CVE-2014-3490

Vulnerability Description

RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0, does not disable external entities when the resteasy.document.expand.entity.references parameter is set to false, which allows remote attackers to read arbitrary files and have other unspecified impact via unspecified vectors, related to an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0818.

CVSS Score

Affected Products

References

• http://rhn.redhat.com/errata/RHSA-2014-1011.htmlThird Party Advisory
• http://rhn.redhat.com/errata/RHSA-2014-1039.htmlThird Party Advisory
• http://rhn.redhat.com/errata/RHSA-2014-1040.htmlThird Party Advisory
• http://rhn.redhat.com/errata/RHSA-2014-1298.htmlThird Party Advisory
• http://rhn.redhat.com/errata/RHSA-2015-0125.htmlThird Party Advisory
• http://rhn.redhat.com/errata/RHSA-2015-0675.htmlThird Party Advisory
• http://rhn.redhat.com/errata/RHSA-2015-0720.htmlThird Party Advisory
• http://rhn.redhat.com/errata/RHSA-2015-0765.htmlThird Party Advisory
• http://secunia.com/advisories/60019Third Party Advisory
• http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.htmlPatchThird Party Advisory
• http://www.securityfocus.com/bid/69058Third Party AdvisoryVDB Entry
• https://github.com/resteasy/Resteasy/pull/521Third Party Advisory
• https://github.com/resteasy/Resteasy/pull/533Third Party Advisory
• https://github.com/ronsigal/Resteasy/commit/9b7d0f574cafdcf3bea5428f3145ab4908fcPatchThird Party Advisory
• http://rhn.redhat.com/errata/RHSA-2014-1011.htmlThird Party Advisory