CVE-2021-20289
First published: Wed Mar 03 2021(Updated: )
A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. The highest threat from this vulnerability is to data confidentiality.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/eap7-apache-cxf | <0:3.3.12-1.redhat_00001.1.el6ea | 0:3.3.12-1.redhat_00001.1.el6ea |
| redhat/eap7-ironjacamar | <0:1.5.3-1.Final_redhat_00001.1.el6ea | 0:1.5.3-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-jakarta-el | <0:3.0.3-3.redhat_00007.1.el6ea | 0:3.0.3-3.redhat_00007.1.el6ea |
| redhat/eap7-jboss-ejb-client | <0:4.0.43-1.Final_redhat_00001.1.el6ea | 0:4.0.43-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-jboss-server-migration | <0:1.7.2-10.Final_redhat_00011.1.el6ea | 0:1.7.2-10.Final_redhat_00011.1.el6ea |
| redhat/eap7-jsoup | <0:1.14.2-1.redhat_00002.1.el6ea | 0:1.14.2-1.redhat_00002.1.el6ea |
| redhat/eap7-resteasy | <0:3.11.5-1.Final_redhat_00001.1.el6ea | 0:3.11.5-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-undertow | <0:2.0.41-1.SP1_redhat_00001.1.el6ea | 0:2.0.41-1.SP1_redhat_00001.1.el6ea |
| redhat/eap7-wildfly | <0:7.3.10-2.GA_redhat_00003.1.el6ea | 0:7.3.10-2.GA_redhat_00003.1.el6ea |
| redhat/eap7-wildfly-elytron | <0:1.10.15-1.Final_redhat_00001.1.el6ea | 0:1.10.15-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-wss4j | <0:2.2.7-1.redhat_00001.1.el6ea | 0:2.2.7-1.redhat_00001.1.el6ea |
| redhat/eap7-xml-security | <0:2.1.7-1.redhat_00001.1.el6ea | 0:2.1.7-1.redhat_00001.1.el6ea |
| redhat/eap7-apache-cxf | <0:3.3.12-1.redhat_00001.1.el7ea | 0:3.3.12-1.redhat_00001.1.el7ea |
| redhat/eap7-ironjacamar | <0:1.5.3-1.Final_redhat_00001.1.el7ea | 0:1.5.3-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-jakarta-el | <0:3.0.3-3.redhat_00007.1.el7ea | 0:3.0.3-3.redhat_00007.1.el7ea |
| redhat/eap7-jboss-ejb-client | <0:4.0.43-1.Final_redhat_00001.1.el7ea | 0:4.0.43-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-jboss-server-migration | <0:1.7.2-10.Final_redhat_00011.1.el7ea | 0:1.7.2-10.Final_redhat_00011.1.el7ea |
| redhat/eap7-jsoup | <0:1.14.2-1.redhat_00002.1.el7ea | 0:1.14.2-1.redhat_00002.1.el7ea |
| redhat/eap7-resteasy | <0:3.11.5-1.Final_redhat_00001.1.el7ea | 0:3.11.5-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-undertow | <0:2.0.41-1.SP1_redhat_00001.1.el7ea | 0:2.0.41-1.SP1_redhat_00001.1.el7ea |
| redhat/eap7-wildfly | <0:7.3.10-2.GA_redhat_00003.1.el7ea | 0:7.3.10-2.GA_redhat_00003.1.el7ea |
| redhat/eap7-wildfly-elytron | <0:1.10.15-1.Final_redhat_00001.1.el7ea | 0:1.10.15-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-wss4j | <0:2.2.7-1.redhat_00001.1.el7ea | 0:2.2.7-1.redhat_00001.1.el7ea |
| redhat/eap7-xml-security | <0:2.1.7-1.redhat_00001.1.el7ea | 0:2.1.7-1.redhat_00001.1.el7ea |
| redhat/eap7-apache-cxf | <0:3.3.12-1.redhat_00001.1.el8ea | 0:3.3.12-1.redhat_00001.1.el8ea |
| redhat/eap7-ironjacamar | <0:1.5.3-1.Final_redhat_00001.1.el8ea | 0:1.5.3-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-jakarta-el | <0:3.0.3-3.redhat_00007.1.el8ea | 0:3.0.3-3.redhat_00007.1.el8ea |
| redhat/eap7-jboss-ejb-client | <0:4.0.43-1.Final_redhat_00001.1.el8ea | 0:4.0.43-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-jboss-server-migration | <0:1.7.2-10.Final_redhat_00011.1.el8ea | 0:1.7.2-10.Final_redhat_00011.1.el8ea |
| redhat/eap7-jsoup | <0:1.14.2-1.redhat_00002.1.el8ea | 0:1.14.2-1.redhat_00002.1.el8ea |
| redhat/eap7-resteasy | <0:3.11.5-1.Final_redhat_00001.1.el8ea | 0:3.11.5-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-undertow | <0:2.0.41-1.SP1_redhat_00001.1.el8ea | 0:2.0.41-1.SP1_redhat_00001.1.el8ea |
| redhat/eap7-wildfly | <0:7.3.10-2.GA_redhat_00003.1.el8ea | 0:7.3.10-2.GA_redhat_00003.1.el8ea |
| redhat/eap7-wildfly-elytron | <0:1.10.15-1.Final_redhat_00001.1.el8ea | 0:1.10.15-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-wss4j | <0:2.2.7-1.redhat_00001.1.el8ea | 0:2.2.7-1.redhat_00001.1.el8ea |
| redhat/eap7-xml-security | <0:2.1.7-1.redhat_00001.1.el8ea | 0:2.1.7-1.redhat_00001.1.el8ea |
| redhat/eap7-resteasy | <0:3.15.2-1.Final_redhat_00001.1.el8ea | 0:3.15.2-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-resteasy | <0:3.15.2-1.Final_redhat_00001.1.el7ea | 0:3.15.2-1.Final_redhat_00001.1.el7ea |
| redhat/rh-sso7-keycloak | <0:15.0.4-1.redhat_00001.1.el7 | 0:15.0.4-1.redhat_00001.1.el7 |
| redhat/rh-sso7-keycloak | <0:15.0.4-1.redhat_00001.1.el8 | 0:15.0.4-1.redhat_00001.1.el8 |
| redhat/redhat-sso | <7-sso75-openshift-rhel8 | 7-sso75-openshift-rhel8 |
| redhat/resteasy | <3.11.5. | 3.11.5. |
| redhat/resteasy | <3.15.2. | 3.15.2. |
| redhat/resteasy | <4.5.10. | 4.5.10. |
| redhat/resteasy | <4.6.1. | 4.6.1. |
| redhat/resteasy | <4.6.2. | 4.6.2. |
| Red Hat Resteasy Base JAX-RS API | <=4.6.0 | |
| NetApp OnCommand Insight | ||
| Red Hat Quarkus | <1.13.4 | |
| Oracle Communications Cloud Native Core Console | =1.9.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=1935927
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://issues.redhat.com/browse/RESTEASY-2843
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1935927#c8
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1941544
- https://access.redhat.com/support/policy/updates/jboss_notes
- https://access.redhat.com/errata/RHSA-2021:3700
- https://access.redhat.com/security/cve/cve-2021-20289
- https://access.redhat.com/errata/RHSA-2021:3880
- https://access.redhat.com/errata/RHSA-2021:4100
- https://access.redhat.com/errata/RHSA-2021:4679
- https://access.redhat.com/errata/RHSA-2021:4676
- https://access.redhat.com/errata/RHSA-2021:4677
- https://access.redhat.com/errata/RHSA-2021:4767
- https://access.redhat.com/errata/RHSA-2021:5150
- https://access.redhat.com/errata/RHSA-2021:5151
- https://access.redhat.com/errata/RHSA-2021:5154
- https://access.redhat.com/errata/RHSA-2021:5149
- https://access.redhat.com/errata/RHSA-2021:5170
- https://access.redhat.com/errata/RHSA-2022:0146
- https://access.redhat.com/errata/RHSA-2022:0152
- https://access.redhat.com/errata/RHSA-2022:0151
- https://access.redhat.com/errata/RHSA-2022:0155
- https://access.redhat.com/errata/RHSA-2022:0164
- https://access.redhat.com/errata/RHSA-2022:1179
- https://access.redhat.com/errata/RHSA-2022:6407
- https://www.cve.org/CVERecord?id=CVE-2021-20289 https://nvd.nist.gov/vuln/detail/CVE-2021-20289
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the severity of CVE-2021-20289?
CVE-2021-20289 is classified as a high severity vulnerability.
How do I fix CVE-2021-20289?
To fix CVE-2021-20289, upgrade to a version of RESTEasy equal to or greater than 4.6.1.
Which versions of RESTEasy are affected by CVE-2021-20289?
RESTEasy versions up to and including 4.6.0.Final are affected by CVE-2021-20289.
What type of vulnerability is CVE-2021-20289?
CVE-2021-20289 is an information disclosure vulnerability.
Is CVE-2021-20289 still a threat if I upgrade my software?
If you upgrade to RESTEasy version 4.6.1 or later, CVE-2021-20289 will not pose a threat.
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- agent/references
- agent/remedy
- agent/severity
- agent/weakness
- agent/author
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-20289
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/redhat
- canonical/red hat resteasy base jax-rs api
- version/red hat resteasy base jax-rs api/4.6.0
- vendor/netapp
- canonical/netapp oncommand insight
- vendor/quarkus
- canonical/red hat quarkus
- vendor/oracle
- canonical/oracle communications cloud native core console
- version/oracle communications cloud native core console/1.9.0