CVE-2021-20289 - Vulnerability Details

A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. The highest threat from this vulnerability is to data confidentiality.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Netapp	Oncommand Insight
Oracle	Communications Cloud Native Core Console
Quarkus	Quarkus
Redhat	Amq Broker Camel Quarkus Integration Jboss Enterprise Application Platform Jbosseapxp Openshift Application Runtimes Red Hat Single Sign On Resteasy Rhosemc

Configuration 1 [-]

cpe:2.3:a:redhat:resteasy:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*

Configuration 3 [-]

cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*

Configuration 4 [-]

cpe:2.3:a:oracle:communications_cloud_native_core_console:1.9.0:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
EAP 7.3.10 GA
resteasy-jaxrs	cpe:/a:redhat:jboss_enterprise_application_platform:7.3	RHSA-2021:5154	2021-12-15T00:00:00Z
EAP 7.4.2 release
	cpe:/a:redhat:jboss_enterprise_application_platform:7.4	RHSA-2021:4679	2021-11-15T00:00:00Z
Red Hat AMQ 7.9.0
resteasy-jaxrs	cpe:/a:redhat:amq_broker:7	RHSA-2021:3700	2021-09-30T00:00:00Z
Red Hat build of Quarkus 2.2.3
resteasy-core	cpe:/a:redhat:openshift_application_runtimes:1.0	RHSA-2021:3880	2021-10-20T00:00:00Z
Red Hat EAP-XP 2 via EAP 7.3.x base
resteasy-jaxrs	cpe:/a:redhat:jbosseapxp	RHSA-2022:0146	2022-01-17T00:00:00Z
Red Hat Integration Camel Quarkus 2
resteasy-core	cpe:/a:redhat:camel_quarkus:2.2	RHSA-2021:4767	2021-11-23T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6
eap7-apache-cxf-0:3.3.12-1.redhat_00001.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2021:5149	2021-12-15T00:00:00Z
eap7-ironjacamar-0:1.5.3-1.Final_redhat_00001.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2021:5149	2021-12-15T00:00:00Z
eap7-jakarta-el-0:3.0.3-3.redhat_00007.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2021:5149	2021-12-15T00:00:00Z
eap7-jboss-ejb-client-0:4.0.43-1.Final_redhat_00001.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2021:5149	2021-12-15T00:00:00Z
eap7-jboss-server-migration-0:1.7.2-10.Final_redhat_00011.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2021:5149	2021-12-15T00:00:00Z
eap7-jsoup-0:1.14.2-1.redhat_00002.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2021:5149	2021-12-15T00:00:00Z
eap7-resteasy-0:3.11.5-1.Final_redhat_00001.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2021:5149	2021-12-15T00:00:00Z
eap7-undertow-0:2.0.41-1.SP1_redhat_00001.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2021:5149	2021-12-15T00:00:00Z
eap7-wildfly-0:7.3.10-2.GA_redhat_00003.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2021:5149	2021-12-15T00:00:00Z
eap7-wildfly-elytron-0:1.10.15-1.Final_redhat_00001.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2021:5149	2021-12-15T00:00:00Z
eap7-wss4j-0:2.2.7-1.redhat_00001.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2021:5149	2021-12-15T00:00:00Z
eap7-xml-security-0:2.1.7-1.redhat_00001.1.el6eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6	RHSA-2021:5149	2021-12-15T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7
eap7-apache-cxf-0:3.3.12-1.redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2021:5150	2021-12-15T00:00:00Z
eap7-ironjacamar-0:1.5.3-1.Final_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2021:5150	2021-12-15T00:00:00Z
eap7-jakarta-el-0:3.0.3-3.redhat_00007.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2021:5150	2021-12-15T00:00:00Z
eap7-jboss-ejb-client-0:4.0.43-1.Final_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2021:5150	2021-12-15T00:00:00Z
eap7-jboss-server-migration-0:1.7.2-10.Final_redhat_00011.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2021:5150	2021-12-15T00:00:00Z
eap7-jsoup-0:1.14.2-1.redhat_00002.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2021:5150	2021-12-15T00:00:00Z
eap7-resteasy-0:3.11.5-1.Final_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2021:5150	2021-12-15T00:00:00Z
eap7-undertow-0:2.0.41-1.SP1_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2021:5150	2021-12-15T00:00:00Z
eap7-wildfly-0:7.3.10-2.GA_redhat_00003.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2021:5150	2021-12-15T00:00:00Z
eap7-wildfly-elytron-0:1.10.15-1.Final_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2021:5150	2021-12-15T00:00:00Z
eap7-wss4j-0:2.2.7-1.redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2021:5150	2021-12-15T00:00:00Z
eap7-xml-security-0:2.1.7-1.redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7	RHSA-2021:5150	2021-12-15T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8
eap7-apache-cxf-0:3.3.12-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2021:5151	2021-12-15T00:00:00Z
eap7-ironjacamar-0:1.5.3-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2021:5151	2021-12-15T00:00:00Z
eap7-jakarta-el-0:3.0.3-3.redhat_00007.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2021:5151	2021-12-15T00:00:00Z
eap7-jboss-ejb-client-0:4.0.43-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2021:5151	2021-12-15T00:00:00Z
eap7-jboss-server-migration-0:1.7.2-10.Final_redhat_00011.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2021:5151	2021-12-15T00:00:00Z
eap7-jsoup-0:1.14.2-1.redhat_00002.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2021:5151	2021-12-15T00:00:00Z
eap7-resteasy-0:3.11.5-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2021:5151	2021-12-15T00:00:00Z
eap7-undertow-0:2.0.41-1.SP1_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2021:5151	2021-12-15T00:00:00Z
eap7-wildfly-0:7.3.10-2.GA_redhat_00003.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2021:5151	2021-12-15T00:00:00Z
eap7-wildfly-elytron-0:1.10.15-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2021:5151	2021-12-15T00:00:00Z
eap7-wss4j-0:2.2.7-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2021:5151	2021-12-15T00:00:00Z
eap7-xml-security-0:2.1.7-1.redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8	RHSA-2021:5151	2021-12-15T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8
eap7-resteasy-0:3.15.2-1.Final_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2021:4677	2021-11-15T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7
eap7-resteasy-0:3.15.2-1.Final_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7	RHSA-2021:4676	2021-11-15T00:00:00Z
Red Hat Single Sign-On 7.4.10
resteasy-jaxrs	cpe:/a:redhat:red_hat_single_sign_on:7	RHSA-2021:5170	2021-12-15T00:00:00Z
Red Hat Single Sign-On 7.5 for RHEL 7
rh-sso7-keycloak-0:15.0.4-1.redhat_00001.1.el7sso	cpe:/a:redhat:red_hat_single_sign_on:7.5::el7	RHSA-2022:0151	2022-01-17T00:00:00Z
Red Hat Single Sign-On 7.5 for RHEL 8
rh-sso7-keycloak-0:15.0.4-1.redhat_00001.1.el8sso	cpe:/a:redhat:red_hat_single_sign_on:7.5::el8	RHSA-2022:0152	2022-01-17T00:00:00Z
Red Hat Support for Spring Boot 2.5.10
resteasy-jaxrs	cpe:/a:redhat:openshift_application_runtimes:1.0	RHSA-2022:1179	2022-04-12T00:00:00Z
RHAF Camel-K 1.8
resteasy-core	cpe:/a:redhat:integration:1	RHSA-2022:6407	2022-09-09T00:00:00Z
RHEL-8 based Middleware Containers
rh-sso-7/sso75-openshift-rhel8:7.5-15	cpe:/a:redhat:rhosemc:1.0::el8	RHSA-2022:0164	2022-01-18T00:00:00Z
RHINT Service Registry 2.0.2 GA
resteasy-core	cpe:/a:redhat:integration:1	RHSA-2021:4100	2021-11-02T00:00:00Z
RHSSO 7.5.1
	cpe:/a:redhat:red_hat_single_sign_on:7	RHSA-2022:0155	2022-01-17T00:00:00Z

References

Link	Providers
https://bugzilla.redhat.com/show_bug.cgi?id=1935927
https://nvd.nist.gov/vuln/detail/CVE-2021-20289
https://www.cve.org/CVERecord?id=CVE-2021-20289
https://www.oracle.com/security-alerts/cpuapr2022.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2021-03-26T16:28:44

Updated: 2024-08-03T17:37:23.769Z

Reserved: 2020-12-17T00:00:00

Link: CVE-2021-20289

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-03-26T17:15:13.217

Modified: 2024-11-21T05:46:17.387

Link: CVE-2021-20289

Redhat

Severity : Low

Publid Date: 2021-03-03T00:00:00Z

Links: CVE-2021-20289 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "resteasy", "vendor": "n/a", "versions": [{"status": "affected", "version": "resteasy 3.11.5.Final, resteasy 3.15.2.Final, resteasy 4.5.10.Final, resteasy 4.6.1.Final, resteasy 4.6.2.Final"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. The highest threat from this vulnerability is to data confidentiality."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-209", "description": "CWE-209", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-04-19T23:23:45", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1935927"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2021-20289", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "resteasy", "version": {"version_data": [{"version_value": "resteasy 3.11.5.Final, resteasy 3.15.2.Final, resteasy 4.5.10.Final, resteasy 4.6.1.Final, resteasy 4.6.2.Final"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. The highest threat from this vulnerability is to data confidentiality."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-209"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1935927", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1935927"}, {"name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T17:37:23.769Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1935927"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2021-20289", "datePublished": "2021-03-26T16:28:44", "dateReserved": "2020-12-17T00:00:00", "dateUpdated": "2024-08-03T17:37:23.769Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:resteasy:*:*:*:*:*:*:*:*", "matchCriteriaId": "EDB9A229-3B62-487E-B31D-580445DAFE8D", "versionEndIncluding": "4.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*", "matchCriteriaId": "F1BE6C1F-2565-4E97-92AA-16563E5660A5", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", "matchCriteriaId": "5D115261-69F8-4854-B5DE-656858132B62", "versionEndExcluding": "1.13.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_console:1.9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DAAB7154-4DE8-4806-86D0-C1D33B84417B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. The highest threat from this vulnerability is to data confidentiality."}, {"lang": "es", "value": "Se detect\u00f3 un fallo en RESTEasy en todas las versiones de RESTEasy hasta 4.6.0.Final. Los nombres de m\u00e9todos y clases de endpoint son devueltos como parte de la respuesta de excepci\u00f3n cuando RESTEasy no puede convertir uno de los valores de consulta o ruta del URI de petici\u00f3n a el valor del par\u00e1metro de m\u00e9todo del recurso JAX-RS correspondiente. La mayor amenaza de esta vulnerabilidad es la confidencialidad de los datos."}], "id": "CVE-2021-20289", "lastModified": "2024-11-21T05:46:17.387", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-03-26T17:15:13.217", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1935927"}, {"source": "secalert@redhat.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1935927"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-209"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-209"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank Dirk Papenberg (NTT DATA Germany) for reporting this issue.", "affected_release": [{"advisory": "RHSA-2021:5154", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3", "package": "resteasy-jaxrs", "product_name": "EAP 7.3.10 GA", "release_date": "2021-12-15T00:00:00Z"}, {"advisory": "RHSA-2021:4679", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4", "product_name": "EAP 7.4.2 release", "release_date": "2021-11-15T00:00:00Z"}, {"advisory": "RHSA-2021:3700", "cpe": "cpe:/a:redhat:amq_broker:7", "package": "resteasy-jaxrs", "product_name": "Red Hat AMQ 7.9.0", "release_date": "2021-09-30T00:00:00Z"}, {"advisory": "RHSA-2021:3880", "cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "package": "resteasy-core", "product_name": "Red Hat build of Quarkus 2.2.3", "release_date": "2021-10-20T00:00:00Z"}, {"advisory": "RHSA-2022:0146", "cpe": "cpe:/a:redhat:jbosseapxp", "package": "resteasy-jaxrs", "product_name": "Red Hat EAP-XP 2 via EAP 7.3.x base", "release_date": "2022-01-17T00:00:00Z"}, {"advisory": "RHSA-2021:4767", "cpe": "cpe:/a:redhat:camel_quarkus:2.2", "impact": "low", "package": "resteasy-core", "product_name": "Red Hat Integration Camel Quarkus 2", "release_date": "2021-11-23T00:00:00Z"}, {"advisory": "RHSA-2021:5149", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package": "eap7-apache-cxf-0:3.3.12-1.redhat_00001.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date": "2021-12-15T00:00:00Z"}, {"advisory": "RHSA-2021:5149", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package": "eap7-ironjacamar-0:1.5.3-1.Final_redhat_00001.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date": "2021-12-15T00:00:00Z"}, {"advisory": "RHSA-2021:5149", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package": "eap7-jakarta-el-0:3.0.3-3.redhat_00007.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date": "2021-12-15T00:00:00Z"}, {"advisory": "RHSA-2021:5149", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package": "eap7-jboss-ejb-client-0:4.0.43-1.Final_redhat_00001.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date": "2021-12-15T00:00:00Z"}, {"advisory": "RHSA-2021:5149", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package": "eap7-jboss-server-migration-0:1.7.2-10.Final_redhat_00011.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date": "2021-12-15T00:00:00Z"}, {"advisory": "RHSA-2021:5149", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package": "eap7-jsoup-0:1.14.2-1.redhat_00002.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date": "2021-12-15T00:00:00Z"}, {"advisory": "RHSA-2021:5149", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package": "eap7-resteasy-0:3.11.5-1.Final_redhat_00001.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date": "2021-12-15T00:00:00Z"}, {"advisory": "RHSA-2021:5149", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package": "eap7-undertow-0:2.0.41-1.SP1_redhat_00001.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date": "2021-12-15T00:00:00Z"}, {"advisory": "RHSA-2021:5149", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package": "eap7-wildfly-0:7.3.10-2.GA_redhat_00003.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date": "2021-12-15T00:00:00Z"}, {"advisory": "RHSA-2021:5149", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package": "eap7-wildfly-elytron-0:1.10.15-1.Final_redhat_00001.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date": "2021-12-15T00:00:00Z"}, {"advisory": "RHSA-2021:5149", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package": "eap7-wss4j-0:2.2.7-1.redhat_00001.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date": "2021-12-15T00:00:00Z"}, {"advisory": "RHSA-2021:5149", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el6", "package": "eap7-xml-security-0:2.1.7-1.redhat_00001.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6", "release_date": "2021-12-15T00:00:00Z"}, {"advisory": "RHSA-2021:5150", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package": "eap7-apache-cxf-0:3.3.12-1.redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date": "2021-12-15T00:00:00Z"}, {"advisory": "RHSA-2021:5150", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package": "eap7-ironjacamar-0:1.5.3-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date": "2021-12-15T00:00:00Z"}, {"advisory": "RHSA-2021:5150", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package": "eap7-jakarta-el-0:3.0.3-3.redhat_00007.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date": "2021-12-15T00:00:00Z"}, {"advisory": "RHSA-2021:5150", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package": "eap7-jboss-ejb-client-0:4.0.43-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date": "2021-12-15T00:00:00Z"}, {"advisory": "RHSA-2021:5150", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package": "eap7-jboss-server-migration-0:1.7.2-10.Final_redhat_00011.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date": "2021-12-15T00:00:00Z"}, {"advisory": "RHSA-2021:5150", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package": "eap7-jsoup-0:1.14.2-1.redhat_00002.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date": "2021-12-15T00:00:00Z"}, {"advisory": "RHSA-2021:5150", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package": "eap7-resteasy-0:3.11.5-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date": "2021-12-15T00:00:00Z"}, {"advisory": "RHSA-2021:5150", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package": "eap7-undertow-0:2.0.41-1.SP1_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date": "2021-12-15T00:00:00Z"}, {"advisory": "RHSA-2021:5150", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package": "eap7-wildfly-0:7.3.10-2.GA_redhat_00003.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date": "2021-12-15T00:00:00Z"}, {"advisory": "RHSA-2021:5150", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package": "eap7-wildfly-elytron-0:1.10.15-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date": "2021-12-15T00:00:00Z"}, {"advisory": "RHSA-2021:5150", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package": "eap7-wss4j-0:2.2.7-1.redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date": "2021-12-15T00:00:00Z"}, {"advisory": "RHSA-2021:5150", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el7", "package": "eap7-xml-security-0:2.1.7-1.redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7", "release_date": "2021-12-15T00:00:00Z"}, {"advisory": "RHSA-2021:5151", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package": "eap7-apache-cxf-0:3.3.12-1.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date": "2021-12-15T00:00:00Z"}, {"advisory": "RHSA-2021:5151", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package": "eap7-ironjacamar-0:1.5.3-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date": "2021-12-15T00:00:00Z"}, {"advisory": "RHSA-2021:5151", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package": "eap7-jakarta-el-0:3.0.3-3.redhat_00007.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date": "2021-12-15T00:00:00Z"}, {"advisory": "RHSA-2021:5151", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package": "eap7-jboss-ejb-client-0:4.0.43-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date": "2021-12-15T00:00:00Z"}, {"advisory": "RHSA-2021:5151", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package": "eap7-jboss-server-migration-0:1.7.2-10.Final_redhat_00011.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date": "2021-12-15T00:00:00Z"}, {"advisory": "RHSA-2021:5151", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package": "eap7-jsoup-0:1.14.2-1.redhat_00002.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date": "2021-12-15T00:00:00Z"}, {"advisory": "RHSA-2021:5151", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package": "eap7-resteasy-0:3.11.5-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date": "2021-12-15T00:00:00Z"}, {"advisory": "RHSA-2021:5151", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package": "eap7-undertow-0:2.0.41-1.SP1_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date": "2021-12-15T00:00:00Z"}, {"advisory": "RHSA-2021:5151", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package": "eap7-wildfly-0:7.3.10-2.GA_redhat_00003.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date": "2021-12-15T00:00:00Z"}, {"advisory": "RHSA-2021:5151", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package": "eap7-wildfly-elytron-0:1.10.15-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date": "2021-12-15T00:00:00Z"}, {"advisory": "RHSA-2021:5151", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package": "eap7-wss4j-0:2.2.7-1.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date": "2021-12-15T00:00:00Z"}, {"advisory": "RHSA-2021:5151", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.3::el8", "package": "eap7-xml-security-0:2.1.7-1.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8", "release_date": "2021-12-15T00:00:00Z"}, {"advisory": "RHSA-2021:4677", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-resteasy-0:3.15.2-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2021-11-15T00:00:00Z"}, {"advisory": "RHSA-2021:4676", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-resteasy-0:3.15.2-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2021-11-15T00:00:00Z"}, {"advisory": "RHSA-2021:5170", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "package": "resteasy-jaxrs", "product_name": "Red Hat Single Sign-On 7.4.10", "release_date": "2021-12-15T00:00:00Z"}, {"advisory": "RHSA-2022:0151", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.5::el7", "package": "rh-sso7-keycloak-0:15.0.4-1.redhat_00001.1.el7sso", "product_name": "Red Hat Single Sign-On 7.5 for RHEL 7", "release_date": "2022-01-17T00:00:00Z"}, {"advisory": "RHSA-2022:0152", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.5::el8", "package": "rh-sso7-keycloak-0:15.0.4-1.redhat_00001.1.el8sso", "product_name": "Red Hat Single Sign-On 7.5 for RHEL 8", "release_date": "2022-01-17T00:00:00Z"}, {"advisory": "RHSA-2022:1179", "cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "package": "resteasy-jaxrs", "product_name": "Red Hat Support for Spring Boot 2.5.10", "release_date": "2022-04-12T00:00:00Z"}, {"advisory": "RHSA-2022:6407", "cpe": "cpe:/a:redhat:integration:1", "package": "resteasy-core", "product_name": "RHAF Camel-K 1.8", "release_date": "2022-09-09T00:00:00Z"}, {"advisory": "RHSA-2022:0164", "cpe": "cpe:/a:redhat:rhosemc:1.0::el8", "package": "rh-sso-7/sso75-openshift-rhel8:7.5-15", "product_name": "RHEL-8 based Middleware Containers", "release_date": "2022-01-18T00:00:00Z"}, {"advisory": "RHSA-2021:4100", "cpe": "cpe:/a:redhat:integration:1", "package": "resteasy-core", "product_name": "RHINT Service Registry 2.0.2 GA", "release_date": "2021-11-02T00:00:00Z"}, {"advisory": "RHSA-2022:0155", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "product_name": "RHSSO 7.5.1", "release_date": "2022-01-17T00:00:00Z"}], "bugzilla": {"description": "resteasy: Error message exposes endpoint class information", "id": "1935927", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1935927"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "status": "verified"}, "cwe": "CWE-209", "details": ["A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. The highest threat from this vulnerability is to data confidentiality.", "A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. The highest threat from this vulnerability is to data confidentiality."], "name": "CVE-2021-20289", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform", "fix_state": "Out of support scope", "package_name": "resteasy-jaxrs", "product_name": "Red Hat BPM Suite 6"}, {"cpe": "cpe:/a:redhat:jboss_developer_studio:12.", "fix_state": "Fix deferred", "package_name": "resteasy-jaxrs", "product_name": "Red Hat CodeReady Studio 12"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7", "fix_state": "Not affected", "package_name": "resteasy-jaxrs", "product_name": "Red Hat Decision Manager 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "resteasy-base", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "pki-deps:10.6/resteasy", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "resteasy", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Affected", "package_name": "resteasy-core", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Affected", "package_name": "resteasy-core", "product_name": "Red Hat Integration Camel K 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:5", "fix_state": "Out of support scope", "package_name": "resteasy-jaxrs", "product_name": "Red Hat JBoss BRMS 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:6", "fix_state": "Out of support scope", "package_name": "resteasy-jaxrs", "product_name": "Red Hat JBoss BRMS 6"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Out of support scope", "package_name": "resteasy-jaxrs", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_data_virtualization:6", "fix_state": "Out of support scope", "package_name": "resteasy-jaxrs", "product_name": "Red Hat JBoss Data Virtualization 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Out of support scope", "package_name": "resteasy-jaxrs", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Out of support scope", "package_name": "resteasy-jaxrs", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Out of support scope", "package_name": "resteasy-jaxrs", "product_name": "Red Hat JBoss Fuse Service Works 6"}, {"cpe": "cpe:/a:redhat:jboss_operations_network:3", "fix_state": "Out of support scope", "package_name": "resteasy-jaxrs", "product_name": "Red Hat JBoss Operations Network 3"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Out of support scope", "package_name": "resteasy-jaxrs", "product_name": "Red Hat OpenShift Application Runtimes"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Not affected", "package_name": "resteasy-jaxrs", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Fix deferred", "package_name": "candlepin", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Affected", "package_name": "resteasy-jaxrs", "product_name": "Red Hat support for Spring Boot"}], "public_date": "2021-03-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-20289\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-20289"], "threat_severity": "Low"}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object