6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-20293

GHSA ID

GHSA-5h26-c766-g93v

EPSS Score

0.39092%

CWE

CWE-79

Published

6/15/2021

Updated

2/1/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-20293

CVE-2021-20293: Cross-Site Scripting

A reflected Cross-Site Scripting (XSS) flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final, where it did not properly handle URL encoding when calling @javax.ws.rs.PathParam without any @Produces MediaType. This flaw allows an attacker to launch a reflected XSS attack. The highest threat from this vulnerability is to data confidentiality and integrity.

(GitHub Advisory)

6.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-20293

GHSA ID

GHSA-5h26-c766-g93v

EPSS Score

0.39092%

CWE

CWE-79

Published

6/15/2021

Updated

2/1/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jboss.resteasy:resteasy-bom	maven	<= 4.6.0.Final
org.jboss.resteasy:resteasy-core	maven	<= 4.6.0.Final

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from RESTEasy's handling of unannotated @PathParam values in responses. When a JAX-RS resource method uses @PathParam without @Produces, RESTEasy defaults to using StringTextStar message body writers which handle text/* media types. The StringTextStar provider's writeTo() method directly writes the string to the output stream without HTML encoding. When attackers inject malicious payloads into path parameters, the lack of output encoding combined with browser interpretation of unspecified Content-Type as text/html enables XSS. The combination of missing @Produces annotation and the unescaped output in StringTextStar.writeTo creates the vulnerability vector.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* r**l**t** *ross-Sit* S*riptin* (XSS) *l*w w*s *oun* in R*ST**sy in *ll v*rsions o* R*ST**sy up to *.*.*.*in*l, w**r* it *i* not prop*rly **n*l* URL *n*o*in* w**n **llin* @j*v*x.ws.rs.P*t*P*r*m wit*out *ny @Pro*u**s M**i*Typ*. T*is *l*w *llows *n *t

Reasoning

T** vuln*r**ility st*ms *rom R*ST**sy's **n*lin* o* un*nnot*t** @P*t*P*r*m v*lu*s in r*spons*s. W**n * J*X-RS r*sour** m*t*o* us*s @P*t*P*r*m wit*out @Pro*u**s, R*ST**sy ****ults to usin* `Strin*T*xtSt*r` m*ss*** *o*y writ*rs w*i** **n*l* t*xt/* m**i

6.1

Basic Information

Concerned about an active attack path?

CVE-2021-20293: Cross-Site Scripting

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI