
CVE-2021-20293: Cross-Site Scripting

CVSS Score (v3.1): 6.1

Basic Information

EPSS Score: 0.39092%
Published: 6/15/2021
Updated: 2/1/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name                        Ecosystem   Vulnerable Versions   First Patched Version
org.jboss.resteasy:resteasy-bom     maven       <= 4.6.0.Final        (not listed)
org.jboss.resteasy:resteasy-core    maven       <= 4.6.0.Final        (not listed)

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from how RESTEasy handles unannotated @PathParam values in responses. When a JAX-RS resource method uses @PathParam without @Produces, RESTEasy falls back to the StringTextStar message body writer, which handles text/* media types. The StringTextStar provider's writeTo() method writes the string straight to the output stream without HTML encoding. Because no Content-Type is declared, browsers may interpret the response as text/html, so when an attacker places a malicious payload in a path parameter the missing output encoding lets it execute as script. The missing @Produces annotation together with the unescaped output in StringTextStar.writeTo is what makes the endpoint exploitable.
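As an added illustration (not code from this advisory or from the RESTEasy project), the following hypothetical JAX-RS resource shows the endpoint shape the analysis describes next to two defensive variants; the class name, paths and the escapeHtml helper are assumed for the example.

```java
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

// Hypothetical resource class, constructed for this example.
@Path("/greet")
public class GreetingResource {

    // Vulnerable pattern from the analysis above: no @Produces, and the
    // path parameter is echoed back unchanged. On RESTEasy <= 4.6.0.Final
    // the text/* writer emits the String without encoding and, with no
    // explicit Content-Type, a browser may treat the body as text/html.
    @GET
    @Path("/unsafe/{name}")
    public String unsafe(@PathParam("name") String name) {
        return "Hello " + name;
    }

    // Mitigation 1: declare the media type. Sent as text/plain, the body
    // is never rendered as a document that can execute script.
    @GET
    @Path("/plain/{name}")
    @Produces(MediaType.TEXT_PLAIN)
    public String plain(@PathParam("name") String name) {
        return "Hello " + name;
    }

    // Mitigation 2: if HTML really is the intended output, encode the
    // untrusted value for the HTML context and state the type explicitly.
    @GET
    @Path("/html/{name}")
    @Produces(MediaType.TEXT_HTML)
    public Response html(@PathParam("name") String name) {
        String body = "<p>Hello " + escapeHtml(name) + "</p>";
        return Response.ok(body, MediaType.TEXT_HTML_TYPE).build();
    }

    // Minimal HTML entity encoder (hypothetical helper, not RESTEasy's).
    static String escapeHtml(String s) {
        return s.replace("&", "&amp;")   // ampersand first, so later
                .replace("<", "&lt;")    // replacements are not re-encoded
                .replace(">", "&gt;")
                .replace("\"", "&quot;")
                .replace("'", "&#39;");
    }
}
```

Upgrading past 4.6.0.Final removes the unencoded write in the provider, but declaring @Produces on every method that reflects request data is still the right habit, since it keeps browser content sniffing out of the picture.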


WAF Protection Rules

WAF Rule

A reflected Cross-Site Scripting (XSS) flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final, where it did not properly handle URL encoding when calling @javax.ws.rs.PathParam without any @Produces MediaType. This flaw allows an at
