Bug 1814974 (CVE-2020-10688)

Summary: CVE-2020-10688 RESTEasy: RESTEASY003870 exception in RESTEasy can lead to a reflected XSS attack
Product: [Other] Security Response Reporter: Ted Jongseok Won <jwon>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aboyko, ahenning, aileenc, asoldano, atangrin, avibelli, bbaranow, bgeorges, bmaxwell, brian.stansberry, carnil, cbyrne, cdewolf, chazlett, cmoulliard, crarobin, darran.lofthouse, dkreling, dosoudil, drieden, ggaughan, gmalinko, ikanello, iweiss, janstey, jawilson, jbalunas, jmadigan, jochrist, jpallich, jperkins, jwon, krathod, kwills, lgao, lthon, msochure, msvehla, mszynkie, ngough, nwallace, pgallagh, pjindal, pmackay, pskopek, psotirop, rguimara, rruss, rsvoboda, sguilhen, smaestri, tom.jenkinson
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: resteasy 3.11.1.Final, resteasy 4.5.3.Final Doc Type: If docs needed, set a value
Doc Text:
A cross-site scripting (XSS) flaw was found in RESTEasy, where it did not properly handle URL encoding when the RESTEASY003870 exception occurs. An attacker could use this flaw to launch a reflected XSS attack.
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-05-28 17:20:29 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1811171    

Description Ted Jongseok Won 2020-03-19 08:13:25 UTC
It was found that RESTEasy did not properly handle URL encoding when the RESTEASY003870 exception occurs. An attacker could use this flaw to launch a reflected XSS attack.

* Upstream fix: https://github.com/resteasy/Resteasy/pull/2320/files

Comment 4 Jonathan Christison 2020-03-23 16:38:59 UTC
This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss Fuse 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 5 Salvatore Bonaccorso 2020-03-24 06:43:12 UTC
Is this issue reported upstream for resteasy, and is there any additional reference to it which you could reference here?

Thank you already!

Comment 8 Ted Jongseok Won 2020-03-26 02:15:00 UTC
In reply to comment #5:
> Is this issue reported upstream for resteasy, and is there any additional
> reference to it which you could reference here?
> 
> Thank you already!

Updated the related references to this BZ. Thanks!

Comment 16 errata-xmlrpc 2020-05-28 16:00:08 UTC
This issue has been addressed in the following products:

  EAP-CD 19 Tech Preview

Via RHSA-2020:2333 https://access.redhat.com/errata/RHSA-2020:2333

Comment 17 Product Security DevOps Team 2020-05-28 17:20:29 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10688

Comment 18 errata-xmlrpc 2020-06-10 19:06:05 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6

Via RHSA-2020:2511 https://access.redhat.com/errata/RHSA-2020:2511

Comment 19 errata-xmlrpc 2020-06-10 19:24:22 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2020:2515 https://access.redhat.com/errata/RHSA-2020:2515

Comment 20 errata-xmlrpc 2020-06-11 07:09:14 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8

Via RHSA-2020:2513 https://access.redhat.com/errata/RHSA-2020:2513

Comment 21 errata-xmlrpc 2020-06-11 07:17:29 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7

Via RHSA-2020:2512 https://access.redhat.com/errata/RHSA-2020:2512

Comment 22 errata-xmlrpc 2020-07-23 07:04:50 UTC
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes

Via RHSA-2020:2905 https://access.redhat.com/errata/RHSA-2020:2905

Comment 24 errata-xmlrpc 2020-09-23 16:27:20 UTC
This issue has been addressed in the following products:

  Red Hat Runtimes Spring Boot 2.2.6

Via RHSA-2020:3806 https://access.redhat.com/errata/RHSA-2020:3806

Comment 27 errata-xmlrpc 2021-08-11 18:22:57 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.9

Via RHSA-2021:3140 https://access.redhat.com/errata/RHSA-2021:3140