Bug 1935927 (CVE-2021-20289) - CVE-2021-20289 resteasy: Error message exposes endpoint class information
Summary: CVE-2021-20289 resteasy: Error message exposes endpoint class information
Keywords:
Status: NEW
Alias: CVE-2021-20289
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1936941 1938279 1941545 1941546 1941544
Blocks: 1939790 1935929 1939063
TreeView+ depends on / blocked
 
Reported: 2021-03-05 19:59 UTC by Pedro Sampaio
Modified: 2021-05-16 16:31 UTC (History)
60 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. The highest threat from this vulnerability is to data confidentiality.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Pedro Sampaio 2021-03-05 19:59:45 UTC
A flaw was found in resteasy. The endpoint class and method names are returned as part of the exception response when Resteasy can not convert one of the request URI path/query/matrix parameters to a value expected by a given class resource/method method parameter.

References:

https://issues.redhat.com/browse/RESTEASY-2843

Comment 8 Alexander Scheel 2021-03-16 23:20:09 UTC
JFTR it doesn't look (from RESTEASY-2843) or the upstream repo that this CVE is fixed in 4.6.0.Final as mentioned in the Doc Text. It looks like it will be fixed in the upcoming release 4.7.0.Final.

Comment 9 Ted (Jong Seok) Won 2021-03-17 04:50:03 UTC
In reply to comment #8:
> JFTR it doesn't look (from RESTEASY-2843) or the upstream repo that this CVE
> is fixed in 4.6.0.Final as mentioned in the Doc Text. It looks like it will
> be fixed in the upcoming release 4.7.0.Final.

Thank you for pointing out it. We've fixed it. Thanks!

Comment 10 Ted (Jong Seok) Won 2021-03-22 04:09:51 UTC
Acknowledgments:

Name: Dirk Papenberg (NTT DATA Germany)

Comment 11 Riccardo Schirone 2021-03-22 10:53:03 UTC
Created resteasy tracking bugs for this issue:

Affects: fedora-all [bug 1941544]


Note You need to log in before you can comment on or make changes to this bug.