[Bugs] [Bug 13306] New: [CVE 21] resteasy 3.0.19 CVEs found

bugzilla bugzilla at rosalinux.ru
Wed May 3 17:02:20 MSK 2023


https://bugzilla.rosalinux.ru/show_bug.cgi?id=13306

          Platform: 2021.1
            Bug ID: 13306
           Summary: [CVE 21] resteasy 3.0.19  CVEs found
    Classification: ROSA-based products
           Product: ROSA Fresh
           Version: All
          Hardware: All
               URL: CVE-2020-10688, CVE-2020-1695, CVE-2020-25633,
                    CVE-2023-0482,
                OS: Linux
            Status: CONFIRMED
          Severity: normal
          Priority: Normal
         Component: System (kernel, glibc, systemd, bash, PAM...)
          Assignee: bugs на lists.rosalinux.ru
          Reporter: y.tumanov на rosalinux.ru
        QA Contact: bugs на lists.rosalinux.ru
                CC: s.matveev на rosalinux.ru, y.tumanov на rosalinux.ru
  Target Milestone: ---
             Flags: secteam_verified?

Please patch CVEs for package resteasy version 3.0.19

INFO (CVEs are): resteasy 3.0.19 CVEs found
CVE-2020-10688
Desc: A cross-site scripting (XSS) flaw was found in RESTEasy in versions
before 3.11.1.Final and before 4.5.3.Final, where it did not properly handle
URL encoding when the RESTEASY003870 exception occurs. An attacker could use
this flaw to launch a reflected XSS attack.
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-10688
Severity: MEDIUM
CVE-2020-1695
Desc: A flaw was found in all resteasy 3.x.x versions prior to 3.12.0.Final and
all resteasy 4.x.x versions prior to 4.6.0.Final, where an improper input
validation results in returning an illegal header that integrates into the
server's response. This flaw may result in an injection, which leads to
unexpected behavior when the HTTP response is constructed.
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-1695
Severity: HIGH
CVE-2020-25633
Desc: A flaw was found in RESTEasy client in all versions of RESTEasy up to
4.5.6.Final. It may allow client users to obtain the server's potentially
sensitive information when the server got WebApplicationException from the
RESTEasy client call. The highest threat from this vulnerability is to data
confidentiality.
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-25633
Severity: MEDIUM
CVE-2023-0482
Desc: In RESTEasy the insecure File.createTempFile() is used in the
DataSourceProvider, FileProvider and Mime4JWorkaround classes which creates
temp files with insecure permissions that could be read by a local user.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-0482
Severity: MEDIUM

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
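The last entry in the report, CVE-2023-0482, is a permissions defect rather than a parsing bug: File.createTempFile() creates the file with the process umask applied to 0666, so on a typical umask of 022 any local user can read whatever the provider buffers there. The following Java snippet is an added example written for this page, not code from the bug report or from the RESTEasy project; the class name, the "resteasy-" prefix and the helper names are illustrative assumptions. It places the pattern the CVE describes beside the java.nio variant that fixes it, so the difference can be verified on a POSIX system by comparing the permission sets the two helpers return.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

// Illustrative example (not RESTEasy code): insecure vs. owner-only temp file creation.
public class TempFileDemo {

    // The pattern named in CVE-2023-0482: java.io.File.createTempFile() does not set
    // permissions itself, so the file ends up as 0666 masked by the umask (usually 0644,
    // i.e. world-readable) and its contents are exposed to every local account.
    static Path legacyTempFile() throws IOException {
        File f = File.createTempFile("resteasy-", ".tmp");   // prefix is an assumption
        return f.toPath();
    }

    // Hardened variant: java.nio.file.Files.createTempFile() with an explicit
    // owner-only attribute. The mode is applied atomically at creation, so there is
    // no window in which the file exists with broader permissions. On POSIX, calling
    // Files.createTempFile() without attributes already defaults to rw-------; passing
    // the attribute makes the intent explicit and reviewable.
    static Path ownerOnlyTempFile() throws IOException {
        Set<PosixFilePermission> perms = PosixFilePermissions.fromString("rw-------");
        FileAttribute<Set<PosixFilePermission>> attr = PosixFilePermissions.asFileAttribute(perms);
        return Files.createTempFile("resteasy-", ".tmp", attr);  // prefix is an assumption
    }

    // Returns true when nobody but the owner can read or write the file: this is the
    // check a reviewer can apply to any temp file a provider leaves behind.
    static boolean isOwnerOnly(Path p) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
        return perms.stream().allMatch(perm ->
                perm == PosixFilePermission.OWNER_READ || perm == PosixFilePermission.OWNER_WRITE);
    }

    public static void main(String[] args) throws IOException {
        Path legacy = legacyTempFile();
        Path hardened = ownerOnlyTempFile();
        try {
            System.out.println("File.createTempFile  : " + PosixFilePermissions.toString(Files.getPosixFilePermissions(legacy))
                    + "  ownerOnly=" + isOwnerOnly(legacy));
            System.out.println("Files.createTempFile : " + PosixFilePermissions.toString(Files.getPosixFilePermissions(hardened))
                    + "  ownerOnly=" + isOwnerOnly(hardened));
        } finally {
            Files.deleteIfExists(legacy);
            Files.deleteIfExists(hardened);
        }
    }
}
```

Run it with `java TempFileDemo.java` on Linux or macOS; the first line typically shows rw-r--r-- (umask 022) while the second shows rw-------. PosixFilePermissions is not supported on Windows filesystems, where Files.createTempFile() instead inherits the restrictive ACL of the user's temp directory; code that must run on both should pass the attribute only when the filesystem reports the "posix" attribute view. When assessing whether a build of resteasy 3.0.19 is affected, the same isOwnerOnly() check can be pointed at the files the DataSourceProvider, FileProvider and Mime4JWorkaround classes leave in java.io.tmpdir while a request is being processed.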