Description
The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. These readers use Apache Abdera Parser which expands XML entities by default which represents a major XXE risk.
The Apache CXF JAX-RS implementation provides a number of Atom MessageBodyReaders. These readers use the Apache Abdera Parser to parse Atom feeds or entries, and this parser expands XML entities by default. It was found that this represents a major XXE risk.
Affected packages
| Platform | Package | Status | Recommendation | Release |
|---|---|---|---|---|
| Red Hat BPM Suite 6 | cxf | Not affected | | |
| Red Hat JBoss BRMS 5 | cxf | Will not fix | | |
| Red Hat JBoss BRMS 6 | cxf | Not affected | | |
| Red Hat JBoss Data Grid 6 | cxf | Not affected | | |
| Red Hat JBoss Data Virtualization 6 | cxf | Not affected | | |
| Red Hat JBoss Enterprise Application Platform 5 | cxf | Under investigation | | |
| Red Hat JBoss Enterprise Application Platform 6 | cxf | Not affected | | |
| Red Hat JBoss Enterprise Application Platform 7 | cxf | Not affected | | |
| Red Hat JBoss Fuse 6 | cxf | Affected | | |
| Red Hat JBoss Fuse Service Works 6.0.0 | cxf | Not affected | | |
Additional information
Status:
EPSS
6.5 Medium
CVSS3
5.8 Medium
CVSS2
Related vulnerabilities
Improper Restriction of XML External Entity Reference in Apache CXF JAX-RS