The JAX-RS module in Apache CXF before 3.0.12 and 3.1.x before 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. These readers use Apache Abdera Parser which expands XML entities by default which represents a major XXE risk.
| Vulnerable Product | Search on Vulmon | Subscribe to Product |
|---|---|---|
apache cxf 3.1.4 |
||
apache cxf 3.1.3 |
||
apache cxf 3.1.1 |
||
apache cxf 3.1.2 |
||
apache cxf 3.1.6 |
||
apache cxf 3.1.0 |
||
apache cxf |
||
apache cxf 3.1.5 |
||
apache cxf 3.1.7 |
||
apache cxf 3.1.8 |
Vulmon