The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of JBoss RESTEasy OpenSource

vulnerability CVE-2017-7561

JBoss RESTEasy: vulnerability via HTTP Vary Header

Synthesis of the vulnerability

A vulnerability via HTTP Vary Header of JBoss RESTEasy was announced.
Impacted products: RESTEasy JBoss OpenSource, JBoss EAP by Red Hat.
Severity: 2/4.
Consequences: data reading.
Provenance: internet server.
Creation date: 14/09/2017.
Identifiers: CVE-2017-7561, RESTEASY-1704, RHSA-2018:0002-01, RHSA-2018:0003-01, RHSA-2018:0004-01, RHSA-2018:0005-01, RHSA-2018:0478-01, RHSA-2018:0479-01, RHSA-2018:0480-01, RHSA-2018:0481-01, VIGILANCE-VUL-23840.

Description of the vulnerability

A vulnerability via HTTP Vary Header of JBoss RESTEasy was announced.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability CVE-2016-6348

JBoss RESTEasy: Cross Site Scripting via JacksonJsonpInterceptor

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via JacksonJsonpInterceptor of JBoss RESTEasy, in order to run JavaScript code in the context of the web site.
Impacted products: RESTEasy JBoss OpenSource.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 13/04/2017.
Identifiers: 1372129, CVE-2016-6348, VIGILANCE-VUL-22455.

Description of the vulnerability

JBoss RESTEasy is a framework for building RESTful web services; its JacksonJsonpInterceptor wraps a JSON response in a JavaScript function call whose name (the JSONP callback) is taken from the request.

However, it does not validate the callback name received from the request before echoing it into the JSONP response body, which the client browser executes as JavaScript.

An attacker can therefore trigger a Cross Site Scripting via JacksonJsonpInterceptor of JBoss RESTEasy, in order to run JavaScript code in the context of the web site.
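The following is an added example, not RESTEasy's own code (RESTEasy is Java; this is a stand-alone Python illustration). It contrasts a JSONP renderer that echoes the request-supplied callback verbatim, which is the class of flaw described above, with one that only accepts a dotted JavaScript identifier and serves the body with a JavaScript MIME type. The function names, the regular expression and the sample entity are assumptions made for the example.

```python
import json
import re

# Constructed sample entity standing in for a resource's JSON representation.
SAMPLE_ENTITY = {"id": 42, "name": "example"}

# Whitelist for JSONP callback names: dotted JavaScript identifiers only.
# Parentheses, quotes, '<', '/', whitespace and so on are all refused.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")

# Upper bound on callback length, an assumption for this example.
MAX_CALLBACK_LEN = 64


class InvalidCallback(ValueError):
    """Raised when a JSONP callback name fails the whitelist check."""


def render_jsonp_unsafe(callback: str, entity: dict) -> str:
    """Mirrors the flaw: the request-supplied callback is echoed verbatim,
    so a callback such as 'alert(1)//' becomes executable script."""
    return f"{callback}({json.dumps(entity)});"


def is_valid_callback(callback: str) -> bool:
    """True only for a bounded, dotted JavaScript identifier."""
    return len(callback) <= MAX_CALLBACK_LEN and CALLBACK_RE.fullmatch(callback) is not None


def render_jsonp_safe(callback: str, entity: dict) -> tuple:
    """Validates the callback name, then builds the response.

    Returns (content_type, body); raises InvalidCallback on a bad name.
    json.dumps with the default ensure_ascii=True escapes U+2028/U+2029,
    so the JSON text is also a valid JavaScript literal.
    """
    if not is_valid_callback(callback):
        raise InvalidCallback(f"rejected JSONP callback: {callback!r}")
    body = json.dumps(entity)
    # A leading comment defeats content-sniffing tricks that rely on the first
    # bytes of the response; the JavaScript MIME type stops browsers from
    # rendering the body as HTML.
    return "application/javascript; charset=utf-8", f"/**/{callback}({body});"


if __name__ == "__main__":
    print(render_jsonp_unsafe("alert(1)//", SAMPLE_ENTITY))   # script injected
    print(render_jsonp_safe("app.handleData", SAMPLE_ENTITY)) # accepted
    try:
        render_jsonp_safe("alert(1)//", SAMPLE_ENTITY)
    except InvalidCallback as exc:
        print(exc)                                            # refused
```

The whitelist is deliberately narrower than what JavaScript would accept as an expression: a JSONP consumer only ever needs a function name, so anything else is treated as an attack rather than sanitized.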

vulnerability alert CVE-2016-6345 CVE-2016-6346

JBoss RESTEasy: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of JBoss RESTEasy.
Impacted products: RESTEasy JBoss OpenSource, JBoss EAP by Red Hat.
Severity: 2/4.
Consequences: data reading, denial of service on service.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 08/09/2016.
Identifiers: 1372117, 1372120, CVE-2016-6345, CVE-2016-6346, RHSA-2017:0517-01, RHSA-2017:0826-01, RHSA-2017:0827-01, RHSA-2017:0828-01, RHSA-2017:0829-01, RHSA-2017:1675-01, RHSA-2017:1676-01, RHSA-2018:0002-01, RHSA-2018:0003-01, RHSA-2018:0004-01, RHSA-2018:0005-01, VIGILANCE-VUL-20541.

Description of the vulnerability

Several vulnerabilities were announced in JBoss RESTEasy.

An attacker can bypass security features via Async Jobs, in order to obtain sensitive information. [severity:2/4; 1372117, CVE-2016-6345]

An attacker can cause a fatal error via GZIPInterceptor, in order to trigger a denial of service. [severity:2/4; 1372120, CVE-2016-6346]

vulnerability note CVE-2014-3490

JBoss RESTEasy: external XML entity injection

Synthesis of the vulnerability

An attacker can transmit malicious XML data to JBoss RESTEasy, in order to read a file, scan sites, or trigger a denial of service.
Impacted products: Fedora, RESTEasy JBoss OpenSource, Oracle Communications, RHEL, JBoss EAP by Red Hat.
Severity: 2/4.
Consequences: data reading, denial of service on service.
Provenance: document.
Creation date: 27/04/2015.
Identifiers: 1107901, cpuoct2018, CVE-2014-3490, FEDORA-2014-16845, RHSA-2014:1011-01, RHSA-2014:1039-01, RHSA-2014:1040-01, RHSA-2014:1298-01, RHSA-2014:1904-01, RHSA-2015:0125-01, RHSA-2015:0234-01, RHSA-2015:0235-01, RHSA-2015:0675-01, RHSA-2015:0720-01, RHSA-2015:0765-01, RHSA-2015:1009, VIGILANCE-VUL-16714.

Description of the vulnerability

XML data can contain external entities (DTD):
  <!ENTITY name SYSTEM "file">
  <!ENTITY name SYSTEM "http://server/file">
A program which reads this XML data can replace each entity reference with the contents of the indicated file or URL. When the program uses XML data coming from an untrusted source, this behavior leads to:
 - content disclosure from files of the server
 - private web site scan
 - a denial of service by opening a file that blocks on read
This feature must be disabled to process XML data coming from an untrusted source.

However, the XML parser used by JBoss RESTEasy still resolves external entities, even when the resteasy.document.expand.entity.references parameter is set to false (the result of an incomplete fix for an earlier XXE issue).

An attacker can therefore transmit malicious XML data to JBoss RESTEasy, in order to read a file, scan sites, or trigger a denial of service.
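The following is an added example, not RESTEasy's code, showing what "disabling this feature" looks like in practice: a parser for untrusted XML that refuses any DOCTYPE with an external subset and any entity declaration (external or internal), so the entity mechanism described above never runs. It uses the Python standard library's expat binding rather than RESTEasy's Java parser; the function names, the error type and the sample documents (both the benign order and the XXE payloads) are constructed for the example.

```python
import xml.parsers.expat as expat


class UntrustedDtdError(ValueError):
    """Raised when untrusted XML declares a DTD feature we refuse to process."""


def parse_untrusted_xml(data: bytes) -> list:
    """Parses XML from an untrusted source with entity handling switched off.

    Returns a flat list of ("start", tag) / ("text", chunk) / ("end", tag)
    events; raises UntrustedDtdError as soon as the document declares an
    external DTD subset or any entity, before any body content is processed.
    """
    parser = expat.ParserCreate()
    parser.buffer_text = True          # deliver contiguous text as one chunk
    events = []

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # A SYSTEM/PUBLIC id on the DOCTYPE is an external subset that a
        # permissive parser would fetch from disk or network: refuse it.
        if sysid is not None or pubid is not None:
            raise UntrustedDtdError(f"external DTD subset refused: {sysid or pubid}")

    def entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # Any entity with a SYSTEM/PUBLIC id is an external entity (XXE).
        # Internal entities are refused too, to block entity-expansion DoS.
        kind = "external" if (sysid or pubid) else "internal"
        raise UntrustedDtdError(f"{kind} entity declaration refused: {name}")

    def external_entity_ref(context, base, sysid, pubid):
        # Belt and braces: never resolve an external reference.
        # Returning 0 makes expat abort the parse with an error.
        return 0

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = lambda tag, attrs: events.append(("start", tag))
    parser.EndElementHandler = lambda tag: events.append(("end", tag))
    parser.CharacterDataHandler = lambda chunk: events.append(("text", chunk))

    parser.Parse(data, True)
    return events


def rejects_untrusted_dtd(data: bytes) -> bool:
    """True if the document is refused because of its DTD, False if it parses."""
    try:
        parse_untrusted_xml(data)
    except UntrustedDtdError:
        return True
    return False


# Constructed samples: a benign document and three XXE-style payloads.
BENIGN = b"<order><id>42</id></order>"
XXE_FILE = (b'<?xml version="1.0"?>'
            b'<!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
            b"<order><id>&xxe;</id></order>")
XXE_EXTERNAL_DTD = b'<!DOCTYPE order SYSTEM "http://server/file"><order/>'
XXE_PARAM_ENTITY = (b'<!DOCTYPE order [<!ENTITY % p SYSTEM "http://server/file"> %p;]>'
                    b"<order/>")

if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN))
    for payload in (XXE_FILE, XXE_EXTERNAL_DTD, XXE_PARAM_ENTITY):
        print(rejects_untrusted_dtd(payload))   # True for each
```

Refusing the declaration, rather than merely not resolving it, is the simpler policy to audit: a document that needs a DTD at all is not something a REST endpoint should accept from the network, and the check fires before any element of the body is handed to application code.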