Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Redhat Subscribe
Filtered by product Resteasy
Total 18 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-0482 1 Redhat 1 Resteasy 2023-03-01 N/A 5.5 MEDIUM
In RESTEasy the insecure File.createTempFile() is used in the DataSourceProvider, FileProvider and Mime4JWorkaround classes which creates temp files with insecure permissions that could be read by a local user.
CVE-2012-0818 1 Redhat 1 Resteasy 2023-02-12 5.0 MEDIUM N/A
RESTEasy before 2.3.1 allows remote attackers to read arbitrary files via an external entity reference in a DOM document, aka an XML external entity (XXE) injection attack.
CVE-2020-14326 2 Netapp, Redhat 3 Oncommand Insight, Integration Camel K, Resteasy 2022-07-15 5.0 MEDIUM 7.5 HIGH
A vulnerability was found in RESTEasy, where RootNode incorrectly caches routes. This issue results in hash flooding, leading to slower requests with higher CPU time spent searching and adding the entry. This flaw allows an attacker to cause a denial of service.
CVE-2020-10688 1 Redhat 5 Enterprise Linux, Fuse, Jboss Enterprise Application Platform and 2 more 2022-05-13 4.3 MEDIUM 6.1 MEDIUM
A cross-site scripting (XSS) flaw was found in RESTEasy in versions before 3.11.1.Final and before 4.5.3.Final, where it did not properly handle URL encoding when the RESTEASY003870 exception occurs. An attacker could use this flaw to launch a reflected XSS attack.
CVE-2020-25724 2 Quarkus, Redhat 2 Quarkus, Resteasy 2022-05-13 4.0 MEDIUM 4.3 MEDIUM
A flaw was found in RESTEasy, where an incorrect response to an HTTP request is provided. This flaw allows an attacker to gain access to privileged information. The highest threat from this vulnerability is to confidentiality and integrity. Versions before resteasy 2.0.0.Alpha3 are affected.
CVE-2021-20289 4 Netapp, Oracle, Quarkus and 1 more 4 Oncommand Insight, Communications Cloud Native Core Console, Quarkus and 1 more 2022-05-10 5.0 MEDIUM 5.3 MEDIUM
A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. The highest threat from this vulnerability is to data confidentiality.
CVE-2020-1695 2 Fedoraproject, Redhat 2 Fedora, Resteasy 2022-01-01 5.0 MEDIUM 7.5 HIGH
A flaw was found in all resteasy 3.x.x versions prior to 3.12.0.Final and all resteasy 4.x.x versions prior to 4.6.0.Final, where an improper input validation results in returning an illegal header that integrates into the server's response. This flaw may result in an injection, which leads to unexpected behavior when the HTTP response is constructed.
CVE-2021-20293 2 Netapp, Redhat 2 Oncommand Insight, Resteasy 2021-09-20 4.3 MEDIUM 6.1 MEDIUM
A reflected Cross-Site Scripting (XSS) flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final, where it did not properly handle URL encoding when calling @javax.ws.rs.PathParam without any @Produces MediaType. This flaw allows an attacker to launch a reflected XSS attack. The highest threat from this vulnerability is to data confidentiality and integrity.
CVE-2020-25633 2 Quarkus, Redhat 2 Quarkus, Resteasy 2021-04-08 5.0 MEDIUM 5.3 MEDIUM
A flaw was found in RESTEasy client in all versions of RESTEasy up to 4.5.6.Final. It may allow client users to obtain the server's potentially sensitive information when the server got WebApplicationException from the RESTEasy client call. The highest threat from this vulnerability is to data confidentiality.
CVE-2018-1051 1 Redhat 1 Resteasy 2019-10-09 6.8 MEDIUM 8.1 HIGH
It was found that the fix for CVE-2016-9606 in versions 3.0.22 and 3.1.2 was incomplete and Yaml unmarshalling in Resteasy is still possible via `Yaml.load()` in YamlProvider.
CVE-2016-6346 1 Redhat 1 Resteasy 2019-05-14 5.0 MEDIUM 7.5 HIGH
RESTEasy enables GZIPInterceptor, which allows remote attackers to cause a denial of service via unspecified vectors.
CVE-2014-3490 1 Redhat 2 Jboss Enterprise Application Platform, Resteasy 2019-03-21 7.5 HIGH N/A
RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0, does not disable external entities when the resteasy.document.expand.entity.references parameter is set to false, which allows remote attackers to read arbitrary files and have other unspecified impact via unspecified vectors, related to an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0818.
CVE-2016-9606 1 Redhat 1 Resteasy 2018-10-12 6.8 MEDIUM 8.1 HIGH
JBoss RESTEasy before version 3.1.2 could be forced into parsing a request with YamlProvider, resulting in unmarshalling of potentially untrusted data which could allow an attacker to execute arbitrary code with RESTEasy application permissions.
CVE-2011-5245 1 Redhat 1 Resteasy 2017-08-28 5.0 MEDIUM N/A
The readFrom function in providers.jaxb.JAXBXmlTypeProvider in RESTEasy before 2.3.2 allows remote attackers to read arbitrary files via an external entity reference in a Java Architecture for XML Binding (JAXB) input, aka an XML external entity (XXE) injection attack, a similar vulnerability to CVE-2012-0818.
CVE-2016-6347 1 Redhat 1 Resteasy 2017-04-25 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in the default exception handler in RESTEasy allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2016-6348 1 Redhat 1 Resteasy 2017-04-19 4.3 MEDIUM 6.1 MEDIUM
JacksonJsonpInterceptor in RESTEasy might allow remote attackers to conduct a cross-site script inclusion (XSSI) attack.
CVE-2016-6345 1 Redhat 1 Resteasy 2016-09-08 4.0 MEDIUM 6.5 MEDIUM
RESTEasy allows remote authenticated users to obtain sensitive information by leveraging "insufficient use of random values" in async jobs.
CVE-2014-7839 1 Redhat 1 Resteasy 2015-04-22 6.4 MEDIUM N/A
DocumentProvider in RESTEasy 2.3.7 and 3.0.9 does not configure the (1) external-general-entities or (2) external-parameter-entities features, which allows remote attackers to conduct XML external entity (XXE) attacks via unspecified vectors.