Bug 1730462 (CVE-2020-1695) - CVE-2020-1695 resteasy: Improper validation of response header in MediaTypeHeaderDelegate.java class
Summary: CVE-2020-1695 resteasy: Improper validation of response header in MediaTypeHe...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-1695
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1763052 1845547 1845548 1845570
Blocks: 1730463
Reported: 2019-07-16 19:22 UTC by Pedro Sampaio
Modified: 2021-12-14 18:47 UTC
CC List: 108 users

Fixed In Version: resteasy 3.12.0.Final, resteasy 4.6.0.Final
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Resteasy, where improper input validation results in an illegal header being returned and integrated into the server's response. This flaw may result in an injection, leading to unexpected behavior when the HTTP response is constructed.
Clone Of:
Environment:
Last Closed: 2020-05-12 22:31:52 UTC
Embargoed:


Attachments


Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2020:2112  0        None      None    None     2020-05-12 17:17:13 UTC
Red Hat Product Errata  RHSA-2020:2333  0        None      None    None     2020-05-28 15:58:51 UTC
Red Hat Product Errata  RHSA-2020:2511  0        None      None    None     2020-06-10 19:05:35 UTC
Red Hat Product Errata  RHSA-2020:2512  0        None      None    None     2020-06-11 07:16:50 UTC
Red Hat Product Errata  RHSA-2020:2513  0        None      None    None     2020-06-11 07:08:24 UTC
Red Hat Product Errata  RHSA-2020:2515  0        None      None    None     2020-06-10 19:23:50 UTC
Red Hat Product Errata  RHSA-2020:2905  0        None      None    None     2020-07-23 07:04:08 UTC
Red Hat Product Errata  RHSA-2020:3637  0        None      None    None     2020-09-07 12:55:54 UTC
Red Hat Product Errata  RHSA-2020:3638  0        None      None    None     2020-09-07 13:01:59 UTC
Red Hat Product Errata  RHSA-2020:3639  0        None      None    None     2020-09-07 12:58:52 UTC
Red Hat Product Errata  RHSA-2020:3642  0        None      None    None     2020-09-07 13:06:09 UTC
Red Hat Product Errata  RHSA-2020:3779  0        None      None    None     2020-09-17 13:08:06 UTC
Red Hat Product Errata  RHSA-2021:3140  0        None      None    None     2021-08-11 18:22:17 UTC

Description Pedro Sampaio 2019-07-16 19:22:16 UTC
A flaw was found in resteasy before 4.1.1. Improper input validation in the MediaTypeHeaderDelegate.java class results in the class returning an illegal header that will then be integrated into the server's response.
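
The description above and the Doc Text field both describe the same failure mode: a media-type value is not validated, so an illegal header value reaches the HTTP response as it is being constructed. The following is an added illustration, not part of this bug report and not RESTEasy's own code or fix; it is written in Python rather than Java so it can be run stand-alone. It shows the class of check a server should apply before a request-derived media type is echoed into a response header such as Content-Type: enforce the RFC 7231 media-type grammar (token type and subtype, token parameter names, token or quoted-string values) and reject CR, LF and any other control character outright. The function names and the sample inputs are constructed for this example.

```python
"""Strict media-type validation for values echoed into an HTTP response header.
Added example, not RESTEasy code: it parses against the RFC 7231 grammar
type "/" subtype *( OWS ";" OWS parameter ) and rejects control characters."""
import string
from dataclasses import dataclass, field
from typing import Dict

# RFC 7230 tchar: the only characters permitted in the type, the subtype,
# parameter names and unquoted parameter values.
_TCHAR = frozenset("!#$%&'*+-.^_`|~" + string.ascii_letters + string.digits)


class InvalidMediaType(ValueError):
    """Raised for any value that is not a well-formed media type."""


@dataclass
class MediaType:
    type: str
    subtype: str
    params: Dict[str, str] = field(default_factory=dict)

    def to_header(self) -> str:
        """Serialise to a header value, quoting parameter values when required."""
        out = f"{self.type}/{self.subtype}"
        for name, value in self.params.items():
            if value and all(c in _TCHAR for c in value):
                out += f"; {name}={value}"
            else:
                escaped = value.replace("\\", "\\\\").replace('"', '\\"')
                out += f'; {name}="{escaped}"'
        return out


def parse_media_type(raw: str) -> MediaType:
    """Parse an untrusted media-type string or raise InvalidMediaType."""
    if not raw:
        raise InvalidMediaType("empty media type")
    # Reject CR, LF, other control characters and non-ASCII before any
    # splitting: these are exactly the characters that let a header value
    # escape its own line when the response is assembled.
    for ch in raw:
        if (ord(ch) < 0x20 and ch != "\t") or ord(ch) > 0x7E:
            raise InvalidMediaType(f"illegal character {ch!r} in media type")

    pos, n = 0, len(raw)

    def skip_ws():
        nonlocal pos
        while pos < n and raw[pos] in " \t":
            pos += 1

    def read_token():
        nonlocal pos
        start = pos
        while pos < n and raw[pos] in _TCHAR:
            pos += 1
        if start == pos:
            raise InvalidMediaType(f"expected token at offset {start}")
        return raw[start:pos]

    def read_quoted():
        # quoted-string: DQUOTE *( qdtext / quoted-pair ) DQUOTE
        nonlocal pos
        pos += 1  # opening quote
        out = []
        while pos < n:
            ch = raw[pos]
            pos += 1
            if ch == '"':
                return "".join(out)
            if ch == "\\":  # quoted-pair: take the next character literally
                if pos >= n:
                    break
                ch = raw[pos]
                pos += 1
            out.append(ch)
        raise InvalidMediaType("unterminated quoted-string")

    skip_ws()
    main_type = read_token()
    if pos >= n or raw[pos] != "/":
        raise InvalidMediaType("expected '/' after type")
    pos += 1
    subtype = read_token()
    params: Dict[str, str] = {}
    skip_ws()
    while pos < n:
        if raw[pos] != ";":
            raise InvalidMediaType(f"unexpected {raw[pos]!r} at offset {pos}")
        pos += 1
        skip_ws()
        name = read_token().lower()
        if pos >= n or raw[pos] != "=":
            raise InvalidMediaType(f"expected '=' after parameter {name!r}")
        pos += 1
        value = read_quoted() if pos < n and raw[pos] == '"' else read_token()
        if name in params:
            raise InvalidMediaType(f"duplicate parameter {name!r}")
        params[name] = value
        skip_ws()
    return MediaType(main_type.lower(), subtype.lower(), params)


def safe_content_type(raw: str) -> str:
    """Return the normalised header value for an untrusted media type."""
    return parse_media_type(raw).to_header()


def is_valid_media_type(raw: str) -> bool:
    try:
        parse_media_type(raw)
        return True
    except InvalidMediaType:
        return False
```

Usage: build the response header from `safe_content_type(value)` rather than from the raw string, so a value such as the constructed `"text/plain\r\nX-Constructed-Header: 1"` is rejected before any header is written, while `"Application/JSON; charset=UTF-8"` normalises to `application/json; charset=UTF-8`. The character check runs before tokenising on purpose: a grammar that only splits on `;` and `/` would still pass a line break through inside a parameter value.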

Comment 1 Pedro Sampaio 2019-08-07 14:48:19 UTC
Acknowledgments:

Name: Mirko Selber (Compass Security)

Comment 2 Jason Shepherd 2019-08-08 05:47:37 UTC
This vulnerability is out of security support scope for the following product:

 * Red Hat Mobile Application Platform

Please refer to https://access.redhat.com/support/policy/updates/rhmap for more details.

Comment 3 Joshua Padman 2019-08-12 02:28:07 UTC
This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss BPM Suite 6
 * Red Hat JBoss BPM Suite 6
 * Red Hat JBoss Data Virtualization & Services 6
 * Red Hat JBoss Data Virtualization & Services 6
 * Red Hat Enterprise Application Platform 5
 * Red Hat Enterprise Application Platform 6
 * Red Hat JBoss BRMS 5
 * Red Hat JBoss Fuse Service Works 6
 * Red Hat JBoss Fuse 6
 * Red Hat JBoss Fuse 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 18 errata-xmlrpc 2020-05-12 17:17:09 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign On 7.3.8

Via RHSA-2020:2112 https://access.redhat.com/errata/RHSA-2020:2112

Comment 19 Product Security DevOps Team 2020-05-12 22:31:52 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-1695

Comment 20 errata-xmlrpc 2020-05-28 15:58:47 UTC
This issue has been addressed in the following products:

  EAP-CD 19 Tech Preview

Via RHSA-2020:2333 https://access.redhat.com/errata/RHSA-2020:2333

Comment 22 Cedric Buissart 2020-06-09 13:44:50 UTC
Created resteasy tracking bugs for this issue:

Affects: fedora-all [bug 1845547]

Comment 28 errata-xmlrpc 2020-06-10 19:05:31 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6

Via RHSA-2020:2511 https://access.redhat.com/errata/RHSA-2020:2511

Comment 29 errata-xmlrpc 2020-06-10 19:23:46 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2020:2515 https://access.redhat.com/errata/RHSA-2020:2515

Comment 30 errata-xmlrpc 2020-06-11 07:08:19 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8

Via RHSA-2020:2513 https://access.redhat.com/errata/RHSA-2020:2513

Comment 31 errata-xmlrpc 2020-06-11 07:16:45 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7

Via RHSA-2020:2512 https://access.redhat.com/errata/RHSA-2020:2512

Comment 32 errata-xmlrpc 2020-07-23 07:04:02 UTC
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes

Via RHSA-2020:2905 https://access.redhat.com/errata/RHSA-2020:2905

Comment 33 errata-xmlrpc 2020-09-07 12:55:47 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6

Via RHSA-2020:3637 https://access.redhat.com/errata/RHSA-2020:3637

Comment 34 errata-xmlrpc 2020-09-07 12:58:44 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8

Via RHSA-2020:3639 https://access.redhat.com/errata/RHSA-2020:3639

Comment 35 errata-xmlrpc 2020-09-07 13:01:51 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7

Via RHSA-2020:3638 https://access.redhat.com/errata/RHSA-2020:3638

Comment 36 errata-xmlrpc 2020-09-07 13:06:01 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2020:3642 https://access.redhat.com/errata/RHSA-2020:3642

Comment 37 errata-xmlrpc 2020-09-17 13:07:59 UTC
This issue has been addressed in the following products:

  Red Hat Data Grid 7.3.7

Via RHSA-2020:3779 https://access.redhat.com/errata/RHSA-2020:3779

Comment 40 errata-xmlrpc 2021-05-18 14:57:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1775 https://access.redhat.com/errata/RHSA-2021:1775

Comment 41 errata-xmlrpc 2021-08-11 18:22:13 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.9

Via RHSA-2021:3140 https://access.redhat.com/errata/RHSA-2021:3140
