CVE-2014-7839

Published: 25/11/2014 Updated: 23/04/2015
CVSS v2 Base Score: 6.4 | Impact Score: 4.9 | Exploitability Score: 10
VMScore: 570
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:P

Vulnerability Summary

DocumentProvider in RESTEasy 2.3.7 and 3.0.9 does not configure the (1) external-general-entities or (2) external-parameter-entities features, which allows remote malicious users to conduct XML external entity (XXE) attacks via unspecified vectors.

Vulnerable Products

redhat resteasy 3.0.9

redhat resteasy 2.3.7

Vendor Advisories

Debian Bug report logs - #770544 resteasy: CVE-2014-7839: External entities expanded by DocumentProvider. Package: src:resteasy; Maintainer for src:resteasy is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Sat, 22 Nov 2014 09:57:01 UT ...
Synopsis: Moderate: Red Hat JBoss Enterprise Application Platform 6.3.3 update. Type/Severity: Security Advisory: Moderate. Topic: Updated packages that provide Red Hat JBoss Enterprise Application Platform 6.3.3 and fix multiple security issues, several bugs, and add various enhancements are now available for Red ...
It was found that the RESTEasy DocumentProvider did not set the external-parameter-entities and external-general-entities features appropriately, thus allowing external entity expansion. A remote attacker able to send XML requests to a RESTEasy endpoint could use this flaw to read files accessible to the user running the application server, and pot ...