CVE-2017-7561
It was discovered that the CORS Filter did not add an HTTP Vary header indicating that the response varies depending on the request's Origin. This permitted client- and server-side cache poisoning in some circumstances.
Find out more about CVE-2017-7561 from the MITRE CVE dictionary and NIST NVD.
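As an added example (not code from this advisory or from the affected CORS Filter), the following Python check flags the header pattern the description above refers to: a response whose Access-Control-Allow-Origin names a specific origin but which carries no `Vary: Origin`, so a shared or browser cache may hand it to a request from a different origin. The sample responses are constructed for the example.

```python
from typing import Dict, List, Optional

Headers = Dict[str, List[str]]

def parse_response_headers(raw: str) -> Headers:
    """Parse the header block of a raw HTTP/1.1 response into a map of
    lower-cased header name -> list of values (repeated headers are kept)."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def vary_covers_origin(headers: Headers) -> bool:
    """True if the Vary header tells caches to key on the request Origin
    (either 'Origin' is listed or Vary is '*')."""
    tokens = [t.strip().lower()
              for value in headers.get("vary", []) for t in value.split(",")]
    return "origin" in tokens or "*" in tokens

def cors_vary_finding(raw: str) -> Optional[str]:
    """Return a finding for the CVE-2017-7561 pattern, or None if the response
    is fine. A response whose Access-Control-Allow-Origin names a specific
    origin was chosen per request; if a cache stores it without 'Vary: Origin'
    it can be replayed to a page from a different origin."""
    headers = parse_response_headers(raw)
    acao = headers.get("access-control-allow-origin")
    if not acao or acao == ["*"]:
        return None  # no CORS header, or a static wildcard: not origin-dependent
    if vary_covers_origin(headers):
        return None
    return f"Access-Control-Allow-Origin: {acao[0]} sent without 'Vary: Origin'"

# Constructed sample responses (not captured from any real system).
VULNERABLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
    "Access-Control-Allow-Origin: https://app.example.com\r\n"
    "Cache-Control: public, max-age=600\r\n\r\n{}"
)
FIXED_RESPONSE = VULNERABLE_RESPONSE.replace(
    "\r\n\r\n", "\r\nVary: Origin\r\n\r\n", 1)
NO_CORS_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nok"
```

Running `cors_vary_finding` over captured responses from a CORS-enabled endpoint is a quick way to confirm whether a deployed build still exhibits the missing-Vary behaviour after patching.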
CVSS v3 metrics
| CVSS3 Base Score | 5.9 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N |
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity Impact | High |
| Availability Impact | None |
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server (eap7-jboss-ec2-eap) | RHSA-2018:0005 | 2018-01-03 |
| Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server | RHSA-2018:0002 | 2018-01-03 |
| Red Hat JBoss EAP 7 | RHSA-2018:0003 | 2018-01-03 |
| Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server | RHSA-2018:0004 | 2018-01-03 |
| Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server (eap7-jboss-ec2-eap) | RHSA-2018:0005 | 2018-01-03 |
| Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server | RHSA-2018:0480 | 2018-03-12 |
| Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server (eap7-jboss-ec2-eap) | RHSA-2018:0481 | 2018-03-12 |
| Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server (eap7-jboss-ec2-eap) | RHSA-2018:0481 | 2018-03-12 |
| Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server | RHSA-2018:0479 | 2018-03-12 |
| Red Hat JBoss EAP 7 | RHSA-2018:0478 | 2018-03-12 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat Single Sign-On 7 | resteasy | Will not fix |
| Red Hat JBoss Operations Network 3 | resteasy | Not affected |
| Red Hat JBoss Fuse 6 | resteasy | Will not fix |
| Red Hat JBoss Data Virtualization 6 | resteasy | Not affected |
| Red Hat JBoss Data Grid 7 | resteasy | Will not fix |
| Red Hat JBoss A-MQ 6 | resteasy | Will not fix |
