RESTEasy vulnerability (CVE-2021-20289)

Issue date: 06-07-2021
Affects versions: 14.5, 13.4, 12.6

Security Issue ID

SECURITY-225

Affected Product Version(s)

14.5.1, 12.6.15, 13.4.8 and previous releases.

Severity

medium

Description

CVE-2021-20289

A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. The highest threat from this vulnerability is to data confidentiality.

CWE-209 Information Exposure Through an Error Message

CVSSv2:

Base Score: MEDIUM (5.0)
Vector: /AV:N/AC:L/Au:N/C/I:N/A:N

CVSSv3:

Base Score: MEDIUM (5.3)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Instructions

Customers using the 12.x, 13.x and 14.x major versions are recommended to upgrade to the latest version in that series.

Content Application

Channels

Projects

Relevance

Architecture

Concepts

Platform Configuration

Frontend Integration

Backend Development

Commerce Accelerator

Cloud Deployment (PaaS)

On-Premise Deployment

Security

Release Management

Platform Development

Bloomreach Documentation version

RESTEasy vulnerability (CVE-2021-20289)