Severity: 8.1 HIGH
EPSS: 2.3% (top 15.38%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 9; Latest update May 14

Description

JBoss RESTEasy before version 3.1.2 could be forced into parsing a request with YamlProvider, resulting in unmarshalling of potentially untrusted data which could allow an attacker to execute arbitrary code with RESTEasy application permissions.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.2 | Impact: 5.9

Affected Packages (4 packages)

Source | Package | Affected versions
Maven | org.jboss.resteasy:resteasy-bom | < 3.1.2.Final
Debian | resteasy3.0 | < 3.0.26-1+3
NVD | redhat/resteasy | 3.1.1
CVEListV5 | red_hat,_inc./resteasy | 3.1.2, after 3.0.22, after 3.1.2+2

🔴 Vulnerability Details (5)
OSV
JBoss RESTEasy vulnerable to Improper Input Validation (2022-05-14)
GHSA
JBoss RESTEasy vulnerable to Improper Input Validation (2022-05-14)
GHSA
Deserialization of Untrusted Data in org.jboss.resteasy:resteasy-yaml-provider (2022-05-13)
OSV
CVE-2016-9606: JBoss RESTEasy before version 3 (2018-03-09)
CVEList
CVE-2016-9606: JBoss RESTEasy before version 3 (2018-03-09)

📋 Vendor Advisories (3)
Red Hat
resteasy: Unsafe unmarshalling in YamlProvider allows code execution (2018-01-18)
Red Hat
Resteasy: Yaml unmarshalling vulnerable to RCE (2016-12-15)
Debian
CVE-2016-9606: resteasy - JBoss RESTEasy before version 3.1.2 could be forced into parsing a request with ... (2016)

💬 Community (3)
Bugzilla
CVE-2018-1051 resteasy: Unsafe unmarshalling in YamlProvider allows code execution (2018-01-17)
Bugzilla
CVE-2016-9606 Resteasy: Yaml unmarshalling vulnerable to RCE [fedora-all] (2016-12-15)
Bugzilla
CVE-2016-9606 Resteasy: Yaml unmarshalling vulnerable to RCE (2016-12-01)
CVE-2016-9606 (HIGH CVSS 8.1) | JBoss RESTEasy before version 3.1.2 | cvebase.io