CVE-2021-20293: Cross-Site Scripting
CVSS Score: 6.1 (CVSS v3.1)
Basic Information
CVE ID: CVE-2021-20293
GHSA ID:
EPSS Score: 0.39092%
CWE:
Published: 6/15/2021
Updated: 2/1/2023
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
---|---|---|---
org.jboss.resteasy:resteasy-bom | maven | <= 4.6.0.Final |
org.jboss.resteasy:resteasy-core | maven | <= 4.6.0.Final |
Vulnerability Intelligence (Miggo AI)
Root Cause Analysis
The vulnerability stems from RESTEasy's handling of @PathParam values that are echoed back in responses from resource methods with no declared media type. When a JAX-RS resource method uses @PathParam but carries no @Produces annotation, RESTEasy falls back to the StringTextStar message body writer, which handles text/* media types. StringTextStar's writeTo() method copies the string to the output stream as-is, without HTML encoding. When attackers inject malicious payloads into path parameters, the missing output encoding, combined with the browser interpreting a response with no specific Content-Type as text/html, enables XSS. The missing @Produces annotation together with the unescaped output in StringTextStar.writeTo() forms the vulnerability vector.
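The resource pattern described above, shown next to two mitigated forms, as an added illustration that is not code from the advisory or from RESTEasy itself; it assumes the javax.ws.rs JAX-RS 2.x API that RESTEasy 4.x implements, and the class, paths and htmlEscape helper are hypothetical names chosen for the example.

```java
// Added illustration, not advisory or RESTEasy code; assumes javax.ws.rs (JAX-RS 2.x).
import javax.ws.rs.*;
import javax.ws.rs.core.*;

@Path("/greet")
public class GreetingResource {

    // The pattern from the root-cause analysis: a String return value with no
    // @Produces. RESTEasy selects the StringTextStar writer, which copies the
    // string out unencoded, and a browser may treat the body as text/html.
    @GET
    @Path("/unsafe/{name}")
    public String unsafe(@PathParam("name") String name) {
        return "Hello, " + name;
    }

    // Mitigation 1: pin the media type. With an explicit text/plain Content-Type
    // the browser shows the path segment literally instead of rendering it.
    @GET
    @Path("/plain/{name}")
    @Produces(MediaType.TEXT_PLAIN)
    public String plain(@PathParam("name") String name) {
        return "Hello, " + name;
    }

    // Mitigation 2: when HTML really is the intended output, declare it and
    // HTML-encode the untrusted value before it is placed in the body.
    @GET
    @Path("/html/{name}")
    @Produces(MediaType.TEXT_HTML)
    public Response html(@PathParam("name") String name) {
        String body = "<p>Hello, " + htmlEscape(name) + "</p>";
        return Response.ok(body).build();
    }

    // Minimal entity encoder for HTML text content (hypothetical helper); a
    // maintained encoder library is the better choice in a real project.
    static String htmlEscape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#x27;");
    }
}
```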