CVE-2014-3490

Severity

75%

Complexity

99%

Confidentiality

106%

CWE-611: Improper Restriction of XML External Entity Reference ('XXE')

RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0, does not disable external entities when the resteasy.document.expand.entity.references parameter is set to false, which allows remote attackers to read arbitrary files and have other unspecified impact via unspecified vectors, related to an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0818.

CWE-611: Improper Restriction of XML External Entity Reference ('XXE')

CVSS 2.0 Base Score 7.5. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P).

Overview

Type

Red

First reported 10 years ago

2014-08-19 18:55:00

Last updated 5 years ago

2019-03-21 14:22:00

Affected Software

Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0

6.3.0

Red Hat RESTeasy

RedHat RESTeasy 3.0 beta1

3.0

RedHat RESTeasy 3.0 beta2

3.0

RedHat RESTeasy 3.0 beta3

3.0

RedHat RESTeasy 3.0 beta4

3.0

RedHat RESTeasy 3.0 beta5

3.0

RedHat RESTeasy 3.0 beta6

3.0

RedHat RESTeasy 3.0 release candidate 1

3.0

References

RHSA-2014:1011

Third Party Advisory

RHSA-2014:1039

Third Party Advisory

RHSA-2014:1040

Third Party Advisory

RHSA-2014:1298

Third Party Advisory

RHSA-2015:0125

Third Party Advisory

RHSA-2015:0675

Third Party Advisory

RHSA-2015:0720

Third Party Advisory

RHSA-2015:0765

Third Party Advisory

60019

Third Party Advisory

http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

Patch, Third Party Advisory

69058

Third Party Advisory, VDB Entry

https://github.com/resteasy/Resteasy/pull/521

Third Party Advisory

https://github.com/resteasy/Resteasy/pull/533

Third Party Advisory

https://github.com/ronsigal/Resteasy/commit/9b7d0f574cafdcf3bea5428f3145ab4908fc6d83

Patch, Third Party Advisory

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.