Fluid Attacks Database

Description

Exposure of class information in RESTEasy A flaw was found in RESTEasy in all current versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. The highest threat from this vulnerability is to data confidentiality.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.jboss.resteasy:resteasy-jaxrs	>=0 <3.11.5 \|\| >=3.15.0 <3.15.2 \|\| >=4.5.0 <4.5.10 \|\| >=4.6.0 <4.7.0	3.11.5.final, 3.15.2.final, 4.5.10.final, 4.7.0.final
maven	org.jboss.resteasy:resteasy-core	>=4.6.0 <4.6.1 \|\| >=4.0.0 <4.5.10 \|\| >=3.0.0 <3.16.0	4.6.1, 4.5.10, 3.16.0
maven	org.jboss.resteasy:resteasy-client	>=0 <3.11.5 \|\| >=3.15.0 <3.15.2 \|\| >=4.5.0 <4.5.10 \|\| >=4.6.0 <4.7.0	3.11.5.final, 3.15.2.final, 4.5.10.final, 4.7.0.final
rpm rhel7	resteasy-base	-	-
rpm rhel8	resteasy	-	-
rpm rhel9	resteasy	-	-

Aliases

1. CVE-2021-202892. NVD-2021-202893. OSV-2021-202894. GCVE-2021-20289

References

1. https://bugzilla.redhat.com/show_bug.cgi?id=19359272. https://bugzilla.redhat.com/show_bug.cgi?id=19415443. https://issues.redhat.com/browse/RESTEASY-28434. https://security.netapp.com/advisory/ntap-20210528-00085. https://www.oracle.com/security-alerts/cpuapr2022.html

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.