Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1xanBxLTVwcTMtNDNycs4AAT1O
Incorrect Privilege Assignment in RESTEasy
RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0, does not disable external entities when the resteasy.document.expand.entity.references parameter is set to false, which allows remote attackers to read arbitrary files and have other unspecified impact via unspecified vectors, related to an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0818.
Permalink: https://github.com/advisories/GHSA-qjpq-5pq3-43rr
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xanBxLTVwcTMtNDNycs4AAT1O
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: about 1 year ago
Identifiers: GHSA-qjpq-5pq3-43rr, CVE-2014-3490
References:
- https://nvd.nist.gov/vuln/detail/CVE-2014-3490
- https://github.com/resteasy/Resteasy/pull/521
- https://github.com/resteasy/Resteasy/pull/533
- https://github.com/ronsigal/Resteasy/commit/9b7d0f574cafdcf3bea5428f3145ab4908fc6d83
- http://rhn.redhat.com/errata/RHSA-2014-1011.html
- http://rhn.redhat.com/errata/RHSA-2014-1039.html
- http://rhn.redhat.com/errata/RHSA-2014-1040.html
- http://rhn.redhat.com/errata/RHSA-2014-1298.html
- http://rhn.redhat.com/errata/RHSA-2015-0125.html
- http://rhn.redhat.com/errata/RHSA-2015-0675.html
- http://rhn.redhat.com/errata/RHSA-2015-0720.html
- http://rhn.redhat.com/errata/RHSA-2015-0765.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
- https://github.com/advisories/GHSA-qjpq-5pq3-43rr
Blast Radius: 0.0
Affected Packages
maven:org.jboss.resteasy:resteasy-client
Dependent packages: 721
Dependent repositories: 6,292
Affected Version Ranges: >= 3.0.0, <= 3.0.8.Final, >= 2.3.1, <= 2.3.8.SP1
Fixed in: 3.0.9.Final, 2.3.8.SP2