RESTEasy / RESTEASY-1704

CVE-2017-7561 resteasy: Vary header not added by CORS filter leading to cache poisoning

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 3.1.4.Final
    • Fix Version/s: 4.0.0.Beta1
    • Component/s: jaxrs
    • Labels: None
    • Steps to Reproduce:

      Enable the CorsFilter using the instructions at [1], then send an HTTP request that carries both a Host header and an Origin header, where the Origin differs from the Host and is a value the CorsFilter is configured to allow. Inspect the response headers: a 'Vary: Origin' header should be present, but is not.

      [1] https://stackoverflow.com/questions/29388937/problems-resteasy-3-09-corsfilter/29390508#29390508

      Description

      CVE-2017-7561 resteasy: Vary header not added by CORS filter leading to cache poisoning
      https://bugzilla.redhat.com/show_bug.cgi?id=1483823

      The CORS Filter did not add an HTTP Vary header to indicate that the response varies with the request's Origin header. Because the Access-Control-Allow-Origin value the filter emits depends on that Origin, a browser or shared cache that is not told to vary on it may store the response produced for one origin and serve it to requests from another. This permitted client and server side cache poisoning in some circumstances.

      Resteasy versions >=3.0.7 are affected because they include the CORS Filter.
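The following is an added example, not RESTEasy's CorsFilter and not code from this issue. It models the condition the description and the reproduction steps describe: a CORS filter that reflects an allowed Origin into Access-Control-Allow-Origin, a shared cache that builds its secondary key from the request headers named in Vary (RFC 7234 section 4.1), and the check from the reproduction steps, which asks whether Origin is listed in the response's Vary header. The allowed origins, the URL and the request and response headers are constructed for the example.

```python
"""Model of the condition behind CVE-2017-7561: a CORS filter that reflects an
allowed Origin into Access-Control-Allow-Origin but omits 'Vary: Origin', sitting
behind a shared cache that keys responses on the URL plus the request headers
named in Vary (RFC 7234, section 4.1). Constructed example, not RESTEasy code."""

# Assumed filter configuration: two origins are allowed, so the filter must echo
# the requesting Origin rather than emit one fixed value.
ALLOWED_ORIGINS = {"https://app.example", "https://admin.example"}


def get_header(headers, name):
    """Case-insensitive header lookup (HTTP field names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def cors_filter(request_headers, response_headers, add_vary):
    """Simplified stand-in for a CORS response filter (not RESTEasy's CorsFilter).

    With add_vary=False it reproduces the defect: the Origin-dependent
    Access-Control-Allow-Origin value is emitted without 'Vary: Origin'.
    """
    origin = get_header(request_headers, "Origin")
    headers = dict(response_headers)
    if origin in ALLOWED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = origin
        if add_vary:
            existing = get_header(headers, "Vary")
            headers["Vary"] = f"{existing}, Origin" if existing else "Origin"
    return headers


def vary_names(headers):
    """Lower-cased set of field names listed in the response's Vary header."""
    vary = get_header(headers, "Vary") or ""
    return {v.strip().lower() for v in vary.split(",") if v.strip()}


def vary_covers_origin(headers):
    """The check from the reproduction steps: does Vary include Origin (or '*')?"""
    names = vary_names(headers)
    return "origin" in names or "*" in names


class SharedCache:
    """Minimal shared cache: one stored response per (method, url, varied headers)."""

    def __init__(self):
        self.store = {}

    def key(self, method, url, request_headers, vary):
        # The secondary key is the value of every request header named in Vary;
        # with no Vary header, every Origin collapses onto the same entry.
        varied = tuple((n, get_header(request_headers, n)) for n in sorted(vary))
        return (method, url, varied)

    def fetch(self, method, url, request_headers, origin_server):
        """Return a cached response when one matches, else fetch and store it."""
        for (m, u, varied), response in self.store.items():
            if (m, u) == (method, url) and all(
                get_header(request_headers, n) == v for n, v in varied
            ):
                return response, True  # cache hit
        response = origin_server(request_headers)
        vary = vary_names(response)
        if "*" not in vary:  # 'Vary: *' means the response must not be reused
            self.store[self.key(method, url, request_headers, vary)] = response
        return response, False


def replay(add_vary):
    """Two allowed origins hit the same URL through one shared cache.

    Returns (Access-Control-Allow-Origin seen by the second origin, cache hit?).
    Without Vary the first origin's value is served to the second, which the
    browser then rejects: the cached entry is poisoned for every other origin.
    """
    cache = SharedCache()

    def origin_server(request_headers):
        base = {"Content-Type": "application/json"}  # constructed sample response
        return cors_filter(request_headers, base, add_vary)

    first = {"Host": "api.example", "Origin": "https://app.example"}
    second = {"Host": "api.example", "Origin": "https://admin.example"}
    cache.fetch("GET", "/api/data", first, origin_server)
    response, hit = cache.fetch("GET", "/api/data", second, origin_server)
    return get_header(response, "Access-Control-Allow-Origin"), hit


if __name__ == "__main__":
    print("without Vary:", replay(add_vary=False))  # ('https://app.example', True)
    print("with Vary:   ", replay(add_vary=True))   # ('https://admin.example', False)
```

When testing a real deployment, apply `vary_covers_origin` to the headers of the response obtained in the reproduction steps; on an affected version it returns False. Note that the fix is only meaningful when the filter reflects more than one allowed origin: a filter that always emits a single fixed Access-Control-Allow-Origin value produces no Origin-dependent response for a cache to confuse.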

              People

              • Assignee: asoldano Alessio Soldano
              • Reporter: jshepher Jason Shepherd
              • Votes: 0
              • Watchers: 2