Filtered by vendor Redhat Subscriptions
Filtered by product Resteasy Subscriptions
Total 18 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2016-9606 1 Redhat 4 Jboss Bpms, Jboss Enterprise Application Platform, Jboss Enterprise Brms Platform and 1 more 2024-09-16 N/A
JBoss RESTEasy before version 3.1.2 could be forced into parsing a request with YamlProvider, resulting in unmarshalling of potentially untrusted data which could allow an attacker to execute arbitrary code with RESTEasy application permissions.
CVE-2011-5245 1 Redhat 9 Jboss Bpms, Jboss Brms, Jboss Enterprise Application Platform and 6 more 2024-08-07 N/A
The readFrom function in providers.jaxb.JAXBXmlTypeProvider in RESTEasy before 2.3.2 allows remote attackers to read arbitrary files via an external entity reference in a Java Architecture for XML Binding (JAXB) input, aka an XML external entity (XXE) injection attack, a similar vulnerability to CVE-2012-0818.
CVE-2012-0818 1 Redhat 10 Jboss Bpms, Jboss Brms, Jboss Enterprise Application Platform and 7 more 2024-08-06 N/A
RESTEasy before 2.3.1 allows remote attackers to read arbitrary files via an external entity reference in a DOM document, aka an XML external entity (XXE) injection attack.
CVE-2014-7839 1 Redhat 7 Jboss Bpms, Jboss Brms, Jboss Data Grid and 4 more 2024-08-06 N/A
DocumentProvider in RESTEasy 2.3.7 and 3.0.9 does not configure the (1) external-general-entities or (2) external-parameter-entities features, which allows remote attackers to conduct XML external entity (XXE) attacks via unspecified vectors.
CVE-2014-3490 1 Redhat 11 Enterprise Linux, Jboss Bpms, Jboss Brms and 8 more 2024-08-06 N/A
RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0, does not disable external entities when the resteasy.document.expand.entity.references parameter is set to false, which allows remote attackers to read arbitrary files and have other unspecified impact via unspecified vectors, related to an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0818.
CVE-2016-6346 1 Redhat 6 Jboss Bpms, Jboss Enterprise Application Platform, Jboss Enterprise Brms Platform and 3 more 2024-08-06 N/A
RESTEasy enables GZIPInterceptor, which allows remote attackers to cause a denial of service via unspecified vectors.
CVE-2016-6348 1 Redhat 1 Resteasy 2024-08-06 N/A
JacksonJsonpInterceptor in RESTEasy might allow remote attackers to conduct a cross-site script inclusion (XSSI) attack.
CVE-2016-6345 1 Redhat 1 Resteasy 2024-08-06 N/A
RESTEasy allows remote authenticated users to obtain sensitive information by leveraging "insufficient use of random values" in async jobs.
CVE-2016-6347 1 Redhat 1 Resteasy 2024-08-06 N/A
Cross-site scripting (XSS) vulnerability in the default exception handler in RESTEasy allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2018-1051 1 Redhat 1 Resteasy 2024-08-05 N/A
It was found that the fix for CVE-2016-9606 in versions 3.0.22 and 3.1.2 was incomplete and Yaml unmarshalling in Resteasy is still possible via `Yaml.load()` in YamlProvider.
CVE-2020-25724 2 Quarkus, Redhat 3 Quarkus, Openshift Application Runtimes, Resteasy 2024-08-04 4.3 Medium
A flaw was found in RESTEasy, where an incorrect response to an HTTP request is provided. This flaw allows an attacker to gain access to privileged information. The highest threat from this vulnerability is to confidentiality and integrity. Versions before resteasy 2.0.0.Alpha3 are affected.
CVE-2020-25633 2 Quarkus, Redhat 7 Quarkus, Jboss Enterprise Application Platform, Jboss Fuse and 4 more 2024-08-04 5.3 Medium
A flaw was found in RESTEasy client in all versions of RESTEasy up to 4.5.6.Final. It may allow client users to obtain the server's potentially sensitive information when the server got WebApplicationException from the RESTEasy client call. The highest threat from this vulnerability is to data confidentiality.
CVE-2020-14326 2 Netapp, Redhat 7 Oncommand Insight, Camel Quarkus, Integration and 4 more 2024-08-04 7.5 High
A vulnerability was found in RESTEasy, where RootNode incorrectly caches routes. This issue results in hash flooding, leading to slower requests with higher CPU time spent searching and adding the entry. This flaw allows an attacker to cause a denial of service.
CVE-2020-10688 1 Redhat 7 Enterprise Linux, Fuse, Jboss Enterprise Application Platform and 4 more 2024-08-04 6.1 Medium
A cross-site scripting (XSS) flaw was found in RESTEasy in versions before 3.11.1.Final and before 4.5.3.Final, where it did not properly handle URL encoding when the RESTEASY003870 exception occurs. An attacker could use this flaw to launch a reflected XSS attack.
CVE-2020-1695 2 Fedoraproject, Redhat 9 Fedora, Enterprise Linux, Jboss Data Grid and 6 more 2024-08-04 7.5 High
A flaw was found in all resteasy 3.x.x versions prior to 3.12.0.Final and all resteasy 4.x.x versions prior to 4.6.0.Final, where an improper input validation results in returning an illegal header that integrates into the server's response. This flaw may result in an injection, which leads to unexpected behavior when the HTTP response is constructed.
CVE-2021-20293 2 Netapp, Redhat 3 Oncommand Insight, Integration, Resteasy 2024-08-03 6.1 Medium
A reflected Cross-Site Scripting (XSS) flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final, where it did not properly handle URL encoding when calling @javax.ws.rs.PathParam without any @Produces MediaType. This flaw allows an attacker to launch a reflected XSS attack. The highest threat from this vulnerability is to data confidentiality and integrity.
CVE-2021-20289 4 Netapp, Oracle, Quarkus and 1 more 12 Oncommand Insight, Communications Cloud Native Core Console, Quarkus and 9 more 2024-08-03 5.3 Medium
A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. The highest threat from this vulnerability is to data confidentiality.
CVE-2023-0482 1 Redhat 7 Amq Broker, Amq Streams, Jboss Enterprise Application Platform and 4 more 2024-08-02 5.5 Medium
In RESTEasy the insecure File.createTempFile() is used in the DataSourceProvider, FileProvider and Mime4JWorkaround classes which creates temp files with insecure permissions that could be read by a local user.