It was found that the default exception handler in RESTEasy did not properly validate user input. An attacker could use this flaw to launch a reflected XSS attack.
Acknowledgments: Name: Mikhail Egorov (Odin)
Created resteasy tracking bugs for this issue: Affects: fedora-all [bug 1372125]
Created resteasy tracking bugs for this issue: Affects: fedora-all [bug 1471277]
Statement: This issue affects the versions of RESTEasy as shipped with Red Hat Satellite 6. Red Hat Product Security has rated this issue as having a security impact of Moderate. Additionally, Red Hat Satellite does not use the default ExceptionMapper, and the custom exception handler does not allow a return type of text/html. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
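The mitigation the statement describes, a custom exception handler that never answers with text/html, as an added example; this is not RESTEasy's or Red Hat's code. It uses the standard JAX-RS API in the javax namespace (RESTEasy 3.x) and assumes the hypothetical class name SafeExceptionMapper.

```java
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.ExceptionMapper;
import javax.ws.rs.ext.Provider;

/**
 * Hypothetical replacement for the default exception mapper.
 * The response content type is pinned to text/plain and the body is a
 * generic message, so any request-derived text that ends up in an
 * exception message is never rendered as markup by a browser.
 */
@Provider
public class SafeExceptionMapper implements ExceptionMapper<Throwable> {

    private static final Logger LOG = Logger.getLogger(SafeExceptionMapper.class.getName());

    @Override
    public Response toResponse(Throwable ex) {
        int status = Response.Status.INTERNAL_SERVER_ERROR.getStatusCode();

        // Preserve the status a WebApplicationException already carries (404, 400, ...)
        // but discard its entity: that entity is what may echo user input.
        if (ex instanceof WebApplicationException) {
            Response original = ((WebApplicationException) ex).getResponse();
            if (original != null) {
                status = original.getStatus();
            }
        }

        // Keep the detail server-side only; the client sees a fixed message.
        LOG.log(Level.WARNING, "Request failed with status " + status, ex);

        return Response.status(status)
                .type(MediaType.TEXT_PLAIN_TYPE)            // never text/html
                .header("X-Content-Type-Options", "nosniff") // stop MIME sniffing to HTML
                .entity("Request failed with status " + status)
                .build();
    }
}
```

Registering the class as a @Provider is enough for RESTEasy to prefer it over the built-in mapper for all Throwable subtypes; a mapper for a narrower exception type still wins for that type, so each such mapper needs the same content-type discipline.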
Created resteasy tracking bugs for this issue: Affects: fedora-all [bug 1590941]
The reported issue has been fixed by rebasing to resteasy 3.0.26
Rawhide/f32: https://koji.fedoraproject.org/koji/buildinfo?buildID=1403302
F31: https://koji.fedoraproject.org/koji/buildinfo?buildID=1403312
F30: https://koji.fedoraproject.org/koji/buildinfo?buildID=1403309
Closing this bug as CURRENTRELEASE