CVE-2020-1695

NameCVE-2020-1695
DescriptionA flaw was found in all resteasy 3.x.x versions prior to 3.12.0.Final and all resteasy 4.x.x versions prior to 4.6.0.Final, where an improper input validation results in returning an illegal header that integrates into the server's response. This flaw may result in an injection, which leads to unexpected behavior when the HTTP response is constructed.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1034804

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
resteasy (PTS)jessie3.0.6-2vulnerable
sid3.6.2-2vulnerable
resteasy3.0 (PTS)buster3.0.26-1vulnerable
bullseye3.0.26-2fixed
sid, trixie, bookworm3.0.26-6fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
resteasysourcejessie(unfixed)end-of-life
resteasysource(unstable)(unfixed)1034804
resteasy3.0source(unstable)3.0.26-2

Notes

[buster] - resteasy3.0 <no-dsa> (Minor issue)
https://bugzilla.redhat.com/show_bug.cgi?id=1730462
https://github.com/resteasy/Resteasy/commit/acf15f2a8067f7e4cf5838342cecfa0b78a174fb
Search for package or bug name: Reporting problems