CVE-2021-20289
MEDIUM
RESTEasy < 4.6.0 - Information Exposure via Error Message
Title source: llmDescription
A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. The highest threat from this vulnerability is to data confidentiality.
References (2)
Core References
Issue Tracking, Third Party Advisory x_refsource_misc
https://bugzilla.redhat.com/show_bug.cgi?id=1935927
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuapr2022.html
Scores
CVSS v3
5.3
EPSS
0.0008
EPSS Percentile
24.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-209
Status
published
Products (5)
netapp/oncommand_insight
oracle/communications_cloud_native_core_console
1.9.0
org.jboss.resteasy/resteasy-core
4.6.0 - 4.6.1 (Maven)
quarkus/quarkus
< 1.13.4
redhat/resteasy
< 4.6.0
Published
Mar 26, 2021
Tracked Since
Feb 18, 2026