CVE-2016-9606

HIGH

Redhat Resteasy < 3.1.1 - Improper Input Validation

Title source: rule

Description

JBoss RESTEasy before version 3.1.2 could be forced into parsing a request with YamlProvider, resulting in unmarshalling of potentially untrusted data which could allow an attacker to execute arbitrary code with RESTEasy application permissions.

Exploits (2)

nomisec WORKING POC

by dawetmaster · poc

https://github.com/dawetmaster/CVE-2016-9606-Resteasy-vulnerable

View Code ZIP pw:eip

nomisec WORKING POC

by andikahilmy · poc

https://github.com/andikahilmy/CVE-2016-9606-Resteasy-vulnerable

View Code ZIP pw:eip

References (16)

[Third Party Advisory] http://rhn.redhat.com/errata/RHSA-2017-1255.html

[Third Party Advisory] http://rhn.redhat.com/errata/RHSA-2017-1409.html

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/94940

[Third Party Advisory, VDB Entry] http://www.securitytracker.com/id/1038524

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2017:1253

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2017:1254

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2017:1256

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2017:1260

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2017:1410

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2017:1411

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2017:1412

[Broken Link, Third Party Advisory] https://access.redhat.com/errata/RHSA-2017:1675

[Broken Link, Third Party Advisory] https://access.redhat.com/errata/RHSA-2017:1676

[Issue Tracking, Third Party Advisory] https://bugzilla.redhat.com/show_bug.cgi?id=1400644

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2018:2909

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2018:2913

Scores

CVSS v3 8.1

EPSS 0.0226

EPSS Percentile 84.7%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-20

Status published

Products (2)

org.jboss.resteasy/resteasy-bom 0 - 3.1.2.FinalMaven

redhat/resteasy < 3.1.1

Published Mar 09, 2018

Tracked Since Feb 18, 2026