PT-2016-3452 · Red Hat · Resteasy

Moritz Bechler

Published

2016-12-01

Updated

2022-05-14

CVE-2016-9606

CVSS v3.1

8.1

High

Vector

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions RESTEasy versions prior to 3.1.2

Description The issue is related to insufficient input validation in the YamlProvider component, which could allow an attacker to execute arbitrary code with RESTEasy application permissions by forcing the application into parsing a request with YamlProvider, resulting in the unmarshalling of potentially untrusted data.

Recommendations For versions prior to 3.1.2, update to version 3.1.2 or later to resolve the issue. As a temporary workaround, consider disabling the YamlProvider component until a patch is available. Restrict access to the YamlProvider component to minimize the risk of exploitation.

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

BDU:2024-01097

CVE-2016-9606

GHSA-HGJR-XWJ3-JFVW

OESA-2021-1073

RHSA-2017:1253

RHSA-2017:1254

RHSA-2017:1256

RHSA-2017:1260

RHSA-2017:1410

RHSA-2017:1411

RHSA-2017:1412

Affected Products

Resteasy

PT-2016-3452 · Red Hat · Resteasy

CVE-2016-9606

Weakness Enumeration

Related Identifiers

Affected Products

References · 30