default exception handler in RESTEasy allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

6.1CVSS5.9AI score0.002EPSS

CVE•added 2016/09/07 6:59 p.m.•62 views

CVE-2016-6345

RESTEasy allows remote authenticated users to obtain sensitive information by leveraging "insufficient use of random values" in async jobs.

6.5CVSS5.9AI score0.00147EPSS

CVE•added 2017/04/12 10:59 p.m.•55 views

CVE-2016-6348

JacksonJsonpInterceptor in RESTEasy might allow remote attackers to conduct a cross-site script inclusion (XSSI) attack.

6.1CVSS6AI score0.00283EPSS