Bug 1935927 (CVE-2021-20289)
Summary: | CVE-2021-20289 resteasy: Error message exposes endpoint class information | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | | |
Version: | unspecified | CC: | aboyko, ahenning, aileenc, akoufoud, alazarot, alee, alexander.m.scheel, almorale, anstephe, asoldano, atangrin, ataylor, avibelli, bbaranow, bbuckingham, bcourt, bgeorges, bibryam, bkearney, bmaxwell, brian.stansberry, btotty, cdewolf, cfu, chazlett, clement.escoffier, cmoulliard, dandread, darran.lofthouse, dchen, dkreling, dosoudil, drieden, edewata, eleandro, eric.wittmann, etirelli, fjuma, ganandan, ggaughan, gmalinko, gsmet, gvarsami, hamadhan, hbraun, hhudgeon, ibek, ikanello, iweiss, janstey, java-sig-commits, jcoleman, jmagne, jnethert, jochrist, jolee, jpallich, jperkins, jrokos, jross, jschatte, jstastny, jwon, kaycoth, kconner, krathod, kverlaen, kwills, ldimaggi, lgao, loleary, lthon, lzap, mkdineshprasanth, mmccune, mnovotny, msochure, msvehla, mszynkie, nmoumoul, nwallace, pantinor, pcreech, pdrozd, peholase, pgallagh, pjindal, pmackay, probinso, pskopek, puntogil, rchan, rguimara, rhcs-maint, rjerrido, rrajasek, rruss, rsigal, rstancel, rsvoboda, rwagner, sbiarozk, sdouglas, security-response-team, sguilhen, smaestri, sokeeffe, sthorger, tcunning, theute, tkirby, tom.jenkinson, tzimanyi, weli, yborgess |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | resteasy 3.11.5.Final, resteasy 3.15.2.Final, resteasy 4.5.10.Final, resteasy 4.6.1.Final, resteasy 4.6.2.Final | Doc Type: | If docs needed, set a value |
Doc Text: | A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. The highest threat from this vulnerability is to data confidentiality. | | |
Story Points: | --- | | |
Clone Of: | | Environment: | |
Last Closed: | 2021-09-30 12:21:10 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1936941, 1938279, 1941544, 1941545, 1941546 | | |
Bug Blocks: | 1935929, 1939063, 1939790, 2014197 | | |
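The Doc Text describes the mechanism: when a path or query value cannot be converted to the resource method's parameter type, the exception message, which names the endpoint class and method, is sent back as the response body. The following is an added example, not RESTEasy's own code and not a Red Hat-supplied fix, of an application-side JAX-RS ExceptionMapper that keeps framework exception messages out of client responses and logs them server-side instead. It assumes the javax.ws.rs API and, for preserving the 404/400 status, that RESTEasy's parameter-conversion errors are subclasses of org.jboss.resteasy.spi.Failure; the class name, logger and message texts are hypothetical.

```java
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.ExceptionMapper;
import javax.ws.rs.ext.Provider;

import org.jboss.resteasy.spi.Failure;

/**
 * Hypothetical application-side mapper (added example, not RESTEasy's code).
 *
 * Trigger described in the bug: a resource method such as
 *     @GET @Path("/items/{id}") String get(@PathParam("id") int id)
 * receives GET /items/abc; "abc" cannot be converted to int and the framework
 * raises an exception whose message, in affected versions, names the resource
 * class and method. Without a mapper that message becomes the response body.
 *
 * This mapper returns a fixed body for every exception that reaches the
 * framework without an application-built entity, and keeps the original
 * message and stack trace in the server log under a correlation id.
 */
@Provider
public class SafeErrorMapper implements ExceptionMapper<Throwable> {

    private static final Logger LOG = Logger.getLogger(SafeErrorMapper.class.getName());

    @Override
    public Response toResponse(Throwable t) {
        int status = 500;

        if (t instanceof WebApplicationException) {
            Response r = ((WebApplicationException) t).getResponse();
            // A response the application built itself, entity included, passes through unchanged.
            if (r != null && r.hasEntity()) {
                return r;
            }
            if (r != null) {
                status = r.getStatus();
            }
        } else if (t instanceof Failure) {
            // Assumption: RESTEasy's parameter-conversion errors are Failure subclasses
            // (org.jboss.resteasy.spi.NotFoundException / BadRequestException) carrying
            // the HTTP error code (404 for path parameters, 400 for query parameters).
            int code = ((Failure) t).getErrorCode();
            if (code > 0) {
                status = code;
            }
        }

        // Only the server log sees t.getMessage(); that is where the leaked
        // class and method names appear in affected versions.
        String correlationId = UUID.randomUUID().toString();
        LOG.log(Level.WARNING,
                "request failed [" + correlationId + "] status=" + status + ": " + t.getMessage(), t);

        return Response.status(status)
                .type(MediaType.TEXT_PLAIN_TYPE)
                .entity(clientMessage(status, correlationId))
                .build();
    }

    /** Body sent to the client: status-specific wording and a reference for support lookups only. */
    static String clientMessage(int status, String correlationId) {
        String text;
        if (status == 400) {
            text = "The request could not be processed; check the request parameters.";
        } else if (status == 404) {
            text = "The requested resource was not found.";
        } else {
            text = "The request could not be processed.";
        }
        return text + " (reference: " + correlationId + ")";
    }
}
```

The mapper is picked up by @Provider scanning or by listing it in the Application's classes. To confirm it is in effect, send a request whose path value cannot be converted, as in the comment above, and check that the response body carries only the generic text and reference id. The actual remediation is to move to one of the releases listed under Fixed In Version; the mapper is defense in depth that also covers other framework-generated messages, and a logging policy that keeps the server log itself access-controlled completes it.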
Description
Pedro Sampaio
2021-03-05 19:59:45 UTC
JFTR it doesn't look (from RESTEASY-2843) or the upstream repo that this CVE is fixed in 4.6.0.Final as mentioned in the Doc Text. It looks like it will be fixed in the upcoming release 4.7.0.Final.

In reply to comment #8:
> JFTR it doesn't look (from RESTEASY-2843) or the upstream repo that this CVE
> is fixed in 4.6.0.Final as mentioned in the Doc Text. It looks like it will
> be fixed in the upcoming release 4.7.0.Final.

Thank you for pointing it out. We've fixed it. Thanks!

Acknowledgments:

Name: Dirk Papenberg (NTT DATA Germany)

Created resteasy tracking bugs for this issue:

Affects: fedora-all [bug 1941544]

This vulnerability is out of security support scope for the following products:

* Red Hat Enterprise Application Platform 6
* Red Hat Data Grid 7
* Red Hat JBoss Operations Network 3
* Red Hat JBoss BPMS 6
* Red Hat JBoss BRMS 6
* Red Hat JBoss BRMS 5
* Red Hat JBoss Data Virtualization 6
* Red Hat JBoss Fuse Service Works 6
* Red Hat JBoss Fuse 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

This issue has been addressed in the following products:
  Red Hat AMQ 7.9.0
Via RHSA-2021:3700 https://access.redhat.com/errata/RHSA-2021:3700

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2021-20289

This issue has been addressed in the following products:
  Red Hat build of Quarkus 2.2.3
Via RHSA-2021:3880 https://access.redhat.com/errata/RHSA-2021:3880

This issue has been addressed in the following products:
  RHINT Service Registry 2.0.2 GA
Via RHSA-2021:4100 https://access.redhat.com/errata/RHSA-2021:4100

This issue has been addressed in the following products:
  EAP 7.4.2 release
Via RHSA-2021:4679 https://access.redhat.com/errata/RHSA-2021:4679

This issue has been addressed in the following products:
  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7
Via RHSA-2021:4676 https://access.redhat.com/errata/RHSA-2021:4676

This issue has been addressed in the following products:
  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8
Via RHSA-2021:4677 https://access.redhat.com/errata/RHSA-2021:4677

This issue has been addressed in the following products:
  Red Hat Integration
Via RHSA-2021:4767 https://access.redhat.com/errata/RHSA-2021:4767

This issue has been addressed in the following products:
  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7
Via RHSA-2021:5150 https://access.redhat.com/errata/RHSA-2021:5150

This issue has been addressed in the following products:
  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8
Via RHSA-2021:5151 https://access.redhat.com/errata/RHSA-2021:5151

This issue has been addressed in the following products:
  EAP 7.3.10 GA
Via RHSA-2021:5154 https://access.redhat.com/errata/RHSA-2021:5154

This issue has been addressed in the following products:
  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6
Via RHSA-2021:5149 https://access.redhat.com/errata/RHSA-2021:5149

This issue has been addressed in the following products:
  Red Hat Single Sign-On 7.4.10
Via RHSA-2021:5170 https://access.redhat.com/errata/RHSA-2021:5170

This issue has been addressed in the following products:
  Red Hat EAP-XP 2 via EAP 7.3.x base
Via RHSA-2022:0146 https://access.redhat.com/errata/RHSA-2022:0146

This issue has been addressed in the following products:
  Red Hat Single Sign-On 7.5 for RHEL 8
Via RHSA-2022:0152 https://access.redhat.com/errata/RHSA-2022:0152

This issue has been addressed in the following products:
  Red Hat Single Sign-On 7.5 for RHEL 7
Via RHSA-2022:0151 https://access.redhat.com/errata/RHSA-2022:0151

This issue has been addressed in the following products:
  RHSSO 7.5.1
Via RHSA-2022:0155 https://access.redhat.com/errata/RHSA-2022:0155

This issue has been addressed in the following products:
  RHEL-8 based Middleware Containers
Via RHSA-2022:0164 https://access.redhat.com/errata/RHSA-2022:0164

This issue has been addressed in the following products:
  Red Hat Support for Spring Boot 2.5.10
Via RHSA-2022:1179 https://access.redhat.com/errata/RHSA-2022:1179

This issue has been addressed in the following products:
  RHAF Camel-K 1.8
Via RHSA-2022:6407 https://access.redhat.com/errata/RHSA-2022:6407