CVE-2014-3490

Опубликовано: 23 июл. 2014

Источник: redhat

CVSS2: 5

EPSS Низкий

Описание

RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0, does not disable external entities when the resteasy.document.expand.entity.references parameter is set to false, which allows remote attackers to read arbitrary files and have other unspecified impact via unspecified vectors, related to an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0818.

It was found that the fix for CVE-2012-0818 was incomplete: external parameter entities were not disabled when the resteasy.document.expand.entity.references parameter was set to false. A remote attacker able to send XML requests to a RESTEasy endpoint could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.

Затронутые пакеты

Платформа	Пакет	Состояние
Red Hat JBoss BRMS 5	resteasy	Will not fix
Red Hat JBoss Data Grid 6	resteasy	Affected
Red Hat JBoss Enterprise Application Platform 5	resteasy	Will not fix
Red Hat JBoss Enterprise Web Server 1	ewp-5	Will not fix
Red Hat JBoss Enterprise Web Server 1	others	Not affected
Red Hat JBoss Portal 5	resteasy	Will not fix
Red Hat JBoss SOA Platform 5	resteasy	Will not fix
Red Hat Satellite 6	resteasy	Fix deferred
Red Hat Subscription Asset Manager	candlepin	Not affected
Red Hat Subscription Asset Manager	resteasy	Affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-611

https://bugzilla.redhat.com/show_bug.cgi?id=1107901RESTEasy: XXE via parameter entities

EPSS

Процентиль: 89%

0.04646

Низкий

5 Medium

CVSS2

Связанные уязвимости

CVE-2014-3490

nvd

около 11 лет назад

GHSA-qjpq-5pq3-43rr

github

больше 3 лет назад

Incorrect Privilege Assignment in RESTEasy

ELSA-2014-1011

oracle-oval