<html>
    <head>
      <base href="https://bugzilla.rosalinux.ru/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Platform</th>
          <td>2021.1
          </td>
        </tr>

        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link bz_status_CONFIRMED"
   title="CONFIRMED - [CVE 21] resteasy 3.0.19 CVEs found"
   href="https://bugzilla.rosalinux.ru/show_bug.cgi?id=13306">13306</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>[CVE 21] resteasy 3.0.19 CVEs found
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>ROSA-based products
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>ROSA Fresh
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>URL</th>
          <td>CVE-2020-10688, CVE-2020-1695, CVE-2020-25633, CVE-2023-0482
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>CONFIRMED
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>Normal
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>System (kernel, glibc, systemd, bash, PAM...)
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>bugs&#64;lists.rosalinux.ru
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>y.tumanov&#64;rosalinux.ru
          </td>
        </tr>

        <tr>
          <th>QA Contact</th>
          <td>bugs&#64;lists.rosalinux.ru
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>s.matveev&#64;rosalinux.ru, y.tumanov&#64;rosalinux.ru
          </td>
        </tr>

        <tr>
          <th>Target Milestone</th>
          <td>---
          </td>
        </tr>

        <tr>
          <th>Flags</th>
          <td>secteam_verified?
          </td>
        </tr></table>
      <div>
        <pre>Please patch CVEs for package resteasy version 3.0.19

INFO (CVEs are): resteasy 3.0.19
 cves found
CVE-2020-10688
Desc: A cross-site scripting (XSS) flaw was found in RESTEasy in versions
before 3.11.1.Final and before 4.5.3.Final, where it did not properly handle
URL encoding when the RESTEASY003870 exception occurs. An attacker could use
this flaw to launch a reflected XSS attack.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-10688">https://nvd.nist.gov/vuln/detail/CVE-2020-10688</a>
Severity: MEDIUM
CVE-2020-1695
Desc: A flaw was found in all resteasy 3.x.x versions prior to 3.12.0.Final and
all resteasy 4.x.x versions prior to 4.6.0.Final, where an improper input
validation results in returning an illegal header that integrates into the
server's response. This flaw may result in an injection, which leads to
unexpected behavior when the HTTP response is constructed.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-1695">https://nvd.nist.gov/vuln/detail/CVE-2020-1695</a>
Severity: HIGH
CVE-2020-25633
Desc: A flaw was found in RESTEasy client in all versions of RESTEasy up to
4.5.6.Final. It may allow client users to obtain the server's potentially
sensitive information when the server got WebApplicationException from the
RESTEasy client call. The highest threat from this vulnerability is to data
confidentiality.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-25633">https://nvd.nist.gov/vuln/detail/CVE-2020-25633</a>
Severity: MEDIUM
CVE-2023-0482
Desc: In RESTEasy the insecure File.createTempFile() is used in the
DataSourceProvider, FileProvider and Mime4JWorkaround classes which creates
temp files with insecure permissions that could be read by a local user.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-0482">https://nvd.nist.gov/vuln/detail/CVE-2023-0482</a>
Severity: MEDIUM</pre>
      </div>


    </body>
</html>