CVE-2017-7561

HIGH

Red Hat JBoss EAP (RESTEasy 3.0.7.Final-3.0.25.Final) - Server-Side Cache Poisoning of CORS Responses in the JAX-RS Component

Title source: manual

Exploitation Summary

EIP tracks 2 public exploits for CVE-2017-7561. PoCs published by dawetmaster and andikahilmy.

AI-analyzed exploit summary

This repository contains a functional proof-of-concept for CVE-2017-7561, a vulnerability in RESTEasy. The exploit demonstrates the issue through test cases and vulnerable code snippets, specifically targeting validation and resource handling in RESTEasy applications.

Description

RESTEasy, the JAX-RS implementation shipped in Red Hat JBoss EAP, is vulnerable in versions 3.0.7 through before 4.0.0.Beta1 (the 3.0.7 version range in the original advisory text refers to RESTEasy, not to EAP itself; see Products below for the affected EAP releases). The flaw is a server-side cache poisoning of CORS requests in the JAX-RS component: the CWE classification (CWE-346, Origin Validation Error) together with the cache-poisoning description indicates that cached responses could be reused for requests whose Origin differs from the one the response was generated for. Red Hat rated the impact as moderate; the NVD CVSS v3 base score below is 7.5 because the vector assigns high integrity impact with no authentication or user interaction required.
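The following is an added example, not code from RESTEasy or from either PoC repository, that models the bug class the description names: a server-side response cache keyed on the request path alone in front of a handler whose CORS headers depend on the request's Origin. The page does not give RESTEasy's internal cache implementation or the exact change made for RESTEASY-1704, so the handler, the whitelist, the paths and the origins here are all constructed for the demonstration. The vulnerable cache lets whoever requests a path first (any HTTP client can set an arbitrary Origin header) decide which CORS headers every later client receives; the hardened cache keys on the headers the response varies on and advertises that with Vary, which is the generic fix for this class. A differential check compares cached answers against the handler's direct answers per Origin, which is the kind of test a practitioner can run against any cache layer to catch this.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed whitelist for the demo; a real CORS filter would load this from config.
ALLOWED_ORIGINS = {"https://app.example", "https://admin.example"}


@dataclass
class Response:
    status: int
    body: str
    headers: Dict[str, str] = field(default_factory=dict)


def handle_request(path: str, origin: Optional[str]) -> Response:
    """Stand-in for a JAX-RS resource behind a CORS filter (hypothetical, not
    RESTEasy's code): the body is fixed per path, but the CORS headers depend
    on the request's Origin."""
    resp = Response(200, '{"resource": "%s"}' % path,
                    {"Content-Type": "application/json"})
    if origin in ALLOWED_ORIGINS:
        resp.headers["Access-Control-Allow-Origin"] = origin
        resp.headers["Access-Control-Allow-Credentials"] = "true"
    return resp


class PathKeyedCache:
    """Vulnerable pattern: the key is the path alone. Whoever fills a slot
    first chooses the variant (here, the CORS headers) every later client gets."""

    def __init__(self) -> None:
        self.store: Dict[str, Response] = {}

    def get(self, path: str, origin: Optional[str]) -> Response:
        if path not in self.store:
            self.store[path] = handle_request(path, origin)
        return self.store[path]


class VaryKeyedCache:
    """Hardened pattern: the cache key includes every request header the
    response varies on, and the response advertises that with a Vary header.
    For CORS that header is Origin."""

    VARY_HEADERS = ("Origin",)

    def __init__(self) -> None:
        self.store: Dict[Tuple[str, Tuple[Optional[str], ...]], Response] = {}

    def get(self, path: str, origin: Optional[str]) -> Response:
        request_headers = {"Origin": origin}
        key = (path, tuple(request_headers.get(h) for h in self.VARY_HEADERS))
        if key not in self.store:
            resp = handle_request(path, origin)
            resp.headers["Vary"] = ", ".join(self.VARY_HEADERS)
            self.store[key] = resp
        return self.store[key]


def acao_seen_by_victim(cache) -> Optional[str]:
    """Attacker primes the cache from a non-allowed Origin (trivial with any
    HTTP client), then a browser at an allowed origin requests the same path.
    Returns the Access-Control-Allow-Origin value that browser receives, or
    None if the header is missing from the cached response."""
    cache.get("/api/profile", "https://evil.example")
    victim = cache.get("/api/profile", "https://app.example")
    return victim.headers.get("Access-Control-Allow-Origin")


def cache_matches_handler(cache, path: str, origins) -> bool:
    """Differential check: for every Origin, the cached answer must carry the
    same CORS headers the handler produces when asked directly. Any mismatch
    means the cache is serving one origin's variant to another."""
    for origin in origins:
        direct = handle_request(path, origin)
        cached = cache.get(path, origin)
        for h in ("Access-Control-Allow-Origin", "Access-Control-Allow-Credentials"):
            if direct.headers.get(h) != cached.headers.get(h):
                return False
    return True


if __name__ == "__main__":
    origins = ["https://evil.example", "https://app.example", "https://admin.example", None]
    print("path-keyed cache, victim sees ACAO:", acao_seen_by_victim(PathKeyedCache()))
    print("vary-keyed cache, victim sees ACAO:", acao_seen_by_victim(VaryKeyedCache()))
    print("path-keyed consistent:", cache_matches_handler(PathKeyedCache(), "/api/profile", origins))
    print("vary-keyed consistent:", cache_matches_handler(VaryKeyedCache(), "/api/profile", origins))
```

With the path-keyed cache the victim at https://app.example receives no Access-Control-Allow-Origin header at all, because the attacker's request populated the slot; with the Vary-keyed cache each origin gets the response the handler would have produced for it. The same differential check generalises to any other header a response legitimately varies on (Accept, Accept-Language, Authorization): if the cache key does not include it, a client can choose the variant others receive.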

Exploits (2)

nomisec WORKING POC
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2017-7561-Resteasy-vulnerable

This repository contains a functional proof-of-concept for CVE-2017-7561, a vulnerability in RESTEasy. The exploit demonstrates the issue through test cases and vulnerable code snippets, specifically targeting validation and resource handling in RESTEasy applications.

Classification
Working Poc 90%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: RESTEasy (analyzer-reported versions 10.0.0.Final, 10.1.0.Final, 11.0.0.Final; these do not correspond to the affected range 3.0.7.Final - 3.0.25.Final listed under Products, so treat the version claim as unverified)
No auth needed
Prerequisites: Java environment · RESTEasy application deployment
devstral-2 · analyzed Mar 14, 2026
nomisec WORKING POC
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2017-7561-Resteasy-vulnerable

This repository contains a functional exploit PoC for CVE-2017-7561, a vulnerability in RESTEasy. The code includes test cases and resources that demonstrate the vulnerability, specifically targeting validation and CDI (Contexts and Dependency Injection) issues in RESTEasy applications.

Classification
Working Poc 90%
Attack Type
Other
Complexity
Moderate
Reliability
Reliable
Target: RESTEasy (analyzer-reported versions 10.0.0.Final, 10.1.0.Final, 11.0.0.Final; these do not correspond to the affected range 3.0.7.Final - 3.0.25.Final listed under Products, so treat the version claim as unverified)
No auth needed
Prerequisites: RESTEasy application with vulnerable validation and CDI configurations
devstral-2 · analyzed Feb 18, 2026

References (10)

Vendor Advisory (Red Hat): https://access.redhat.com/errata/RHSA-2018:0479
Vendor Advisory (Red Hat): https://access.redhat.com/errata/RHSA-2018:0481
Third Party Advisory, VDB Entry (SecurityFocus BID): http://www.securityfocus.com/bid/100465
Vendor Advisory (Red Hat): https://access.redhat.com/errata/RHSA-2018:0002
Vendor Advisory (Red Hat): https://access.redhat.com/errata/RHSA-2018:0004
Vendor Advisory (Red Hat): https://access.redhat.com/errata/RHSA-2018:0003
Vendor Advisory (Red Hat): https://access.redhat.com/errata/RHSA-2018:0480
Vendor Advisory (Red Hat): https://access.redhat.com/errata/RHSA-2018:0005
Patch, Vendor Advisory (RESTEasy issue tracker): https://issues.jboss.org/browse/RESTEASY-1704
Vendor Advisory (Red Hat): https://access.redhat.com/errata/RHSA-2018:0478

Scores

CVSS v3 7.5
EPSS 0.0107
EPSS Percentile 78.3%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

CWE
CWE-346 CWE-444
Status published
Products (16)
org.jboss.resteasy/resteasy-jaxrs 3.0.7.Final - 3.0.25.Final (Maven)
Red Hat, Inc./resteasy 3.0.7 through before 4.0.0.Beta1
redhat/jboss_enterprise_application_platform 3.0.7
redhat/jboss_enterprise_application_platform 3.0.8
redhat/jboss_enterprise_application_platform 3.1.0
redhat/jboss_enterprise_application_platform 3.1.1
redhat/jboss_enterprise_application_platform 3.1.2
redhat/jboss_enterprise_application_platform 3.1.4
redhat/jboss_enterprise_application_platform 3.1.5
redhat/jboss_enterprise_application_platform 3.2.3
... and 6 more
Published Sep 13, 2017
Tracked Since Feb 18, 2026