{"api_version":"1","generated_at":"2026-04-23T00:42:09+00:00","cve":"CVE-2021-20289","urls":{"html":"https://cve.report/CVE-2021-20289","api":"https://cve.report/api/cve/CVE-2021-20289.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-20289","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-20289"},"summary":{"title":"CVE-2021-20289","description":"A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. The highest threat from this vulnerability is to data confidentiality.","state":"PUBLIC","assigner":"secalert@redhat.com","published_at":"2021-03-26 17:15:00","updated_at":"2022-05-10 15:45:00"},"problem_types":["CWE-209"],"metrics":[],"references":[{"url":"https://security.netapp.com/advisory/ntap-20210528-0008/","name":"https://security.netapp.com/advisory/ntap-20210528-0008/","refsource":"CONFIRM","tags":[],"title":"CVE-2021-20289 RESTEasy Vulnerability in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.oracle.com/security-alerts/cpuapr2022.html","name":"https://www.oracle.com/security-alerts/cpuapr2022.html","refsource":"MISC","tags":[],"title":"Oracle Critical Patch Update Advisory - April 2022","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1935927","name":"https://bugzilla.redhat.com/show_bug.cgi?id=1935927","refsource":"MISC","tags":[],"title":"1935927 – (CVE-2021-20289) CVE-2021-20289 resteasy: Error message exposes endpoint class information","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-20289","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-20289","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"20289","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"netapp","cpe5":"oncommand_insight","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"20289","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"communications_cloud_native_core_console","cpe6":"1.9.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"20289","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"quarkus","cpe5":"quarkus","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"20289","vulnerable":"1","versionEndIncluding":"4.6.0","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"resteasy","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-20289","qid":"239885","title":"Red Hat Update for JBoss Enterprise Application Platform 7.4.2 on RHEL 8 (RHSA-2021:4677)"},{"cve":"CVE-2021-20289","qid":"239888","title":"Red Hat Update for JBoss Enterprise Application Platform 7.4.2 on RHEL 7 (RHSA-2021:4676)"},{"cve":"CVE-2021-20289","qid":"239965","title":"Red Hat Update for JBoss Enterprise Application Platform 7.3.10 on RHEL 7 (RHSA-2021:5150)"},{"cve":"CVE-2021-20289","qid":"239966","title":"Red Hat Update for JBoss Enterprise Application Platform 7.3.10 on RHEL 8 (RHSA-2021:5151)"},{"cve":"CVE-2021-20289","qid":"239967","title":"Red Hat Update for JBoss Enterprise Application Platform 7.3.10 on RHEL 6 (RHSA-2021:5149)"},{"cve":"CVE-2021-20289","qid":"980494","title":"Java (maven) Security Update for org.jboss.resteasy:resteasy-core (GHSA-244r-fcj3-ghjq)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2021-20289","ASSIGNER":"secalert@redhat.com","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"n/a","product":{"product_data":[{"product_name":"resteasy","version":{"version_data":[{"version_value":"resteasy 3.11.5.Final, resteasy 3.15.2.Final, resteasy 4.5.10.Final, resteasy 4.6.1.Final, resteasy 4.6.2.Final"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-209"}]}]},"references":{"reference_data":[{"refsource":"MISC","name":"https://bugzilla.redhat.com/show_bug.cgi?id=1935927","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1935927"},{"url":"https://www.oracle.com/security-alerts/cpuapr2022.html","refsource":"MISC","name":"https://www.oracle.com/security-alerts/cpuapr2022.html"}]},"description":{"description_data":[{"lang":"eng","value":"A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. The highest threat from this vulnerability is to data confidentiality."}]}},"nvd":{"publishedDate":"2021-03-26 17:15:00","lastModifiedDate":"2022-05-10 15:45:00","problem_types":["CWE-209"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM"},"exploitabilityScore":3.9,"impactScore":1.4},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:N/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redhat:resteasy:*:*:*:*:*:*:*:*","versionEndIncluding":"4.6.0","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*","versionEndExcluding":"1.13.4","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:communications_cloud_native_core_console:1.9.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"20289","Ordinal":"194330","Title":"CVE-2021-20289","CVE":"CVE-2021-20289","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"20289","Ordinal":"1","NoteData":"A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. The highest threat from this vulnerability is to data confidentiality.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"20289","Ordinal":"2","NoteData":"2021-03-26","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"20289","Ordinal":"3","NoteData":"2021-10-06","Type":"Other","Title":"Modified"}]}}}