Fluid Attacks Database

Description

Improper Input Validation in RESTEasy A flaw was found in all resteasy 3.x.x versions prior to 3.12.0.Final and all resteasy 4.x.x versions prior to 4.6.0.Final, where an improper input validation results in returning an illegal header that integrates into the server's response. This flaw may result in an injection, which leads to unexpected behavior when the HTTP response is constructed.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.jboss.resteasy:resteasy-jaxrs-all	>=3.0.0 <3.12.0 \|\| >=4.0.0 <4.0.6	3.12.0.final
debian 14	resteasy3.0	>=0 <3.0.26-2	3.0.26-2
debian 11	resteasy3.0	>=0 <3.0.26-2	3.0.26-2
maven	org.jboss.resteasy:resteasy-client	>=4.0.0 <4.6.0 \|\| >=3.0.0 <3.12.0	4.6.0, 3.12.0
debian 13	resteasy3.0	>=0 <3.0.26-2	3.0.26-2
debian 12	resteasy3.0	>=0 <3.0.26-2	3.0.26-2
rpm rhel8	pki-core	<0:10.10.5-2.module+el8.4.0+10466+9830f79e	0:10.10.5-2.module+el8.4.0+10466+9830f79e
rpm rhel7	resteasy-base	-	-

Aliases

1. CVE-2020-16952. NVD-2020-16953. OSV-2020-16954. OSV-DEBIAN-2020-16955. GCVE-2020-16956. bugzilla.redhat.com7. SECURITY-TRACKER-CVE-2020-1695

References

1. https://github.com/dawetmaster/CVE-2020-1695-Resteasy-vulnerable2. https://github.com/resteasy/Resteasy/commit/88ba8537f2e8d465c7031d352bf9bb25526ce4753. https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-16954. https://lists.fedoraproject.org/archives/list/[email protected]/message/IJDMT443YZWCBS5NS76XZ7TL3GK7BXHL5. https://lists.fedoraproject.org/archives/list/[email protected]/message/RX22C6I56BJUER76IIPYHGZIWBQIU3CQ