Bug 1730462 (CVE-2020-1695)
| Field | Value |
|---|---|
| Summary | CVE-2020-1695 resteasy: Improper validation of response header in MediaTypeHeaderDelegate.java class |
| Product | [Other] Security Response |
| Reporter | Pedro Sampaio <psampaio> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| QA Contact | |
| Severity | medium |
| Docs Contact | |
| Priority | medium |
| Version | unspecified |
| CC | aboyko, ahenning, aileenc, akoufoud, alazarot, alee, almorale, anstephe, ascheel, asoldano, atangrin, avibelli, bbaranow, bbuckingham, bcourt, bgeorges, bkearney, bmaxwell, brian.stansberry, bspyrkos, btotty, cbuissar, cbyrne, cdewolf, chazlett, cmacedo, darran.lofthouse, dffrench, dingyichen, dkreling, dmoluguw, dosoudil, drieden, drusso, edewata, etirelli, ggaughan, gmalinko, gvarsami, hhudgeon, ibek, iweiss, janstey, java-sig-commits, jawilson, jbalunas, jcoleman, jmadigan, jochrist, jolee, jpallich, jperkins, jschatte, jshepherd, jstastny, jwon, kconner, krathod, kverlaen, kwills, ldimaggi, lgao, lpetrovi, lthon, lzap, mhulan, mmccune, mnovotny, msochure, msvehla, mszynkie, ngough, nmoumoul, nwallace, padamec, paradhya, pdrozd, pgallagh, pjindal, pmackay, pskopek, psotirop, puntogil, pwright, rchan, rguimara, rhcs-maint, rjerrido, rrajasek, rruss, rstancel, rsvoboda, rsynek, rwagner, sdaley, security-response-team, sguilhen, smaestri, sokeeffe, stewardship-sig, sthorger, tcunning, tkirby, tom.jenkinson, trepel, twalsh, vhalbert, weli |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | resteasy 3.12.0.Final, resteasy 4.6.0.Final |
| Doc Type | If docs needed, set a value |
| Doc Text | A flaw was found in Resteasy, where improper input validation results in an illegal header being returned and integrated into the server's response. This flaw may result in an injection that leads to unexpected behavior when the HTTP response is constructed. |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2020-05-12 22:31:52 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 1763052, 1845547, 1845548, 1845570 |
| Bug Blocks | 1730463 |
Description

Pedro Sampaio 2019-07-16 19:22:16 UTC

Acknowledgments:

Name: Mirko Selber (Compass Security)

This vulnerability is out of security support scope for the following product:

* Red Hat Mobile Application Platform

Please refer to https://access.redhat.com/support/policy/updates/rhmap for more details

This vulnerability is out of security support scope for the following products:

* Red Hat JBoss BPM Suite 6
* Red Hat JBoss BPM Suite 6
* Red Hat JBoss Data Virtualization & Services 6
* Red Hat JBoss Data Virtualization & Services 6
* Red Hat Enterprise Application Platform 5
* Red Hat Enterprise Application Platform 6
* Red Hat JBoss BRMS 5
* Red Hat JBoss Fuse Service Works 6
* Red Hat JBoss Fuse 6
* Red Hat JBoss Fuse 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

This issue has been addressed in the following products:

* Red Hat Single Sign On 7.3.8, via RHSA-2020:2112: https://access.redhat.com/errata/RHSA-2020:2112

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-1695

This issue has been addressed in the following products:

* EAP-CD 19 Tech Preview, via RHSA-2020:2333: https://access.redhat.com/errata/RHSA-2020:2333

Created resteasy tracking bugs for this issue:

Affects: fedora-all [bug 1845547]

This issue has been addressed in the following products:

* Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6, via RHSA-2020:2511: https://access.redhat.com/errata/RHSA-2020:2511
* Red Hat JBoss Enterprise Application Platform, via RHSA-2020:2515: https://access.redhat.com/errata/RHSA-2020:2515
* Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8, via RHSA-2020:2513: https://access.redhat.com/errata/RHSA-2020:2513
* Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7, via RHSA-2020:2512: https://access.redhat.com/errata/RHSA-2020:2512
* Red Hat Openshift Application Runtimes, via RHSA-2020:2905: https://access.redhat.com/errata/RHSA-2020:2905
* Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6, via RHSA-2020:3637: https://access.redhat.com/errata/RHSA-2020:3637
* Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8, via RHSA-2020:3639: https://access.redhat.com/errata/RHSA-2020:3639
* Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7, via RHSA-2020:3638: https://access.redhat.com/errata/RHSA-2020:3638
* Red Hat JBoss Enterprise Application Platform, via RHSA-2020:3642: https://access.redhat.com/errata/RHSA-2020:3642
* Red Hat Data Grid 7.3.7, via RHSA-2020:3779: https://access.redhat.com/errata/RHSA-2020:3779
* Red Hat Enterprise Linux 8, via RHSA-2021:1775: https://access.redhat.com/errata/RHSA-2021:1775
* Red Hat Fuse 7.9, via RHSA-2021:3140: https://access.redhat.com/errata/RHSA-2021:3140
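The Doc Text above describes the bug class, not the code: a media-type value is parsed and then written back into a response header without being checked, so a value that is not a legal header value ends up in the HTTP response. The block below is an added, stand-alone illustration of the check such a header delegate needs. It is not RESTEasy's MediaTypeHeaderDelegate and does not reproduce the vulnerable or the fixed code path; the class and method names are this example's own, the grammar is taken from RFC 7231 (media-type) and RFC 7230 (token, quoted-string), and the sample inputs, including the one carrying CR/LF, are constructed to show the generic "illegal header" shape rather than captured from any request.

```java
import java.util.Arrays;
import java.util.List;

/**
 * Added example (not RESTEasy code): validate a media-type header value before
 * it is written into an HTTP response.
 *
 * Grammar (RFC 7231 s.3.1.1.1, RFC 7230 s.3.2.6):
 *   media-type = type "/" subtype *( OWS ";" OWS parameter )
 *   parameter  = token "=" ( token / quoted-string )
 */
public final class MediaTypeHeaderCheck {

    private MediaTypeHeaderCheck() {}

    /** RFC 7230 tchar: a VCHAR that is not a delimiter. */
    static boolean isTchar(char c) {
        if (c >= '0' && c <= '9') return true;
        if (c >= 'A' && c <= 'Z') return true;
        if (c >= 'a' && c <= 'z') return true;
        return "!#$%&'*+-.^_`|~".indexOf(c) >= 0;
    }

    /** Skips spaces. HTAB, which RFC 7230 also allows as OWS, is rejected below with the other controls (stricter than the RFC). */
    private static int skipOws(String s, int i) {
        while (i < s.length() && s.charAt(i) == ' ') i++;
        return i;
    }

    /** Returns the index just past the token starting at i, or -1 if there is no token. */
    private static int readToken(String s, int i) {
        int start = i;
        while (i < s.length() && isTchar(s.charAt(i))) i++;
        return i == start ? -1 : i;
    }

    /**
     * True only if value is a syntactically complete media type. Any control
     * character (CR and LF included) is rejected up front, whatever its
     * position, because it could terminate or split the header line the value
     * is written into.
     */
    public static boolean isValidMediaType(String value) {
        if (value == null) return false;
        int n = value.length();
        for (int k = 0; k < n; k++) {
            char c = value.charAt(k);
            if (c < 0x20 || c == 0x7f) return false;
        }
        int i = readToken(value, 0);                        // type
        if (i < 0 || i >= n || value.charAt(i) != '/') return false;
        i = readToken(value, i + 1);                        // subtype
        if (i < 0) return false;
        while (true) {                                      // *( OWS ";" OWS parameter )
            i = skipOws(value, i);
            if (i == n) return true;
            if (value.charAt(i) != ';') return false;
            i = skipOws(value, i + 1);
            i = readToken(value, i);                        // parameter name
            if (i < 0 || i >= n || value.charAt(i) != '=') return false;
            i++;
            if (i < n && value.charAt(i) == '"') {          // quoted-string
                i++;
                while (i < n && value.charAt(i) != '"') {
                    if (value.charAt(i) == '\\') {          // quoted-pair
                        if (i + 1 >= n) return false;
                        i++;
                    }
                    i++;
                }
                if (i >= n) return false;                   // unterminated quote
                i++;
            } else {
                i = readToken(value, i);                    // token value
                if (i < 0) return false;
            }
        }
    }

    /** The gate a header delegate should apply: refuse, rather than emit, anything that is not a media type. */
    public static String toResponseHeaderValue(String value) {
        if (!isValidMediaType(value)) {
            // The rejected value is deliberately not echoed into the message:
            // it may contain the very CR/LF that made it illegal.
            throw new IllegalArgumentException("illegal media type header value");
        }
        return value;
    }

    public static void main(String[] args) {
        // Constructed sample inputs (not captured traffic).
        List<String> samples = Arrays.asList(
            "application/json",
            "text/plain; charset=utf-8",
            "text/html; title=\"a;b\"",
            "*/*",
            "text",
            "text/plain; charset",
            "text/plain\r\nX-Injected: 1",
            "text/plain; charset=utf-8\n");
        for (String s : samples) {
            String shown = s.replace("\r", "\\r").replace("\n", "\\n");
            System.out.printf("%-32s -> %s%n", shown, isValidMediaType(s) ? "accepted" : "rejected");
        }
    }
}
```

The two points a practitioner should take from this: validation has to happen on the string that will actually be written (after parsing and re-serialisation, not only on the raw request header), and the rejection path must not log or echo the offending value in a way that reintroduces the control characters it just refused.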