Fedora Account System
Red Hat Associate
Red Hat Customer
It was found that the default exception handler in RESTEasy did not properly validate user input. An attacker could use this flaw to launch a relected XSS attack.
Acknowledgments: Name: Mikhail Egorov (Odin)
Created resteasy tracking bugs for this issue: Affects: fedora-all [bug 1372125]
Created resteasy tracking bugs for this issue: Affects: fedora-all [bug 1471277]
Statement: This issue affects the versions of RESTEasy as shipped with Red Hat Satellite 6. Red Hat Product Security has rated this issue as having a security impact of Moderate. Additionally Red Hat Satellite does not use the default ExceptionMapper, and the custom exception handler does not allow return type of text/html. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Created resteasy tracking bugs for this issue: Affects: fedora-all [bug 1590941]
The reported issue has been fixed by rebasing to resteasy 3.0.26 Rawhide/f32: https://koji.fedoraproject.org/koji/buildinfo?buildID=1403302 F31: https://koji.fedoraproject.org/koji/buildinfo?buildID=1403312 F30: https://koji.fedoraproject.org/koji/buildinfo?buildID=1403309 Closing this bug as CURRENTRELEASE