Fluid Attacks Database

Description

Cross-site scripting in RESTEasy A cross-site scripting (XSS) flaw was found in RESTEasy in versions before 3.11.1.Final and before 4.5.3.Final, where it did not properly handle URL encoding when the RESTEASY003870 exception occurs. An attacker could use this flaw to launch a reflected XSS attack.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.jboss.resteasy:resteasy-core	>=0 <3.11.1.final \|\| >=4.0.0 <4.5.3.final	3.11.1.final, 4.5.3.final
debian 14	resteasy3.0	>=0 <3.0.26-4	3.0.26-4
maven	org.jboss.resteasy:resteasy-bom	>=0 <3.11.1.final \|\| >=4.0.0 <4.5.3.final	3.11.1.final, 4.5.3.final
debian 13	resteasy3.0	>=0 <3.0.26-4	3.0.26-4
debian 12	resteasy3.0	>=0 <3.0.26-4	3.0.26-4
debian 11	resteasy3.0	=3.0.26-2 \|\| =3.0.26-3 \|\| =3.0.26-4 \|\| =3.0.26-5 \|\| =3.0.26-6	-
maven	org.jboss.resteasy:resteasy-jaxrs	>=0 <3.11.1 \|\| >=4.5.0 <4.5.3	3.11.1.final, 4.5.3

Aliases

1. CVE-2020-106882. NVD-2020-106883. OSV-2020-106884. OSV-DEBIAN-2020-106885. GCVE-2020-106886. SECURITY-TRACKER-CVE-2020-10688

References

1. https://github.com/quarkusio/quarkus/issues/72482. https://bugzilla.redhat.com/show_bug.cgi?id=18149743. https://issues.redhat.com/browse/RESTEASY-25194. https://security.netapp.com/advisory/ntap-20210706-0008