PT-2021-6993 · Red Hat+3 · Resteasy+3

Published: 2021-03-26 · Updated: 2025-08-07 · CVE-2021-20289

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: RESTEasy versions up to 4.6.0.Final

Description: A flaw was found in RESTEasy. When RESTEasy cannot convert a request URI path or query value to the parameter type of the matching JAX-RS resource method (for example, a non-numeric path segment bound to an int parameter), the error response it generates includes the endpoint's class name and method name. An unauthenticated remote client can therefore learn internal implementation details of the application simply by sending malformed parameter values. This is a data confidentiality issue (CVSS confidentiality impact Low; no integrity or availability impact).

Recommendations: For versions up to 4.6.0.Final, update to a version later than 4.6.0.Final, in which the generated error message no longer includes these names. As a temporary workaround, prevent the framework-generated diagnostic from reaching clients, for example by registering an application-level exception mapper that keeps the 404/400 status but returns a generic response body, and confirm with a malformed request (a non-numeric value for a numeric path parameter) that the body no longer contains class or method names.
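The following is an added example, not RESTEasy's own code or text from this advisory. It shows a hypothetical JAX-RS resource whose int parameters trigger the conversion failure described above, together with the workaround named in the recommendations: an ExceptionMapper that preserves the status RESTEasy chose but replaces the body with a fixed string. The package, class and method names (com.example.api, OrderResource, SafeWebApplicationExceptionMapper) are illustrative, and the code assumes the conversion failure surfaces as a javax.ws.rs.WebApplicationException subclass without a response entity, so that a registered mapper is consulted; that assumption must be verified on the deployed version as the comments describe.

```java
// File: OrderResource.java  (hypothetical application code, not RESTEasy's)
package com.example.api;

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

@Path("/orders")
public class OrderResource {

    // GET /orders/abc?limit=5 cannot convert "abc" to int. On affected
    // RESTEasy versions the error body generated for that failure names
    // this class and this method; that is the CVE-2021-20289 disclosure.
    @GET
    @Path("/{id}")
    @Produces(MediaType.TEXT_PLAIN)
    public Response get(@PathParam("id") int id,
                        @QueryParam("limit") int limit) {
        return Response.ok("order " + id + " limit " + limit).build();
    }
}

// File: SafeWebApplicationExceptionMapper.java  (hypothetical workaround)
package com.example.api;

import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.ExceptionMapper;
import javax.ws.rs.ext.Provider;

// Assumption: the parameter-conversion failure reaches this mapper as a
// WebApplicationException subclass (NotFoundException for path parameters,
// BadRequestException for query parameters, as JAX-RS prescribes) whose
// diagnostic text lives in the exception message, not in a response entity.
// Verify on the running version: `curl -i http://host/orders/abc` must
// return a body that contains neither "OrderResource" nor "get".
@Provider
public class SafeWebApplicationExceptionMapper
        implements ExceptionMapper<WebApplicationException> {

    @Override
    public Response toResponse(WebApplicationException e) {
        int status = e.getResponse().getStatus();
        // Keep the status RESTEasy selected (404 or 400 here) but substitute
        // a fixed body, so the framework's diagnostic, including class and
        // method names, is never written to the client. The discarded
        // e.getMessage() can be logged server-side if it is needed.
        String body = status >= 500 ? "Internal error" : "Invalid request";
        return Response.status(status)
                .type(MediaType.TEXT_PLAIN)
                .entity(body)
                .build();
    }
}
```

This mapper also rewrites the body of any other WebApplicationException the application raises without an entity; if that is too broad, register separate mappers for javax.ws.rs.NotFoundException and javax.ws.rs.BadRequestException instead. It is a stopgap for the disclosure only; the upgrade remains the actual fix.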

Fix

Weakness Enumeration

Generation of Error Message Containing Sensitive Information (CWE-209)

Exposure of Resource to Wrong Sphere (CWE-668)

Information Disclosure

Related Identifiers

BDU:2022-02827
CVE-2021-20289
GHSA-244R-FCJ3-GHJQ
OESA-2021-1171
RHSA-2021:4676
RHSA-2021:4677
RHSA-2021:5149
RHSA-2021:5150
RHSA-2021:5151
RHSA-2022:0151
RHSA-2022:0152
USN-7351-1
USN-7630-1

Affected Products

Linuxmint
Resteasy
RED OS
Ubuntu