Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1xanBxLTVwcTMtNDNycs4AAT1O

Incorrect Privilege Assignment in RESTEasy

RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0, does not disable external entities when the resteasy.document.expand.entity.references parameter is set to false, which allows remote attackers to read arbitrary files and have other unspecified impact via unspecified vectors, related to an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0818.

Permalink: https://github.com/advisories/GHSA-qjpq-5pq3-43rr
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xanBxLTVwcTMtNDNycs4AAT1O
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: about 1 year ago
Identifiers: GHSA-qjpq-5pq3-43rr, CVE-2014-3490
References: Repository: https://github.com/resteasy/Resteasy
Blast Radius: 0.0

Affected Packages

maven:org.jboss.resteasy:resteasy-client
Dependent packages: 721
Dependent repositories: 6,292
Affected Version Ranges: >= 3.0.0, <= 3.0.8.Final, >= 2.3.1, <= 2.3.8.SP1
Fixed in: 3.0.9.Final, 2.3.8.SP2