Bug 1372124 (CVE-2016-6347)
Summary: | CVE-2016-6347 RESTEasy: Use of the default exception handler in RESTEasy can lead to reflected XSS attack | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Jason Shepherd <jshepherd> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | aileenc, alazarot, alee, aszczucz, bbaranow, bcourt, bdawidow, bkearney, bmaxwell, bmcclain, cbillett, cdewolf, chazlett, csutherl, dandread, darran.lofthouse, dblechte, dmoluguw, dosoudil, drieden, eedri, epp-bugs, etirelli, fnasser, gvarsami, huwang, java-sig-commits, jawilson, jboss-set, jbpapp-maint, jcoleman, jdg-bugs, jmatthew, jolee, jpallich, jshepherd, katello-bugs, kverlaen, ldimaggi, lgao, lsurette, lzap, mbaluch, mgoldboi, miburman, michal.skrivanek, mmccune, mstead, mweiler, mwinkler, myarboro, nwallace, ohadlevy, pdrozd, pgier, pkliczew, psakar, pslavice, puntogil, rcernich, rchan, Rhev-m-bugs, rnetuka, rrajasek, rsvoboda, rwagner, rzhang, satellite6-bugs, soa-p-jira, sthorger, tcunning, theute, tkirby, tlestach, tomckay, tsanders, ttarrant, twalsh, vhalbert, vtunka, weli, ykaul |
Target Milestone: | --- | Keywords: | Reopened, Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | resteasy 3.1.0.CR1, resteasy 3.0.20.Final | Doc Type: | If docs needed, set a value |
Doc Text: |
It was found that the default exception handler in RESTEasy did not properly validate user input. An attacker could use this flaw to launch a relected XSS attack.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2021-10-21 00:54:45 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1372125, 1471277, 1471278, 1590941, 1914372 | ||
Bug Blocks: | 1371804, 1372141, 1372565, 1372568, 1372571 |
Description
Jason Shepherd
2016-09-01 01:09:47 UTC
Acknowledgments: Name: Mikhail Egorov (Odin) Created resteasy tracking bugs for this issue: Affects: fedora-all [bug 1372125] Created resteasy tracking bugs for this issue: Affects: fedora-all [bug 1471277] Statement: This issue affects the versions of RESTEasy as shipped with Red Hat Satellite 6. Red Hat Product Security has rated this issue as having a security impact of Moderate. Additionally Red Hat Satellite does not use the default ExceptionMapper, and the custom exception handler does not allow return type of text/html. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/. Created resteasy tracking bugs for this issue: Affects: fedora-all [bug 1590941] The reported issue has been fixed by rebasing to resteasy 3.0.26 Rawhide/f32: https://koji.fedoraproject.org/koji/buildinfo?buildID=1403302 F31: https://koji.fedoraproject.org/koji/buildinfo?buildID=1403312 F30: https://koji.fedoraproject.org/koji/buildinfo?buildID=1403309 Closing this bug as CURRENTRELEASE |