Описание
DocumentProvider in RESTEasy 2.3.7 and 3.0.9 does not configure the (1) external-general-entities or (2) external-parameter-entities features, which allows remote attackers to conduct XML external entity (XXE) attacks via unspecified vectors.
It was found that the RESTEasy DocumentProvider did not set the external-parameter-entities and external-general-entities features appropriately, thus allowing external entity expansion. A remote attacker able to send XML requests to a RESTEasy endpoint could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XML eXternal Entity (XXE) attacks.
Отчет
Red Hat Web Framework Kit has moved out of maintenance phase and is no longer supported by Red Hat Product Security. This issue is not currently planned to be addressed in any future updates. For additional information, refer to the Red Hat JBoss Middleware Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 7 | resteasy-base | Affected | ||
| Red Hat JBoss BRMS 5 | resteasy | Will not fix | ||
| Red Hat JBoss Data Virtualization 6 | resteasy | Affected | ||
| Red Hat JBoss Enterprise Application Platform 5 | resteasy | Will not fix | ||
| Red Hat JBoss Enterprise Web Server 1 | ewp-5 | Will not fix | ||
| Red Hat JBoss Fuse Service Works 6 | resteasy | Affected | ||
| Red Hat JBoss Operations Network 3 | resteasy | Affected | ||
| Red Hat JBoss Portal 5 | resteasy | Will not fix | ||
| Red Hat JBoss Portal 6 | resteasy | Affected | ||
| Red Hat JBoss SOA Platform 5 | resteasy | Will not fix |
Показывать по
Дополнительная информация
Статус:
EPSS
5 Medium
CVSS2
Связанные уязвимости
DocumentProvider in RESTEasy 2.3.7 and 3.0.9 does not configure the (1) external-general-entities or (2) external-parameter-entities features, which allows remote attackers to conduct XML external entity (XXE) attacks via unspecified vectors.
DocumentProvider in RESTEasy 2.3.7 and 3.0.9 does not configure the (1) external-general-entities or (2) external-parameter-entities features, which allows remote attackers to conduct XML external entity (XXE) attacks via unspecified vectors.
DocumentProvider in RESTEasy 2.3.7 and 3.0.9 does not configure the (1 ...
EPSS
5 Medium
CVSS2