Upstream information
CVE-2020-1695 at MITRE
Description
A flaw was found in all resteasy 3.x.x versions prior to 3.12.0.Final and all resteasy 4.x.x versions prior to 4.6.0.Final, where an improper input validation results in returning an illegal header that integrates into the server's response. This flaw may result in an injection, which leads to unexpected behavior when the HTTP response is constructed.
Overall state of this security issue: Does not affect SUSE products
This issue is currently rated as having important severity.
CVSS v2 Scores
| Metric | National Vulnerability Database |
|---|---|
| Base Score | 5 |
| Vector | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| Access Vector | Network |
| Access Complexity | Low |
| Authentication | None |
| Confidentiality Impact | None |
| Integrity Impact | Partial |
| Availability Impact | None |
CVSS v3 Scores
| Metric | National Vulnerability Database |
|---|---|
| Base Score | 7.5 |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality Impact | None |
| Integrity Impact | High |
| Availability Impact | None |
| CVSSv3 Version | 3.1 |
SUSE Bugzilla entry: 1172141 [NEW]
No SUSE Security Announcements cross referenced.
List of released packages
| Product(s) | Fixed package version(s) | References |
|---|---|---|
| SUSE Liberty Linux 8 | apache-commons-collections >= 3.2.2-10.module+el8.1.0+3366+6dfb954c | Patchnames: RHSA-2021:1775 |
| | apache-commons-lang >= 2.6-21.module+el8.1.0+3366+6dfb954c | |
| | apache-commons-net >= 3.6-3.module+el8.3.0+6805+72837426 | |
| | bea-stax-api >= 1.2.0-16.module+el8.1.0+3366+6dfb954c | |
| | glassfish-fastinfoset >= 1.2.13-9.module+el8.1.0+3366+6dfb954c | |
| | glassfish-jaxb-api >= 2.2.12-8.module+el8.1.0+3366+6dfb954c | |
| | glassfish-jaxb-core >= 2.2.11-11.module+el8.1.0+3366+6dfb954c | |
| | glassfish-jaxb-runtime >= 2.2.11-11.module+el8.1.0+3366+6dfb954c | |
| | glassfish-jaxb-txw2 >= 2.2.11-11.module+el8.1.0+3366+6dfb954c | |
| | jackson-annotations >= 2.10.0-1.module+el8.2.0+5059+3eb3af25 | |
| | jackson-core >= 2.10.0-1.module+el8.2.0+5059+3eb3af25 | |
| | jackson-databind >= 2.10.0-1.module+el8.2.0+5059+3eb3af25 | |
| | jackson-jaxrs-json-provider >= 2.9.9-1.module+el8.1.0+3832+9784644d | |
| | jackson-jaxrs-providers >= 2.9.9-1.module+el8.1.0+3832+9784644d | |
| | jackson-module-jaxb-annotations >= 2.7.6-4.module+el8.1.0+3366+6dfb954c | |
| | jakarta-commons-httpclient >= 3.1-28.module+el8.1.0+3366+6dfb954c | |
| | javassist >= 3.18.1-8.module+el8.1.0+3366+6dfb954c | |
| | javassist-javadoc >= 3.18.1-8.module+el8.1.0+3366+6dfb954c | |
| | jss >= 4.8.1-2.module+el8.4.0+10451+3e5b5448 | |
| | jss-javadoc >= 4.8.1-2.module+el8.4.0+10451+3e5b5448 | |
| | ldapjdk >= 4.22.0-1.module+el8.3.0+6784+6e1e4c62 | |
| | ldapjdk-javadoc >= 4.22.0-1.module+el8.3.0+6784+6e1e4c62 | |
| | pki-acme >= 10.10.5-2.module+el8.4.0+10466+9830f79e | |
| | pki-base >= 10.10.5-2.module+el8.4.0+10466+9830f79e | |
| | pki-base-java >= 10.10.5-2.module+el8.4.0+10466+9830f79e | |
| | pki-ca >= 10.10.5-2.module+el8.4.0+10466+9830f79e | |
| | pki-kra >= 10.10.5-2.module+el8.4.0+10466+9830f79e | |
| | pki-server >= 10.10.5-2.module+el8.4.0+10466+9830f79e | |
| | pki-servlet-4.0-api >= 9.0.30-1.module+el8.3.0+6730+8f9c6254 | |
| | pki-servlet-engine >= 9.0.30-1.module+el8.3.0+6730+8f9c6254 | |
| | pki-symkey >= 10.10.5-2.module+el8.4.0+10466+9830f79e | |
| | pki-tools >= 10.10.5-2.module+el8.4.0+10466+9830f79e | |
| | python-nss-doc >= 1.0.1-10.module+el8.1.0+3366+6dfb954c | |
| | python3-nss >= 1.0.1-10.module+el8.1.0+3366+6dfb954c | |
| | python3-pki >= 10.10.5-2.module+el8.4.0+10466+9830f79e | |
| | relaxngDatatype >= 2011.1-7.module+el8.1.0+3366+6dfb954c | |
| | resteasy >= 3.0.26-6.module+el8.4.0+8891+bb8828ef | |
| | slf4j >= 1.7.25-4.module+el8.1.0+3366+6dfb954c | |
| | slf4j-jdk14 >= 1.7.25-4.module+el8.1.0+3366+6dfb954c | |
| | stax-ex >= 1.7.7-8.module+el8.2.0+5723+4574fbff | |
| | tomcatjss >= 7.6.1-1.module+el8.4.0+8778+d07929ff | |
| | velocity >= 1.7-24.module+el8.1.0+3366+6dfb954c | |
| | xalan-j2 >= 2.7.1-38.module+el8.1.0+3366+6dfb954c | |
| | xerces-j2 >= 2.11.0-34.module+el8.1.0+3366+6dfb954c | |
| | xml-commons-apis >= 1.4.01-25.module+el8.1.0+3366+6dfb954c | |
| | xml-commons-resolver >= 1.2-26.module+el8.1.0+3366+6dfb954c | |
| | xmlstreambuffer >= 1.5.4-8.module+el8.2.0+5723+4574fbff | |
| | xsom >= 0-19.20110809svn.module+el8.1.0+3366+6dfb954c | |
SUSE Timeline for this CVE
CVE page created: Wed Apr 15 07:54:16 2020
CVE page last modified: Mon Oct 30 18:06:46 2023