CVE-2020-10688

NameCVE-2020-10688
DescriptionA cross-site scripting (XSS) flaw was found in RESTEasy in versions before 3.11.1.Final and before 4.5.3.Final, where it did not properly handle URL encoding when the RESTEASY003870 exception occurs. An attacker could use this flaw to launch a reflected XSS attack.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs970328, 1015001

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
resteasy (PTS)jessie3.0.6-2vulnerable
sid3.6.2-2vulnerable
resteasy3.0 (PTS)buster3.0.26-1vulnerable
bullseye3.0.26-2vulnerable
sid, trixie, bookworm3.0.26-6fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
resteasysourcejessie(unfixed)end-of-life
resteasysource(unstable)(unfixed)970328
resteasy3.0source(unstable)3.0.26-41015001

Notes

[bullseye] - resteasy3.0 <no-dsa> (Minor issue)
[buster] - resteasy3.0 <no-dsa> (Minor issue)
https://bugzilla.redhat.com/show_bug.cgi?id=1814974
https://github.com/quarkusio/quarkus/issues/7248
https://issues.redhat.com/browse/RESTEASY-2519 (restricted)
https://github.com/resteasy/Resteasy/pull/2320
https://github.com/resteasy/Resteasy/commit/3fe881cf945c06bdb16895fbc73bc620694d2ba7 (4.6.0.Final)
Search for package or bug name: Reporting problems