org.jboss.resteasy:resteasy-jaxrs@2.3.10.Final vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.jboss.resteasy:resteasy-jaxrs package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
Improper Input Validation

org.jboss.resteasy:resteasy-jaxrs is a JCP specification that provides a Java API for RESTful Web Services over the HTTP protocol.

Affected versions of this package are vulnerable to Improper Input Validation in MediaTypeHeaderDelegate.java class results in the class returning an illegal header that will be then integrated in the server's response.

How to fix Improper Input Validation?

Upgrade org.jboss.resteasy:resteasy-jaxrs to version 3.11.0.Final or higher.

[,3.11.0.Final)
  • H
HTTP Request Smuggling

org.jboss.resteasy:resteasy-jaxrs is a JCP specification that provides a Java API for RESTful Web Services over the HTTP protocol.

Affected versions of this package are vulnerable to HTTP Request Smuggling. It was discovered that the CORS Filter did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.

How to fix HTTP Request Smuggling?

Upgrade org.jboss.resteasy:resteasy-jaxrs to version 3.5.0.CR1, 3.0.25.Final or higher.

[3.1.0.Beta1,3.5.0.CR1) [,3.0.25.Final)
  • M
XML External Entity (XXE) Injection

org.jboss.resteasy:resteasy-jaxrs DocumentProvider in RESTEasy 2.3.7 and 3.0.9 does not configure the (1) external-general-entities or (2) external-parameter-entities features, which allows remote attackers to conduct XML external entity (XXE) attacks via unspecified vectors.

[2.1-beta-1,3.0.0.Final) [2,2.3.7.Final) [2,2.3.9.Final) [2.3,2.3.8.SP3-redhat-2) [3.0.0.Final,3.0.10.Final)
  • M
Cross-site Scripting (XSS)

org.jboss.resteasy:resteasy-jaxrs is a JCP specification that provides a Java API for RESTful Web Services over the HTTP protocol.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). It was found that the default exception handler in RESTEasy did not properly validate user input.

How to fix Cross-site Scripting (XSS)?

Upgrade org.jboss.resteasy:resteasy-jaxrs to version 3.0.20.Final, 3.1.0.CR1 or higher.

[0,3.0.20.Final) [3.1.0.Beta1,3.1.0.CR1)
  • M
Information Exposure

org.jboss.resteasy:resteasy-jaxrs is a JCP specification that provides a Java API for RESTful Web Services over the HTTP protocol.

Affected versions of this package are vulnerable to Information Exposure. It allows remote authenticated users to obtain sensitive information by leveraging insufficient use of random values in async jobs.

How to fix Information Exposure?

Upgrade org.jboss.resteasy:resteasy-jaxrs to version 3.1.0.CR1 or higher.

[,3.1.0.CR1)