org.jboss.resteasy:resteasy-core 4.1.1.Final vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.jboss.resteasy:resteasy-core package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M Creation of Temporary File With Insecure Permissions org.jboss.resteasy:resteasy-core is a JBoss.org project aimed at providing productivity frameworks for developing client and server RESTful applications and services in Java. Affected versions of this package are vulnerable to Creation of Temporary File With Insecure Permissions such that the insecure `File.createTempFile()` which is used in the `DataSourceProvider`, `FileProvider` and `Mime4JWorkaround` classes creates temp files with insecure permissions that could be read by a local user. How to fix Creation of Temporary File With Insecure Permissions? Upgrade `org.jboss.resteasy:resteasy-core` to version 4.7.8.Final or higher.	[0,4.7.8.Final)
M Cross-site Scripting (XSS) org.jboss.resteasy:resteasy-core is a JBoss.org project aimed at providing productivity frameworks for developing client and server RESTful applications and services in Java. Affected versions of this package are vulnerable to Cross-site Scripting (XSS). Does not properly handle URL encoding when calling `@javax.ws.rs.PathParam` without any `@Produces` `MediaType`. This flaw allows an attacker to launch a reflected XSS attack. The highest threat from this vulnerability is to data confidentiality and integrity. How to fix Cross-site Scripting (XSS)? Upgrade `org.jboss.resteasy:resteasy-core` to version 4.6.0.Final or higher.	[,4.6.0.Final)
H Denial of Service (DoS) org.jboss.resteasy:resteasy-core is a JBoss.org project aimed at providing productivity frameworks for developing client and server RESTful applications and services in Java. Affected versions of this package are vulnerable to Denial of Service (DoS). A vulnerability was found in RESTEasy, where RootNode incorrectly caches routes. This issue results in hash flooding, leading to slower requests with higher CPU time spent searching and adding the entry. This flaw allows an attacker to cause a denial of service. How to fix Denial of Service (DoS)? Upgrade `org.jboss.resteasy:resteasy-core` to version 4.5.6.Final or higher.	[,4.5.6.Final)
M Information Exposure org.jboss.resteasy:resteasy-core is a JBoss.org project aimed at providing productivity frameworks for developing client and server RESTful applications and services in Java. Affected versions of this package are vulnerable to Information Exposure. The endpoint class and method names are returned as part of the exception response when `Resteasy` cannot convert one of the request URI `path` / `query` / `matrix` parameters to a value expected by a given class `resource`/`method` method parameter. How to fix Information Exposure? Upgrade `org.jboss.resteasy:resteasy-core` to version 4.6.1, 4.5.10, 3.16.0 or higher.	[4.6.0,4.6.1)[4.0.0,4.5.10)[3.0.0,3.16.0)

Vulnerability

Vulnerable Version

Creation of Temporary File With Insecure Permissions

org.jboss.resteasy:resteasy-core is a JBoss.org project aimed at providing productivity frameworks for developing client and server RESTful applications and services in Java.

Affected versions of this package are vulnerable to Creation of Temporary File With Insecure Permissions such that the insecure File.createTempFile() which is used in the DataSourceProvider, FileProvider and Mime4JWorkaround classes creates temp files with insecure permissions that could be read by a local user.

How to fix Creation of Temporary File With Insecure Permissions?

Upgrade org.jboss.resteasy:resteasy-core to version 4.7.8.Final or higher.

[0,4.7.8.Final)

Cross-site Scripting (XSS)

org.jboss.resteasy:resteasy-core is a JBoss.org project aimed at providing productivity frameworks for developing client and server RESTful applications and services in Java.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). Does not properly handle URL encoding when calling @javax.ws.rs.PathParam without any @Produces MediaType. This flaw allows an attacker to launch a reflected XSS attack. The highest threat from this vulnerability is to data confidentiality and integrity.

How to fix Cross-site Scripting (XSS)?

Upgrade org.jboss.resteasy:resteasy-core to version 4.6.0.Final or higher.

[,4.6.0.Final)

Denial of Service (DoS)

org.jboss.resteasy:resteasy-core is a JBoss.org project aimed at providing productivity frameworks for developing client and server RESTful applications and services in Java.

Affected versions of this package are vulnerable to Denial of Service (DoS). A vulnerability was found in RESTEasy, where RootNode incorrectly caches routes. This issue results in hash flooding, leading to slower requests with higher CPU time spent searching and adding the entry. This flaw allows an attacker to cause a denial of service.

How to fix Denial of Service (DoS)?

Upgrade org.jboss.resteasy:resteasy-core to version 4.5.6.Final or higher.

[,4.5.6.Final)

Information Exposure

org.jboss.resteasy:resteasy-core is a JBoss.org project aimed at providing productivity frameworks for developing client and server RESTful applications and services in Java.

Affected versions of this package are vulnerable to Information Exposure. The endpoint class and method names are returned as part of the exception response when Resteasy cannot convert one of the request URI path / query / matrix parameters to a value expected by a given class resource/method method parameter.

How to fix Information Exposure?

Upgrade org.jboss.resteasy:resteasy-core to version 4.6.1, 4.5.10, 3.16.0 or higher.

[4.6.0,4.6.1)[4.0.0,4.5.10)[3.0.0,3.16.0)

org.jboss.resteasy:resteasy-core@4.1.1.Final vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities

How to fix?