Description
HornetQ REST is vulnerable to XML External Entity due to insecure configuration of RestEasy
It was discovered that HornetQ REST did not set the resteasy.document.expand.entity.references context parameter to false by default. A HornetQ REST application, which does not explicitly set the required context parameter to false, may be vulnerable to XML External Entity (XXE) attacks. A remote attacker able to send XML requests to a HornetQ REST endpoint could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.
Statement
Not Vulnerable. HornetQ REST is not provided by any Red Hat product.
Mitigation
When using HornetQ REST in an application, add the following snippet to its web.xml file to disable entity expansion in RESTEasy as used by HornetQ REST endpoints:

```xml
<context-param>
    <param-name>resteasy.document.expand.entity.references</param-name>
    <param-value>false</param-value>
</context-param>
```

Note that this setting has precedence over , and will override a contrary setting in an element.
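To verify that a deployment actually carries the mitigation, a small audit script can parse a web.xml and report whether the `resteasy.document.expand.entity.references` context parameter is present and set to `false`. The following Python is an added example, not code from the Red Hat advisory or from the HornetQ or RESTEasy projects; the two web.xml documents embedded in it are constructed samples, and the function names `entity_expansion_setting` and `is_mitigated` are the example's own.

```python
"""Audit a web.xml for the RESTEasy entity-expansion context parameter.

Added example (not from the advisory): reports whether
resteasy.document.expand.entity.references is set to "false" as a
<context-param>, which is the mitigation described for HornetQ REST.
"""
import xml.etree.ElementTree as ET

PARAM = "resteasy.document.expand.entity.references"

# Constructed sample: a descriptor that omits the mitigation entirely.
WEB_XML_UNSAFE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <context-param>
    <param-name>resteasy.scan</param-name>
    <param-value>true</param-value>
  </context-param>
</web-app>
"""

# Constructed sample: the same descriptor with the advisory's snippet added.
WEB_XML_SAFE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <context-param>
    <param-name>resteasy.scan</param-name>
    <param-value>true</param-value>
  </context-param>
  <context-param>
    <param-name>resteasy.document.expand.entity.references</param-name>
    <param-value>false</param-value>
  </context-param>
</web-app>
"""


def _local(tag):
    """Strip a namespace prefix so descriptors with or without xmlns both work."""
    return tag.rsplit("}", 1)[-1]


def entity_expansion_setting(web_xml_text):
    """Return the value of the context-param, or None if it is not declared."""
    root = ET.fromstring(web_xml_text)
    for element in root.iter():
        if _local(element.tag) != "context-param":
            continue
        name = value = None
        for child in element:
            if _local(child.tag) == "param-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "param-value":
                value = (child.text or "").strip()
        if name == PARAM:
            return value
    return None


def is_mitigated(web_xml_text):
    """True only when the parameter is explicitly declared with the value "false"."""
    return entity_expansion_setting(web_xml_text) == "false"


if __name__ == "__main__":
    for label, text in (("unsafe", WEB_XML_UNSAFE), ("safe", WEB_XML_SAFE)):
        print(label, "->", "mitigated" if is_mitigated(text) else "NOT mitigated")
```

The check deliberately treats an absent parameter the same as a wrong value: the advisory's point is that the default is unsafe, so only an explicit `false` counts as mitigated.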
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat JBoss Enterprise Web Server 1 | all | Not affected | | |
| Red Hat Satellite 6 | hornetq | Not affected | | |
Additional information
Status:
4.3 Medium
CVSS2
Related vulnerabilities
HornetQ REST is vulnerable to XML External Entity due to insecure configuration of RestEasy
HornetQ REST vulnerable to Improper Restriction of XML External Entity Reference
4.3 Medium
CVSS2