CVE-2020-1695 — Improper Input Validation in RESTEasy

Description

A flaw was found in all resteasy 3.x.x versions prior to 3.12.0.Final and all resteasy 4.x.x versions prior to 4.6.0.Final, where an improper input validation results in returning an illegal header that integrates into the server's response. This flaw may result in an injection, which leads to unexpected behavior when the HTTP response is constructed.

How to fix CVE-2020-1695

To remediate CVE-2020-1695, upgrade the affected package to a fixed version below.

—upgrade to 3.0.26-2 or later
—upgrade to 4.6.0 or later

Is CVE-2020-1695 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 3.0.26-2
>= 4.0.0, < 4.6.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-1695
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2020-1695
WEBbugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1695
WEBgithub.com/resteasy/Resteasy/commit/88ba8537f2e8d465c7031d352bf9bb25526ce475