Candidate: CVE-2018-1051
PublicDate: 2018-01-25 20:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1051
 https://bugzilla.redhat.com/show_bug.cgi?id=1535411
Description:
 It was found that the fix for CVE-2016-9606 in versions 3.0.22 and 3.1.2 was
 incomplete and Yaml unmarshalling in Resteasy is still possible via
 `Yaml.load()` in YamlProvider.
Ubuntu-Description:
Notes:
 msalvatore> Incomplete fix for CVE-2016-9606 not applied. That fix just disables
 msalvatore> the YamlProvider by default. There is no fix for this issue
 msalvatore> other than to mitigate it by requiring authentication and authorization
 msalvatore> on endpoints expecting YAML input.
Bugs:
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H [8.1 HIGH]

Patches_resteasy:
upstream_resteasy: released (3.1.4-1)
precise/esm_resteasy: DNE
trusty_resteasy: DNE
trusty/esm_resteasy: DNE
xenial_resteasy: ignored (end of standard support, was needed)
artful_resteasy: ignored (reached end-of-life)
bionic_resteasy: DNE
cosmic_resteasy: DNE
disco_resteasy: ignored (reached end-of-life)
eoan_resteasy: not-affected (3.6.2-2)
focal_resteasy: not-affected (3.6.2-2)
groovy_resteasy: not-affected (3.6.2-2)
hirsute_resteasy: not-affected (3.6.2-2)
impish_resteasy: not-affected (3.6.2-2)
jammy_resteasy: not-affected (3.6.2-2)
devel_resteasy: not-affected (3.6.2-2)

Patches_resteasy3.0:
upstream_resteasy3.0: released (3.0.26-1)
precise/esm_resteasy3.0: DNE
trusty_resteasy3.0: DNE
trusty/esm_resteasy3.0: DNE
xenial_resteasy3.0: DNE
artful_resteasy3.0: DNE
bionic_resteasy3.0: not-affected (3.0.26-1)
cosmic_resteasy3.0: ignored (reached end-of-life)
disco_resteasy3.0: ignored (reached end-of-life)
eoan_resteasy3.0: not-affected (3.0.26-1)
focal_resteasy3.0: not-affected (3.0.26-1)
groovy_resteasy3.0: not-affected (3.0.26-1)
hirsute_resteasy3.0: not-affected (3.0.26-1)
impish_resteasy3.0: not-affected (3.0.26-1)
jammy_resteasy3.0: not-affected (3.0.26-1)
devel_resteasy3.0: not-affected (3.0.26-1)
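The description names the unsafe pattern (`Yaml.load()` on request bodies in a YAML MessageBodyReader) and the notes name the only mitigation available (authentication and authorization on endpoints that accept YAML). The following is an added example written for this entry; it is not RESTEasy's YamlProvider nor any code from the tracker. It assumes the JAX-RS 2.x `javax.ws.rs` API and the SnakeYAML 1.x API (`new Yaml()` resolves `!!fully.qualified.Class` tags and instantiates them; `new Yaml(new SafeConstructor())` only builds maps, lists and scalars). The class names `SafeYamlProvider` and `YamlRequiresAuthFilter` and the sample documents in `main` are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.lang.annotation.Annotation;
import java.lang.reflect.Type;
import java.nio.charset.StandardCharsets;
import java.util.Map;

import javax.ws.rs.Consumes;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.MessageBodyReader;
import javax.ws.rs.ext.Provider;

import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

/**
 * Hypothetical YAML MessageBodyReader (assumed name; not RESTEasy's YamlProvider).
 * SnakeYAML 1.x is assumed: new Yaml() honours "!!some.Class" tags and constructs
 * the named class, which is the unsafe Yaml.load() shape the advisory describes.
 */
@Provider
@Consumes({"text/x-yaml", "text/yaml", "application/x-yaml"})
public class SafeYamlProvider implements MessageBodyReader<Object> {

    // The unsafe shape, kept only for comparison: the document chooses which class is built.
    static Object unsafeLoad(InputStream in) {
        return new Yaml().load(in);
    }

    // The hardened shape: SafeConstructor rejects every non-standard tag with ConstructorException.
    private final Yaml safeYaml = new Yaml(new SafeConstructor());

    @Override
    public boolean isReadable(Class<?> type, Type genericType, Annotation[] annotations, MediaType mediaType) {
        // Only hand back plain containers; binding to beans would need a full Constructor again.
        return type == Object.class || Map.class.isAssignableFrom(type);
    }

    @Override
    public Object readFrom(Class<Object> type, Type genericType, Annotation[] annotations,
                           MediaType mediaType, MultivaluedMap<String, String> httpHeaders,
                           InputStream entityStream) throws IOException, WebApplicationException {
        try {
            return safeYaml.load(entityStream);
        } catch (YAMLException e) {
            // ConstructorException (a YAMLException) for "!!java.*" tags ends here as a 400, not an instance.
            throw new WebApplicationException(e, Response.Status.BAD_REQUEST);
        }
    }

    /**
     * Hypothetical filter for the mitigation in the notes: YAML request bodies are only
     * accepted from authenticated callers. Assumes an upstream auth mechanism has populated
     * SecurityContext; per-endpoint authorization is still a separate check.
     */
    @Provider
    public static class YamlRequiresAuthFilter implements ContainerRequestFilter {
        @Override
        public void filter(ContainerRequestContext ctx) {
            MediaType mt = ctx.getMediaType();
            boolean isYaml = mt != null && mt.getSubtype().toLowerCase().contains("yaml");
            if (isYaml && ctx.getSecurityContext().getUserPrincipal() == null) {
                ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
            }
        }
    }

    // Constructed sample documents (not from the advisory): a benign map and a class-tagged one.
    public static void main(String[] args) throws IOException {
        SafeYamlProvider p = new SafeYamlProvider();
        MediaType yaml = MediaType.valueOf("application/x-yaml");
        InputStream benign = new ByteArrayInputStream("name: demo\nretries: 3\n".getBytes(StandardCharsets.UTF_8));
        System.out.println("benign -> " + p.readFrom(Object.class, Object.class, new Annotation[0], yaml, null, benign));
        // java.net.URL is harmless, but the tag is the same mechanism that lets a caller
        // name any class on the classpath; the safe reader refuses it instead of building it.
        InputStream tagged = new ByteArrayInputStream(
                "!!java.net.URL [\"https://example.invalid/\"]\n".getBytes(StandardCharsets.UTF_8));
        try {
            p.readFrom(Object.class, Object.class, new Annotation[0], yaml, null, tagged);
        } catch (WebApplicationException e) {
            System.out.println("tagged -> rejected with HTTP " + e.getResponse().getStatus());
        }
    }
}
```

The reader and the filter are independent layers: `SafeConstructor` removes the class-instantiation primitive from the parser, while the filter implements the tracker's own advice of not letting unauthenticated callers reach a YAML-consuming endpoint at all. Registering only the filter leaves an authenticated user with the full `Yaml.load()` capability, which is why the note calls it a mitigation rather than a fix.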