cnvd - cnvd-2021-44711

cnvd-2021-44711

Vulnerability from cnvd

Title

Red Hat RESTEasy跨站脚本漏洞

Description

Red Hat Resteasy是美国红帽（Red Hat）公司的一款JAX-RS（一种Java编程语言API规范）实现。 Red Hat RESTEasy存在跨站脚本漏洞。攻击者可利用漏洞发起反射型XSS攻击。

Severity

中

Formal description

目前厂商暂未发布修复措施解决此安全问题，建议使用此软件的用户随时关注厂商主页或参考网址以获取解决办法： https://www.redhat.com/en

Reference

https://access.redhat.com/security/cve/cve-2021-20293

Impacted products

Name
Red Hat Resteasy <4.6.0.Final

Show details on source website

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-20293"
    }
  },
  "description": "Red Hat Resteasy\u662f\u7f8e\u56fd\u7ea2\u5e3d\uff08Red Hat\uff09\u516c\u53f8\u7684\u4e00\u6b3eJAX-RS\uff08\u4e00\u79cdJava\u7f16\u7a0b\u8bed\u8a00API\u89c4\u8303\uff09\u5b9e\u73b0\u3002\n\nRed Hat RESTEasy\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002 \u653b\u51fb\u8005\u53ef\u5229\u7528\u6f0f\u6d1e\u53d1\u8d77\u53cd\u5c04\u578bXSS\u653b\u51fb\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u6682\u672a\u53d1\u5e03\u4fee\u590d\u63aa\u65bd\u89e3\u51b3\u6b64\u5b89\u5168\u95ee\u9898\uff0c\u5efa\u8bae\u4f7f\u7528\u6b64\u8f6f\u4ef6\u7684\u7528\u6237\u968f\u65f6\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u6216\u53c2\u8003\u7f51\u5740\u4ee5\u83b7\u53d6\u89e3\u51b3\u529e\u6cd5\uff1a\r\nhttps://www.redhat.com/en",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-44711",
  "openTime": "2021-06-24",
  "products": {
    "product": "Red Hat Resteasy \u003c4.6.0.Final"
  },
  "referenceLink": "https://access.redhat.com/security/cve/cve-2021-20293",
  "serverity": "\u4e2d",
  "submitTime": "2021-03-29",
  "title": "Red Hat RESTEasy\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}

CVE-2021-20293 (GCVE-0-2021-20293)

Vulnerability from cvelistv5

Published

2021-06-10 11:09

Modified

2024-08-03 17:37

Severity ?

CWE

CWE-79

Summary

A reflected Cross-Site Scripting (XSS) flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final, where it did not properly handle URL encoding when calling @javax.ws.rs.PathParam without any @Produces MediaType. This flaw allows an attacker to launch a reflected XSS attack. The highest threat from this vulnerability is to data confidentiality and integrity.

References

URL

Tags

	https://bugzilla.redhat.com/show_bug.cgi?id=1942819	x_refsource_MISC
	https://security.netapp.com/advisory/ntap-20210727-0005/	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	n/a	RESTEasy	Version: All versions of RESTEasy up to 4.6.0.Final

Show details on NVD website

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T17:37:24.125Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1942819"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20210727-0005/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "RESTEasy",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "All versions of RESTEasy up to 4.6.0.Final"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A reflected Cross-Site Scripting (XSS) flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final, where it did not properly handle URL encoding when calling @javax.ws.rs.PathParam without any @Produces MediaType. This flaw allows an attacker to launch a reflected XSS attack. The highest threat from this vulnerability is to data confidentiality and integrity."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-07-27T15:06:33",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1942819"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20210727-0005/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2021-20293",
    "datePublished": "2021-06-10T11:09:47",
    "dateReserved": "2020-12-17T00:00:00",
    "dateUpdated": "2024-08-03T17:37:24.125Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Log in or create an account to share your comment.

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.