Information disclosure in Resteasy

#VU56965 Information disclosure in Resteasy

Published: 2021-09-30

Vulnerability identifier: #VU56965

Vulnerability risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-20289

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Resteasy
Other software / Other software solutions

Vendor: resteasy

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. A remote attacker can obtain endpoint class and method names.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Resteasy: 4.0.0.Final - 4.5.12.Final

CPE

cpe:2.3:a:resteasy:resteasy:4.5.12.Final:*:*:*:*:*:*:*

External links
http://bugzilla.redhat.com/show_bug.cgi?id=1935927

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

Latest bulletins with this vulnerability

Multiple vulnerabilities in Red Hat Integration Camel-K

Multiple vulnerabilities in Oracle Communications Cloud Native Core Console

Multiple vulnerabilities in Red Hat Single Sign-On

Multiple vulnerabilities in Red Hat JBoss Enterprise Application Platform

Multiple vulnerabilities in Red Hat AMQ Broker

Information disclosire in RESTEasy