
CVE-2020-25724: Unsynchronized Access to Shared Data in a Multithreaded Context in RESTEasy

CVSS Score (v3.1): 4.3

Basic Information

EPSS Score: 0.33813%
Published: 6/8/2021
Updated: 2/1/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
org.jboss.resteasy:resteasy-bom | maven | <= 2.0-beta-1 | 2.0-beta-2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper synchronization in HTTP response handling. While no patch is available for analysis, the CWE-567 classification and advisory descriptions point to response object reuse issues. ClientResponse.getEntity() is a prime candidate as it handles the deserialized response content. In vulnerable versions, concurrent access to this method without synchronization could allow response data from one thread to be exposed to another through shared ClientResponse instances. This matches the described information disclosure impact and multithreaded context weakness.

A flaw was found in RESTEasy, where an incorrect response to an HTTP request is provided. This flaw allows an attacker to gain access to privileged information. The highest threat from this vulnerability is to confidentiality and integrity. Versions
