High severity · NVD Advisory · Published May 19, 2020 · Updated Aug 4, 2024
CVE-2020-1695
Description
A flaw was found in all RESTEasy 3.x.x versions prior to 3.12.0.Final and all 4.x.x versions prior to 4.6.0.Final: improper input validation allows an illegal header to be returned and integrated into the server's response. This may result in header injection, leading to unexpected behavior when the HTTP response is constructed.
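The description above only says that an "illegal header" ends up integrated into the response. The following is an added illustration, not RESTEasy code and not the CVE's actual code path: it shows what makes a header value illegal (a CR/LF sequence in the field value), how a serializer that copies values verbatim lets that value split the response, and the validation a hardened serializer applies before emitting any header. All class, method and header names are assumptions made for the example, and the tainted value is constructed.

```java
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

/** Added example of HTTP header injection (response splitting); not RESTEasy's code. */
public final class HeaderInjectionDemo {

    /** Naive serializer: copies every header value verbatim into the header block. */
    static String serializeUnchecked(int status, Map<String, String> headers, String body) {
        StringBuilder sb = new StringBuilder("HTTP/1.1 ").append(status).append(" OK\r\n");
        headers.forEach((k, v) -> sb.append(k).append(": ").append(v).append("\r\n"));
        sb.append("Content-Length: ")
          .append(body.getBytes(StandardCharsets.UTF_8).length)
          .append("\r\n\r\n");
        return sb.append(body).toString();
    }

    /** Header name must be an RFC 7230 token: 1*tchar. */
    static boolean isLegalHeaderName(String name) {
        return !name.isEmpty() && name.matches("[!#$%&'*+\\-.^_`|~0-9A-Za-z]+");
    }

    /** Field value may not contain CR, LF, NUL, DEL or any control character other than HTAB. */
    static boolean isLegalHeaderValue(String value) {
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '\r' || c == '\n' || c == 0 || c == 0x7f) {
                return false;
            }
            if (c < 0x20 && c != '\t') {
                return false;
            }
        }
        return true;
    }

    /** Hardened serializer: refuses to build the response if any header is illegal. */
    static String serializeChecked(int status, Map<String, String> headers, String body) {
        for (Map.Entry<String, String> h : headers.entrySet()) {
            if (!isLegalHeaderName(h.getKey())) {
                throw new IllegalArgumentException("illegal header name: " + h.getKey());
            }
            if (!isLegalHeaderValue(h.getValue())) {
                throw new IllegalArgumentException("illegal header value for " + h.getKey());
            }
        }
        return serializeUnchecked(status, headers, body);
    }

    public static void main(String[] args) {
        // Constructed attacker-controlled value, e.g. echoed back from a request header
        // or query parameter into a response header without validation.
        String tainted = "en\r\nSet-Cookie: session=attacker\r\n\r\n<html>injected</html>";
        Map<String, String> headers = new LinkedHashMap<>();
        headers.put("Content-Language", tainted);

        // The naive path emits a second Set-Cookie line and a second body the client will trust.
        System.out.println("--- unchecked ---");
        System.out.print(serializeUnchecked(200, headers, "ok"));

        // The hardened path rejects the value before the response is constructed.
        System.out.println("--- checked ---");
        try {
            serializeChecked(200, headers, "ok");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The split happens at serialization time, which is why the description speaks of "unexpected behavior when the HTTP response is constructed": the value is already wrong when it is set, but it does no harm until the framework writes it out unescaped. In a JAX-RS application the same check belongs wherever request-derived data is copied into a response header.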
Affected packages
Versions sourced from the GitHub Security Advisory. Note that the GHSA entry lists only the resteasy-client artifact, while the description above covers RESTEasy 3.x and 4.x as a whole, so check the RESTEasy version of every artifact you ship, not just resteasy-client.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.jboss.resteasy:resteasy-client | Maven | >= 4.0.0, < 4.6.0 | 4.6.0 |
| org.jboss.resteasy:resteasy-client | Maven | >= 3.0.0, < 3.12.0 | 3.12.0 |
Affected products
Patches
88ba8537f2e8 [RESTEASY-2569] backporting fix
3 files changed · +21 −6
resteasy-client-microprofile/src/main/java/org/jboss/resteasy/microprofile/client/header/ClientHeadersRequestFilter.java+1 −1 modified@@ -39,7 +39,7 @@ public void filter(ClientRequestContext requestContext) { Optional<ClientHeaderProvider> handler = ClientHeaderProviders.getProvider(method); handler.ifPresent(h -> h.addHeaders(headers)); - Optional<ClientHeadersFactory> factory = ClientHeaderProviders.getFactory(method.getDeclaringClass()); + Optional<ClientHeadersFactory> factory = ClientHeaderProviders.getFactory(ClientRequestContextUtils.getDeclaringClass(requestContext)); requestContext.getHeaders().forEach( (key, values) -> headers.put(key, castToListOfStrings(values))
resteasy-client-microprofile/src/main/java/org/jboss/resteasy/microprofile/client/utils/ClientRequestContextUtils.java+13 −0 modified@@ -25,6 +25,19 @@ public static Method getMethod(ClientRequestContext requestContext) { return invocation.getClientInvoker().getMethod(); } + /** + * Get {@link Class} for the client call from {@link ClientRequestContext} + * @param requestContext the context + * @return the class + */ + public static Class<?> getDeclaringClass(ClientRequestContext requestContext) { + if(requestContext instanceof ClientRequestContextImpl == false) { + throw new RuntimeException("Failed to get ClientInvocation from request context. Is RestEasy client used underneath?"); + } + ClientInvocation invocation = ((ClientRequestContextImpl)requestContext).getInvocation(); + return invocation.getClientInvoker().getDeclaring(); + } + private ClientRequestContextUtils() { } }
resteasy-client-microprofile/src/test/java/org/jboss/resteasy/microprofile/client/ClientHeadersFactoryCDITest.java+7 −5 modified@@ -36,24 +36,26 @@ static class Worker { @Inject @RestClient - private TestResourceIntf service; + private SubClassResourceIntf service; public String work() { return service.hello("Stefano"); } } @Path("/") - @RegisterRestClient(baseUri="http://localhost:8081") - @RegisterClientHeaders(TestClientHeadersFactory.class) - @ClientHeaderParam(name="IntfHeader", value="intfValue") public interface TestResourceIntf { @Path("hello/{h}") @GET String hello(@PathParam("h") String h); } + @RegisterRestClient(baseUri="http://localhost:8081") + @RegisterClientHeaders(TestClientHeadersFactory.class) + @ClientHeaderParam(name="IntfHeader", value="intfValue") + public interface SubClassResourceIntf extends TestResourceIntf {}; + @Path("/") public static class TestResource { @@ -102,7 +104,7 @@ public Set<Class<?>> getClasses() { public static void init() throws Exception { Weld weld = new Weld(); weld.addBeanClass(Worker.class); - weld.addBeanClass(TestResourceIntf.class); + weld.addBeanClass(SubClassResourceIntf.class); weld.addBeanClass(TestClientHeadersFactory.class); weld.addBeanClass(Counter.class); container = weld.initialize();
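Review bot: the swap from `method.getDeclaringClass()` to `ClientRequestContextUtils.getDeclaringClass(requestContext)` in `ClientHeadersRequestFilter.filter` needs an inline comment saying why: `Method.getDeclaringClass()` yields the interface that declares the method, which for an inherited method is the parent interface, so a `ClientHeadersFactory` registered on the sub-interface the client was built from is not found (the test change to `SubClassResourceIntf extends TestResourceIntf` is the case being fixed), whereas the invoker's declaring class is the registered interface. Also, the new helper throws a `RuntimeException` when the context is not a `ClientRequestContextImpl`, so the filter now fails hard at this point on a non-RESTEasy context; confirm that `getMethod`, called earlier to obtain `method`, applies the same check so the behaviour is consistent, otherwise guard the call.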
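Review bot: `if(requestContext instanceof ClientRequestContextImpl == false)` in the new `ClientRequestContextUtils.getDeclaringClass` should read `if (!(requestContext instanceof ClientRequestContextImpl))`; comparing an `instanceof` result to `false` is unidiomatic and relies on readers knowing that `instanceof` binds tighter than `==`. The bare `RuntimeException` would be better as an `IllegalStateException`, and since the cast-and-get-invocation sequence with the same message is what `getMethod` also does (its tail, `invocation.getClientInvoker().getMethod()`, is visible in the context lines), extract a private `getInvocation(requestContext)` helper so both methods share one check and one error message. The Javadoc ("Get Class for the client call") should also state that this is the interface the invoker was created for, which can differ from `method.getDeclaringClass()` for inherited methods.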
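Review bot: the `@@ -36,24 +36,26 @@` hunk in `ClientHeadersFactoryCDITest` moves `@RegisterRestClient`, `@RegisterClientHeaders` and `@ClientHeaderParam` off `TestResourceIntf` and onto a new `SubClassResourceIntf extends TestResourceIntf`, so the test now exercises only the inherited-interface case and no longer covers annotations placed directly on the interface that declares `hello`; keep a second registered client for `TestResourceIntf` itself so a regression in the non-inherited lookup is still caught. Minor: `public interface SubClassResourceIntf extends TestResourceIntf {};` has a stray semicolon after the closing brace.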
References
- github.com/advisories/GHSA-63cq-ppq8-cw6g (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-1695 (NVD entry)
- bugzilla.redhat.com/show_bug.cgi (Red Hat Bugzilla, vendor confirmation)
- github.com/resteasy/Resteasy/commit/88ba8537f2e8d465c7031d352bf9bb25526ce475 (fix commit)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IJDMT443YZWCBS5NS76XZ7TL3GK7BXHL/ (Fedora package-announce, vendor advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RX22C6I56BJUER76IIPYHGZIWBQIU3CQ/ (Fedora package-announce, vendor advisory)