CVE-2020-14326 — RESTEasy 4.5.5.Final in hash flooding

Description

A vulnerability was found in RESTEasy, where RootNode incorrectly caches routes. This issue results in hash flooding, leading to slower requests with higher CPU time spent searching and adding the entry. This flaw allows an attacker to cause a denial of service.

How to fix CVE-2020-14326

To remediate CVE-2020-14326, upgrade the affected package to a fixed version below.

—upgrade to 4.5.6.Final or later

Is CVE-2020-14326 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 4.5.6.Final

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-14326
PATCHgithub.com/resteasy/Resteasy
WEBbugzilla.redhat.com/show_bug.cgi?id=1855826
WEBgithub.com/resteasy/Resteasy/pull/2471
WEBsecurity.netapp.com