Bug 1942819 (CVE-2021-20293) - CVE-2021-20293 RESTEasy: PathParam in RESTEasy can lead to a reflected XSS attack
Summary: CVE-2021-20293 RESTEasy: PathParam in RESTEasy can lead to a reflected XSS attack
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2021-20293
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: Red Hat 1943648, Red Hat 1945667, Red Hat 1945668, Red Hat 1945669
Blocks: Embargoed 1941409
 
Reported: 2021-03-25 04:50 UTC by Ted Jongseok Won
Modified: 2023-02-20 00:58 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A reflected Cross-Site Scripting (XSS) flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final, where it did not properly handle URL encoding when calling @javax.ws.rs.PathParam without any @Produces MediaType. This flaw allows an attacker to launch a reflected XSS attack. The highest threat from this vulnerability is to data confidentiality and integrity.
Clone Of:
Environment:
Last Closed: 2021-09-06 14:54:57 UTC




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:4100 0 None None None 2021-11-02 12:42:51 UTC
Red Hat Product Errata RHSA-2022:1029 0 None None None 2022-03-23 08:22:41 UTC

Description Ted Jongseok Won 2021-03-25 04:50:24 UTC
A cross-site scripting (XSS) flaw was found in RESTEasy, where it did not properly handle URL encoding when calling @javax.ws.rs.PathParam without any @Produces MediaType. An attacker could use this flaw to launch a reflected XSS attack.
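
The shape of resource the advisory describes, with a hardened form beside it. This is an added example written for this page, not RESTEasy project code or a reproduction of the fixed code; the class, paths and parameter names are hypothetical, and it targets the javax.ws.rs API used by RESTEasy 4.x.

```java
// Added example (not RESTEasy's own code). Resource class, paths and the
// escapeHtml helper are hypothetical; they illustrate the pattern only.
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

@Path("/greet")
public class GreetingResource {

    // Vulnerable shape from the advisory: a @PathParam value is echoed into
    // the response body and the method declares no @Produces, so the response
    // media type is left to the framework. On affected RESTEasy versions
    // (up to 4.6.0.Final) a request such as
    //   GET /greet/%3Cscript%3Ealert(1)%3C%2Fscript%3E
    // can reach the browser as markup it will execute.
    @GET
    @Path("/{name}")
    public String greetUnsafe(@PathParam("name") String name) {
        return "Hello, " + name;
    }

    // Hardened form: pin the media type so the body is never interpreted as
    // HTML, and reject path values outside a tight allow-list.
    @GET
    @Path("/safe/{name}")
    @Produces(MediaType.TEXT_PLAIN)
    public Response greetSafe(@PathParam("name") String name) {
        if (!name.matches("[A-Za-z0-9_-]{1,64}")) {
            return Response.status(Response.Status.BAD_REQUEST)
                           .type(MediaType.TEXT_PLAIN)
                           .entity("invalid name")
                           .build();
        }
        return Response.ok("Hello, " + name, MediaType.TEXT_PLAIN).build();
    }

    // If the endpoint genuinely must return HTML, escape the untrusted value
    // before concatenating it into markup; @Produces alone is not enough here.
    @GET
    @Path("/html/{name}")
    @Produces(MediaType.TEXT_HTML)
    public String greetHtml(@PathParam("name") String name) {
        return "<p>Hello, " + escapeHtml(name) + "</p>";
    }

    // Minimal HTML entity escaping for text nodes and attribute values.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

To check a deployment, send a percent-encoded payload to an endpoint that echoes a path parameter and look at both the Content-Type header and the body: a fixed build, or a resource declaring @Produces(MediaType.TEXT_PLAIN), returns the value as inert text rather than executable markup. Declaring @Produces on every echoing method is cheap defence in depth even after upgrading past 4.6.0.Final.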

Comment 1 Ted Jongseok Won 2021-03-25 04:50:32 UTC
Acknowledgments:

Name: Jeremy Bonghwan Choi (Red Hat), Ted Jongseok Won (Red Hat)

Comment 24 errata-xmlrpc 2021-11-02 12:42:47 UTC
This issue has been addressed in the following products:

  RHINT Service Registry 2.0.2 GA

Via RHSA-2021:4100 https://access.redhat.com/errata/RHSA-2021:4100

Comment 25 errata-xmlrpc 2022-03-23 08:22:37 UTC
This issue has been addressed in the following products:

  RHINT Camel-K 1.6.4

Via RHSA-2022:1029 https://access.redhat.com/errata/RHSA-2022:1029

