XML External Entity Reference in RESTEasy

CVE-2014-7839 → View on GitHub ↗ View on CVE.org ↗ View on NVD ↗

Description

DocumentProvider in RESTEasy 2.3.7 and 3.0.9 does not configure the (1) external-general-entities or (2) external-parameter-entities features, which allows remote attackers to conduct XML external entity (XXE) attacks via unspecified vectors.

Basic information

Type: reviewed
Severity: medium
Advisory on GitHub: Open advisory ↗
Repository advisory: —
Source code: Browse source ↗
Published (advisory): 2022-05-17 04:13:50 UTC
Updated: 2023-01-27 05:02:23 UTC
GitHub reviewed: 2022-06-17 01:12:47 UTC
NVD published: 2014-11-25

EPSS Score

Score	Percentile
1.26%	78.81%

CVSS Scores

No CVSS scores in this advisory.

Identifiers

Type	Value
GHSA	GHSA-pc54-pchm-xcw6 ↗
CVE	CVE-2014-7839 ↗

CWEs

CWE id	Name
CWE-20	Improper Input Validation
CWE-611	Improper Restriction of XML External Entity Reference

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem	Package	Vulnerable range	First patched	Vulnerable functions
maven	org.jboss.resteasy:resteasy-jaxrs	<= 3.0.10.Final	3.0.11.Final	—

References

cvelogic Threat Intelligence