Back to bug 1378613
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Jason Shepherd | 2016-09-22 23:37:47 UTC | Blocks | 1371804 | |
| Jason Shepherd | 2016-09-22 23:41:59 UTC | Depends On | 1378616 | |
| Jason Shepherd | 2016-09-22 23:43:23 UTC | Doc Text | Under certain conditions it's possible for an attacker to force the use of a SerializableProvider to parse a request in RESTEasy. An attacker can use this flaw to lauch a remote code execution attack. | |
| Jason Shepherd | 2016-09-22 23:45:51 UTC | Depends On | 1378618 | |
| Jason Shepherd | 2016-09-22 23:45:56 UTC | Depends On | 1378619 | |
| gil cattaneo | 2016-09-23 00:13:12 UTC | Fixed In Version | resteasy-3.0.17-1.fc24 | |
| Jason Shepherd | 2016-09-23 00:13:30 UTC | Whiteboard | impact=important,public=20160923,reported=20160829,source=researcher,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,cvss3=9.0/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H,cwe=CWE-502,rhel-7/resteasy-base=affected,fedora-all/resteasy=affected | impact=important,public=20160923,reported=20160829,source=researcher,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,cvss3=9.0/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H,cwe=CWE-502,rhel-7/resteasy-base=affected,fedora-all/resteasy=notaffected |
| Jason Shepherd | 2016-09-23 00:37:02 UTC | Whiteboard | impact=important,public=20160923,reported=20160829,source=researcher,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,cvss3=9.0/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H,cwe=CWE-502,rhel-7/resteasy-base=affected,fedora-all/resteasy=notaffected | impact=important,public=20160923,reported=20160829,source=researcher,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,cvss3=9.0/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H,cwe=CWE-502,rhel-7/resteasy-base=affected,fedora-all/resteasy=notaffected,eap-7/resteasy=notaffected |
| Jason Shepherd | 2016-09-23 00:37:09 UTC | CC | bbaranow, bmaxwell, cdewolf, csutherl, dandread, darran.lofthouse, dosoudil, jawilson, jshepherd, lgao, myarboro, pgier, psakar, pslavice, rnetuka, rsvoboda, twalsh, vtunka | |
| Jason Shepherd | 2016-09-23 00:37:31 UTC | Whiteboard | impact=important,public=20160923,reported=20160829,source=researcher,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,cvss3=9.0/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H,cwe=CWE-502,rhel-7/resteasy-base=affected,fedora-all/resteasy=notaffected,eap-7/resteasy=notaffected | impact=important,public=20160923,reported=20160829,source=researcher,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,cvss3=9.0/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H,cwe=CWE-502,rhel-7/resteasy-base=affected,fedora-all/resteasy=notaffected,eap-7/resteasy=notaffected,fuse-6/resteasy=notaffected |
| Jason Shepherd | 2016-09-23 00:37:41 UTC | CC | aileenc, chazlett | |
| Jason Shepherd | 2016-09-23 00:38:01 UTC | Whiteboard | impact=important,public=20160923,reported=20160829,source=researcher,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,cvss3=9.0/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H,cwe=CWE-502,rhel-7/resteasy-base=affected,fedora-all/resteasy=notaffected,eap-7/resteasy=notaffected,fuse-6/resteasy=notaffected | impact=important,public=20160923,reported=20160829,source=researcher,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,cvss3=9.0/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H,cwe=CWE-502,rhel-7/resteasy-base=affected,fedora-all/resteasy=notaffected,eap-7/resteasy=notaffected,fuse-6/resteasy=notaffected,eap-6/resteasy=notaffected |
| Jason Shepherd | 2016-09-23 00:38:14 UTC | CC | fnasser, jason.greene, jboss-set | |
| gil cattaneo | 2016-09-23 03:09:02 UTC | CC | puntogil | |
| Martin Prpič | 2016-09-23 06:09:33 UTC | Fixed In Version | resteasy-3.0.17-1.fc24 | resteasy 3.0.17 |
| Tomas Hoger | 2016-09-23 06:49:35 UTC | Fixed In Version | resteasy 3.0.17 | |
| Tomas Hoger | 2016-09-23 06:49:35 UTC | Summary | CVE-2016-7050 SerializableProvider in RESTEasy 3 before 3.0.15.Final is enabled by default and deserializes untrusted data | CVE-2016-7050 RESTEasy:SerializableProvider enabled by default and deserializes untrusted data |
| Eric Christensen | 2016-09-23 13:10:49 UTC | Doc Text | Under certain conditions it's possible for an attacker to force the use of a SerializableProvider to parse a request in RESTEasy. An attacker can use this flaw to lauch a remote code execution attack. | Under certain conditions it's possible for an attacker to force the use of a SerializableProvider to parse a request in RESTEasy. An attacker can use this flaw to launch a remote code execution attack. |
| Huzaifa S. Sidhpurwala | 2016-09-29 05:43:49 UTC | Flags | needinfo?(jshepherd) | |
| Jason Shepherd | 2016-09-29 06:20:15 UTC | Flags | needinfo?(jshepherd) | |
| Dhiru Kholia | 2016-09-29 09:29:43 UTC | CC | dkholia | |
| Jason Shepherd | 2016-09-30 05:41:25 UTC | Whiteboard | impact=important,public=20160923,reported=20160829,source=researcher,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,cvss3=9.0/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H,cwe=CWE-502,rhel-7/resteasy-base=affected,fedora-all/resteasy=notaffected,eap-7/resteasy=notaffected,fuse-6/resteasy=notaffected,eap-6/resteasy=notaffected | impact=important,public=20160923,reported=20160829,source=researcher,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,cvss3=9.0/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H,cwe=CWE-502,rhel-7/resteasy-base=affected/impact=moderate/cvss2=5.1/AV:N/AC:H/Au:N/C:P/I:P/A:P,fedora-all/resteasy=notaffected,eap-7/resteasy=notaffected,fuse-6/resteasy=notaffected,eap-6/resteasy=notaffected |
| Martin Prpič | 2016-11-02 11:07:00 UTC | Doc Text | Under certain conditions it's possible for an attacker to force the use of a SerializableProvider to parse a request in RESTEasy. An attacker can use this flaw to launch a remote code execution attack. | It was discovered that under certain conditions RESTEasy could be forced to parse a request with SerializableProvider, resulting in deserialization of potentially untrusted data. An attacker could possibly use this flaw to execute arbitrary code with the permissions of the application using RESTEasy. |
| Hooman Broujerdi | 2016-11-03 04:51:56 UTC | Whiteboard | impact=important,public=20160923,reported=20160829,source=researcher,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,cvss3=9.0/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H,cwe=CWE-502,rhel-7/resteasy-base=affected/impact=moderate/cvss2=5.1/AV:N/AC:H/Au:N/C:P/I:P/A:P,fedora-all/resteasy=notaffected,eap-7/resteasy=notaffected,fuse-6/resteasy=notaffected,eap-6/resteasy=notaffected | impact=important,public=20160923,reported=20160829,source=researcher,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,cvss3=9.0/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H,cwe=CWE-502,rhel-7/resteasy-base=affected/impact=moderate/cvss2=5.1/AV:N/AC:H/Au:N/C:P/I:P/A:P,fedora-all/resteasy=notaffected,eap-7/resteasy=notaffected,fuse-6/resteasy=affected,eap-6/resteasy=notaffected |
| Pavel Polischouk | 2016-11-03 16:27:13 UTC | CC | pavelp | |
| kat | 2016-11-17 22:27:35 UTC | CC | kbost | |
| Jason Shepherd | 2016-11-18 01:21:53 UTC | Whiteboard | impact=important,public=20160923,reported=20160829,source=researcher,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,cvss3=9.0/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H,cwe=CWE-502,rhel-7/resteasy-base=affected/impact=moderate/cvss2=5.1/AV:N/AC:H/Au:N/C:P/I:P/A:P,fedora-all/resteasy=notaffected,eap-7/resteasy=notaffected,fuse-6/resteasy=affected,eap-6/resteasy=notaffected | impact=important,public=20160923,reported=20160829,source=researcher,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,cvss3=9.0/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H,cwe=CWE-502,rhel-7/resteasy-base=affected/impact=moderate/cvss2=5.1/AV:N/AC:H/Au:N/C:P/I:P/A:P,fedora-all/resteasy=notaffected,eap-7/resteasy=notaffected,fuse-6/resteasy=notaffected,eap-6/resteasy=notaffected |
| Doran Moppert | 2017-08-04 03:14:19 UTC | Status | NEW | CLOSED |
| Doran Moppert | 2017-08-04 03:14:19 UTC | Resolution | --- | ERRATA |
| Doran Moppert | 2017-08-04 03:14:19 UTC | Whiteboard | impact=important,public=20160923,reported=20160829,source=researcher,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,cvss3=9.0/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H,cwe=CWE-502,rhel-7/resteasy-base=affected/impact=moderate/cvss2=5.1/AV:N/AC:H/Au:N/C:P/I:P/A:P,fedora-all/resteasy=notaffected,eap-7/resteasy=notaffected,fuse-6/resteasy=notaffected,eap-6/resteasy=notaffected | impact=important,public=20160923,reported=20160829,source=researcher,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,cvss3=9.0/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H,cwe=CWE-502,rhel-7/resteasy-base=affected/cvss2=5.1/AV:N/AC:H/Au:N/C:P/I:P/A:P/impact=moderate,fedora-all/resteasy=notaffected,eap-7/resteasy=notaffected,fuse-6/resteasy=notaffected,eap-6/resteasy=notaffected |
| Doran Moppert | 2017-08-04 03:14:19 UTC | Last Closed | | 2017-08-03 23:14:19 UTC |
| Product Security DevOps Team | 2019-09-29 13:57:05 UTC | Whiteboard | impact=important,public=20160923,reported=20160829,source=researcher,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,cvss3=9.0/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H,cwe=CWE-502,rhel-7/resteasy-base=affected/cvss2=5.1/AV:N/AC:H/Au:N/C:P/I:P/A:P/impact=moderate,fedora-all/resteasy=notaffected,eap-7/resteasy=notaffected,fuse-6/resteasy=notaffected,eap-6/resteasy=notaffected |
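
The Doc Text entries above describe the mechanism behind CVE-2016-7050 only in one sentence: a provider that hands a request body to Java serialization (CWE-502) lets the client choose which class's `readObject()` runs on the server. The following is an added illustration of that mechanism and of the JVM-level check a practitioner would want; it is not RESTEasy's code, not part of this bug record, and does not reproduce the actual gadget chain. `SideEffect` is a constructed stand-in for a gadget class, and `com.example.dto.*` is a hypothetical allowlist entry for an application's own DTO package.

```java
import java.io.*;

// Added illustration, not RESTEasy code: why a provider that calls
// ObjectInputStream.readObject() on a request body is a remote-code-execution
// sink, and how a JEP 290 ObjectInputFilter (java.io, Java 9+) refuses any
// class outside an explicit allowlist before its readObject() can run.
public class DeserializationSinkDemo {

    // Constructed stand-in for a gadget: a Serializable class on the classpath
    // whose readObject() runs code. Real gadget chains reach Runtime.exec();
    // this one only records that it ran so the demo stays harmless.
    static final class SideEffect implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean executed = false;

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            executed = true; // attacker-chosen code runs here, before the application sees the object
        }
    }

    // The attacker serialises the gadget client-side. The server never has to
    // declare SideEffect as a parameter type; the stream names the class.
    static byte[] craftRequestBody() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new SideEffect());
        }
        return bos.toByteArray();
    }

    // Vulnerable shape of a serialization provider: every class on the classpath is accepted.
    static Object readUnfiltered(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(body))) {
            return ois.readObject();
        }
    }

    // Hardened shape: an allowlist filter is consulted when each class descriptor is
    // read; a rejected class raises InvalidClassException and is never instantiated.
    static Object readFiltered(byte[] body, String allowPattern) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(allowPattern);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(body))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] body = craftRequestBody();

        SideEffect.executed = false;
        readUnfiltered(body);
        System.out.println("unfiltered: gadget readObject ran = " + SideEffect.executed); // true

        SideEffect.executed = false;
        try {
            // java.lang.String and a hypothetical DTO package are allowed; "!*" rejects everything else.
            readFiltered(body, "java.lang.String;com.example.dto.*;!*");
        } catch (InvalidClassException e) {
            System.out.println("filtered: rejected -> " + e.getMessage());
        }
        System.out.println("filtered: gadget readObject ran = " + SideEffect.executed); // false
    }
}
```

The fix recorded in this bug (RESTEasy 3.0.15.Final per the Summary, 3.0.17 per the Fixed In Version entries) removes the sink by no longer enabling SerializableProvider by default. Where a framework's provider is not under your control, the same allowlist can be applied process-wide with `-Djdk.serialFilter=...` (Java 9+, or 8u121+ via `sun.misc.ObjectInputFilter`), which covers every `ObjectInputStream` the application opens rather than only the ones you wrote.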