CVE-2021-20289 — Information Exposure via Error Message in Redhat Resteasy

CWE-209 — Information Exposure via Error Message CWE-668 — Resource Exposure10 documents7 sources

Severity

5.3MEDIUMNVD

EPSS

0.1%

top 74.80%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Quarkus Redhat Resteasy Oracle Communications Cloud Native Core Console

Timeline

PublishedMar 26

Latest updateJul 10

Description

A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. The highest threat from this vulnerability is to data confidentiality.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages5 packages

▶Ubunturedhat/resteasy< 3.0.6-3ubuntu0.1~esm1+3

▶NVDredhat/resteasy4.6.0

▶CVEListV5redhat/resteasyresteasy 3.11.5.Final, resteasy 3.15.2.Final, resteasy 4.5.10.Final, resteasy 4.6.1.Final, resteasy 4.6.2.Final

▶NVDquarkus/quarkus< 1.13.4

▶NVDoracle/communications_cloud_native_core_console1.9.0

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

OSV

resteasy vulnerabilities↗2025-03-13

▶

OSV

Exposure of class information in RESTEasy↗2021-04-07

▶

GHSA

Exposure of class information in RESTEasy↗2021-04-07

▶

CVEList

CVE-2021-20289: A flaw was found in RESTEasy in all versions of RESTEasy up to 4↗2021-03-26

▶

OSV

CVE-2021-20289: A flaw was found in RESTEasy in all versions of RESTEasy up to 4↗2021-03-26

▶

📋Vendor Advisories

Ubuntu

RESTEasy vulnerabilities↗2025-07-10

▶

Ubuntu

RESTEasy vulnerabilities↗2025-03-13

▶

Oracle

Oracle Oracle Communications Risk Matrix: CNC Console (RESTEasy) — CVE-2021-20289↗2022-04-15

▶

Red Hat

resteasy: Error message exposes endpoint class information↗2021-03-03

▶