Source: resteasy3.0
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

The following vulnerability was published for resteasy3.0.

CVE-2020-10688[0]:
| A cross-site scripting (XSS) flaw was found in RESTEasy in versions
| before 3.11.1.Final and before 4.5.3.Final, where it did not properly
| handle URL encoding when the RESTEASY003870 exception occurs. An
| attacker could use this flaw to launch a reflected XSS attack.

https://bugzilla.redhat.com/show_bug.cgi?id=1814974
https://github.com/quarkusio/quarkus/issues/7248
https://issues.redhat.com/browse/RESTEASY-2519 (restricted)
https://github.com/resteasy/Resteasy/pull/2320
https://github.com/resteasy/Resteasy/commit/3fe881cf945c06bdb16895fbc73bc620694d2ba7 (4.6.0.Final)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-10688
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10688

Please adjust the affected versions in the BTS as needed.

__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.
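The bug class behind this CVE is a request value reflected unencoded into an error response. The following JAX-RS ExceptionMapper is an added illustration of the defensive pattern, not RESTEasy's own code or the fix in the linked commit; the exception type `ParamConversionException` and its fields are hypothetical stand-ins for the parameter-conversion failure that produces RESTEASY003870.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.ExceptionMapper;
import javax.ws.rs.ext.Provider;

// Hypothetical exception standing in for the parameter-conversion failure
// behind RESTEASY003870; assumed to carry the raw, attacker-controlled value.
class ParamConversionException extends RuntimeException {
    final String paramName;
    final String rawValue;
    ParamConversionException(String paramName, String rawValue) {
        super("Unable to convert parameter");
        this.paramName = paramName;
        this.rawValue = rawValue;
    }
}

@Provider
public class SafeParamErrorMapper implements ExceptionMapper<ParamConversionException> {

    // Vulnerable pattern, kept for comparison: the raw value is concatenated into the
    // body as-is, so any markup in the request is reflected back to the browser.
    static String unsafeMessage(ParamConversionException e) {
        return "value is '" + e.rawValue + "' for " + e.paramName;
    }

    // Hardened: URL-encode the value before echoing it, so '<', '>', quotes and
    // similar characters reach the client as %XX sequences rather than markup.
    static String safeMessage(ParamConversionException e) {
        String encoded = URLEncoder.encode(e.rawValue, StandardCharsets.UTF_8);
        return "value is '" + encoded + "' for " + e.paramName;
    }

    @Override
    public Response toResponse(ParamConversionException e) {
        return Response.status(Response.Status.BAD_REQUEST)
                // text/plain, never text/html, so the body is not interpreted as markup
                .type(MediaType.TEXT_PLAIN_TYPE)
                .entity(safeMessage(e))
                .build();
    }
}
```

Registering the mapper as a provider is what makes it apply; when auditing a deployment, grep error-handling code for the unencoded concatenation pattern shown in `unsafeMessage` and for error responses served as `text/html`.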
