Description
RESTEasy allows remote authenticated users to obtain sensitive information by leveraging "insufficient use of random values" in async jobs.
It was found that there was insufficient use of random values in RESTEasy async jobs. An attacker could use this flaw to steal user data.
Mitigation
Do not enable the Async Jobs Service, as detailed in the section "2.10. RESTEASY ASYNCHRONOUS JOB SERVICE" of the JBoss EAP 7 Developing Web Services Applications documentation: https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/7.0/paged/developing-web-services-applications/chapter-2-developing-jax-rs-web-services
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat BPM Suite 6 | resteasy | Will not fix | | |
| Red Hat Enterprise Linux 7 | resteasy-base | Fix deferred | | |
| Red Hat Enterprise Virtualization 3 | vdsm-jsonrpc-java | Under investigation | | |
| Red Hat JBoss BRMS 5 | Security | Will not fix | | |
| Red Hat JBoss BRMS 6 | resteasy | Will not fix | | |
| Red Hat JBoss Data Grid 6 | Build | Not affected | | |
| Red Hat JBoss Data Grid 7 | resteasy | Affected | | |
| Red Hat JBoss Data Virtualization 6 | resteasy | Will not fix | | |
| Red Hat JBoss Enterprise Application Platform 5 | jbossas | Will not fix | | |
| Red Hat JBoss Enterprise Application Platform 6 | RESTEasy | Will not fix | | |
Additional information
CVSS3: 3.5 Low
CVSS2: 2.1 Low
Related vulnerabilities
Exposure of Sensitive Information to an Unauthorized Actor in RESTEasy