Bug#1015001: resteasy3.0: CVE-2020-10688
Moritz Mühlenhoff
jmm at inutil.org
Fri Jul 15 23:34:03 BST 2022
Source: resteasy3.0
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for resteasy3.0.
CVE-2020-10688[0]:
| A cross-site scripting (XSS) flaw was found in RESTEasy in versions
| before 3.11.1.Final and before 4.5.3.Final, where it did not properly
| handle URL encoding when the RESTEASY003870 exception occurs. An
| attacker could use this flaw to launch a reflected XSS attack.
https://bugzilla.redhat.com/show_bug.cgi?id=1814974
https://github.com/quarkusio/quarkus/issues/7248
https://issues.redhat.com/browse/RESTEASY-2519 (restricted)
https://github.com/resteasy/Resteasy/pull/2320
https://github.com/resteasy/Resteasy/commit/3fe881cf945c06bdb16895fbc73bc620694d2ba7 (4.6.0.Final)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-10688
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10688
Please adjust the affected versions in the BTS as needed.