Bug 1879042 (CVE-2020-25633) - CVE-2020-25633 resteasy-client: potential sensitive information leakage in JAX-RS RESTEasy Client's WebApplicationException handling
Summary: CVE-2020-25633 resteasy-client: potential sensitive information leakage in JA...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-25633
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1914261 1914262 1914380
Blocks: 1877356 2014197
Reported: 2020-09-15 10:03 UTC by Ted Jongseok Won
Modified: 2021-12-14 18:47 UTC
CC List: 93 users

Fixed In Version: resteasy 4.5.9.Final
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the RESTEasy client in all versions of RESTEasy up to 4.5.6.Final. When a RESTEasy server uses the RESTEasy client to call another service and that call fails with a WebApplicationException, the exception carries the upstream service's response, so the server may return that service's potentially sensitive information (headers, cookies and body) to its own client users. The highest threat from this vulnerability is to confidentiality.
Clone Of:
Environment:
Last Closed: 2021-01-25 16:46:50 UTC
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:0246 0 None None None 2021-01-25 16:28:56 UTC
Red Hat Product Errata RHSA-2021:0247 0 None None None 2021-01-25 16:33:35 UTC
Red Hat Product Errata RHSA-2021:0248 0 None None None 2021-01-25 16:38:26 UTC
Red Hat Product Errata RHSA-2021:0250 0 None None None 2021-01-25 16:19:22 UTC
Red Hat Product Errata RHSA-2021:0295 0 None None None 2021-02-08 09:06:59 UTC
Red Hat Product Errata RHSA-2021:3140 0 None None None 2021-08-11 18:26:11 UTC

Description Ted Jongseok Won 2020-09-15 10:03:13 UTC
A flaw was found in the RESTEasy client in all versions of RESTEasy up to 4.5.6.Final. It may allow client users to obtain the server's potentially sensitive information in headers, cookies and body when the server gets a WebApplicationException from the RESTEasy client call.

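The pattern the report describes, as an added example that is not code from the RESTEasy project or from this bug: a JAX-RS resource running on a RESTEasy server itself calls a backend through the JAX-RS client API (RESTEasy supplies the implementation). On the affected client versions, a non-2xx upstream status surfaces as a WebApplicationException whose getResponse() is the upstream response; if the resource lets it propagate, the server's exception handling writes that upstream response, headers, cookies and body included, to the end client. The second endpoint shows the application-side hardening that removes the precondition named in the bug, independent of the RESTEasy version in use. The package name, the upstream URL and the resource paths are hypothetical.

```java
// Added example, not RESTEasy's own code. Package, URL and paths are hypothetical.
package example;

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.ProcessingException;
import javax.ws.rs.Produces;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

@Path("/orders")
public class OrderProxyResource {

    // Hypothetical backend that the service itself calls. This is the
    // precondition of the vulnerability: the server uses the RESTEasy client
    // to call on to other services.
    private static final String UPSTREAM = "http://inventory.internal:8080/api";

    private final Client client = ClientBuilder.newClient();

    // VULNERABLE pattern. get(String.class) throws a WebApplicationException
    // for any non-2xx upstream status, and that exception carries the
    // upstream Response. Nothing here catches it, so the JAX-RS runtime
    // answers the end client with the upstream's headers, cookies and body.
    @GET
    @Path("/{id}/leaky")
    @Produces(MediaType.APPLICATION_JSON)
    public String lookupLeaky(@PathParam("id") String id) {
        return client.target(UPSTREAM).path("items").path(id)
                .request(MediaType.APPLICATION_JSON)
                .get(String.class);
    }

    // HARDENED pattern. Work with the upstream Response object directly,
    // never return it (or e.getResponse()) to the caller, close it, and
    // build a fresh Response whose content this service controls.
    @GET
    @Path("/{id}")
    @Produces(MediaType.APPLICATION_JSON)
    public Response lookup(@PathParam("id") String id) {
        Response upstream = null;
        try {
            upstream = client.target(UPSTREAM).path("items").path(id)
                    .request(MediaType.APPLICATION_JSON)
                    .get();
            if (upstream.getStatus() != 200) {
                // Only the status code crosses the boundary, not the entity.
                return mapUpstreamFailure(upstream.getStatus());
            }
            String body = upstream.readEntity(String.class);
            return Response.ok(body).build();
        } catch (WebApplicationException e) {
            // Defensive: if a client-side WebApplicationException does reach
            // us, extract the status only and close the wrapped response.
            Response r = e.getResponse();
            int status = (r != null) ? r.getStatus() : 502;
            if (r != null) {
                r.close();
            }
            return mapUpstreamFailure(status);
        } catch (ProcessingException e) {
            // Connection or marshalling failure: no upstream response exists.
            return mapUpstreamFailure(502);
        } finally {
            if (upstream != null) {
                upstream.close();
            }
        }
    }

    // Translate the backend outcome into a response of our own. A 404 from
    // the backend is passed through as 404; everything else becomes 502 so
    // that backend-specific status codes and messages are not echoed.
    private static Response mapUpstreamFailure(int upstreamStatus) {
        int status = (upstreamStatus == 404) ? 404 : 502;
        return Response.status(status)
                .type(MediaType.APPLICATION_JSON)
                .entity("{\"error\":\"upstream request failed\"}")
                .build();
    }
}
```

The same separation applies to any ExceptionMapper registered on the server: a mapper that returns exception.getResponse() for a WebApplicationException raised by a client call re-creates the leak, so a mapper should build its own Response from the status alone, as mapUpstreamFailure does here.
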
Comment 16 errata-xmlrpc 2021-01-25 16:19:17 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2021:0250 https://access.redhat.com/errata/RHSA-2021:0250

Comment 17 errata-xmlrpc 2021-01-25 16:28:52 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6

Via RHSA-2021:0246 https://access.redhat.com/errata/RHSA-2021:0246

Comment 18 errata-xmlrpc 2021-01-25 16:33:30 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7

Via RHSA-2021:0247 https://access.redhat.com/errata/RHSA-2021:0247

Comment 19 errata-xmlrpc 2021-01-25 16:38:22 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8

Via RHSA-2021:0248 https://access.redhat.com/errata/RHSA-2021:0248

Comment 20 Product Security DevOps Team 2021-01-25 16:46:50 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-25633

Comment 21 errata-xmlrpc 2021-02-08 09:06:46 UTC
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes

Via RHSA-2021:0295 https://access.redhat.com/errata/RHSA-2021:0295

Comment 22 errata-xmlrpc 2021-03-29 11:12:58 UTC
This issue has been addressed in the following products:

  Red Hat build of Quarkus

Via RHSA-2021:1004 https://access.redhat.com/errata/RHSA-2021:1004

Comment 23 errata-xmlrpc 2021-04-21 13:10:27 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.8 for RHEL 7

Via RHSA-2021:1313 https://access.redhat.com/errata/RHSA-2021:1313

Comment 24 errata-xmlrpc 2021-08-11 18:26:05 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.9

Via RHSA-2021:3140 https://access.redhat.com/errata/RHSA-2021:3140

Comment 25 Jonathan Christison 2021-09-20 14:54:28 UTC
Marking Red Hat Integration Service Registry as having a low impact. Although the vulnerable version of resteasy-client is shipped and used, its use in Service Registry is not susceptible to the vulnerability: it is used in the maven plugin and does not communicate with further upstream/backend services from a service context. That is to say, the Service Registry service itself does not use the resteasy-client to call on to other services, which is a precondition of the vulnerability.
