CVE-2020-1695

A flaw was found in all resteasy 3.x.x versions prior to 3.12.0.Final and all resteasy 4.x.x versions prior to 4.6.0.Final, where an improper input validation results in returning an illegal header that integrates into the server's response. This flaw may result in an injection, which leads to unexpected behavior when the HTTP response is constructed.

Published: May 19, 2020
Updated: Nov 8, 2023
CVE: CVE-2020-1695
GHSA: GHSA-63cq-ppq8-cw6g
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:P/A:N

CWEs:

CWE-20

Affected Software
References

Software	From	Fixed in
redhat / resteasy	3.0.0	3.12.0
redhat / resteasy	4.0.0	4.6.0
fedoraproject / fedora	32	32.x
fedoraproject / fedora	33	33.x
org.jboss.resteasy / resteasy-client	4.0.0	4.6.0
org.jboss.resteasy / resteasy-client	3.0.0	3.12.0

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1695
https://github.com/resteasy/Resteasy/commit/88ba8537f2e8d465c7031d352bf9bb25526ce475
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IJDMT443YZWCBS5NS76XZ7TL3GK7BXHL/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RX22C6I56BJUER76IIPYHGZIWBQIU3CQ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IJDMT443YZWCBS5NS76XZ7TL3GK7BXHL/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RX22C6I56BJUER76IIPYHGZIWBQIU3CQ/

Vulnerability Database

CVE-2020-1695