#VU56965 Information disclosure in Resteasy - CVE-2021-20289


Vulnerability identifier: #VU56965

Vulnerability risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-20289

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Resteasy
Other software / Other software solutions

Vendor: resteasy

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. A remote attacker can obtain endpoint class and method names.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Resteasy: 4.0.0.Final - 4.5.12.Final

External links
https://bugzilla.redhat.com/show_bug.cgi?id=1935927

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Red Hat Integration Camel-K
Multiple vulnerabilities in Oracle Communications Cloud Native Core Console
Multiple vulnerabilities in Red Hat Single Sign-On
Multiple vulnerabilities in Red Hat Single Sign-On 7.4
Multiple vulnerabilities in Red Hat JBoss Enterprise Application Platform
Multiple vulnerabilities in Red Hat AMQ Broker
Information disclosire in RESTEasy
openEuler 20.03 LTS SP1 update for resteasy