{
  "threat_severity" : "Moderate",
  "public_date" : "2016-09-01T00:00:00Z",
  "bugzilla" : {
    "description" : "RESTEasy: Use of the default exception handler in RESTEasy can lead to reflected XSS attack",
    "id" : "1372124",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1372124"
  },
  "cvss" : {
    "cvss_base_score" : "4.3",
    "cvss_scoring_vector" : "AV:N/AC:M/Au:N/C:N/I:P/A:N",
    "status" : "draft"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.4",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
    "status" : "draft"
  },
  "cwe" : "CWE-20",
  "details" : [ "Cross-site scripting (XSS) vulnerability in the default exception handler in RESTEasy allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.", "It was found that the default exception handler in RESTEasy did not properly validate user input. An attacker could use this flaw to launch a relected XSS attack." ],
  "statement" : "This issue affects the versions of RESTEasy as shipped with Red Hat Satellite 6. Red Hat Product Security has rated this issue as having a security impact of Moderate. Additionally Red Hat Satellite does not use the default ExceptionMapper, and the custom exception handler does not allow return type of text/html. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.",
  "acknowledgement" : "Red Hat would like to thank Mikhail Egorov (Odin) for reporting this issue.",
  "package_state" : [ {
    "product_name" : "Red Hat BPM Suite 6",
    "fix_state" : "Not affected",
    "package_name" : "Build and Assembly",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Will not fix",
    "package_name" : "resteasy-base",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Virtualization 3",
    "fix_state" : "Under investigation",
    "package_name" : "vdsm-jsonrpc-java",
    "cpe" : "cpe:/a:redhat:enterprise_linux:7::hypervisor"
  }, {
    "product_name" : "Red Hat JBoss BRMS 5",
    "fix_state" : "Will not fix",
    "package_name" : "Security",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:5"
  }, {
    "product_name" : "Red Hat JBoss BRMS 6",
    "fix_state" : "Not affected",
    "package_name" : "Build and Assembly",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Data Grid 6",
    "fix_state" : "Not affected",
    "package_name" : "Build",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:6"
  }, {
    "product_name" : "Red Hat JBoss Data Grid 7",
    "fix_state" : "Affected",
    "package_name" : "resteasy",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:7"
  }, {
    "product_name" : "Red Hat JBoss Data Virtualization 6",
    "fix_state" : "Not affected",
    "package_name" : "Productization",
    "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 5",
    "fix_state" : "Will not fix",
    "package_name" : "jbossas",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:5"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 6",
    "fix_state" : "Not affected",
    "package_name" : "RESTEasy",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "fix_state" : "Affected",
    "package_name" : "REST",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6",
    "fix_state" : "Affected",
    "package_name" : "SwitchYard",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6"
  }, {
    "product_name" : "Red Hat JBoss Fuse Service Works 6",
    "fix_state" : "Not affected",
    "package_name" : "SwitchYard",
    "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6"
  }, {
    "product_name" : "Red Hat JBoss Operations Network 3",
    "fix_state" : "Will not fix",
    "package_name" : "REST",
    "cpe" : "cpe:/a:redhat:jboss_operations_network:3"
  }, {
    "product_name" : "Red Hat JBoss Portal 6",
    "fix_state" : "Not affected",
    "package_name" : "Requirements",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_portal_platform:6"
  }, {
    "product_name" : "Red Hat JBoss SOA Platform 5",
    "fix_state" : "Will not fix",
    "package_name" : "Security",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_soa_platform:5"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Will not fix",
    "package_name" : "Security",
    "cpe" : "cpe:/a:redhat:satellite:6"
  }, {
    "product_name" : "Red Hat Single Sign-On 7",
    "fix_state" : "Not affected",
    "package_name" : "Core",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7"
  }, {
    "product_name" : "Red Hat Subscription Asset Manager",
    "fix_state" : "Under investigation",
    "package_name" : "katello",
    "cpe" : "cpe:/a:rhel_sam:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2016-6347\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-6347" ],
  "name" : "CVE-2016-6347",
  "csaw" : false
}