CVE-2014-7839 – RESTeasy: External entities expanded by DocumentProvider
https://notcve.org/view.php?id=CVE-2014-7839
DocumentProvider in RESTEasy 2.3.7 and 3.0.9 does not configure the (1) external-general-entities or (2) external-parameter-entities features, which allows remote attackers to conduct XML external entity (XXE) attacks via unspecified vectors. DocumentProvider en RESTEasy 2.3.7 y 3.0.9 no configura las caracteristicas (1) external-general-entities o (2) external-parameter-entities, lo que permite a atacantes remotos realizar ataques de entidad externa XML (XXE) a través de vectores no especificados. It was found that the RESTEasy DocumentProvider did not set the external-parameter-entities and external-general-entities features appropriately, thus allowing external entity expansion. A remote attacker able to send XML requests to a RESTEasy endpoint could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XML eXternal Entity (XXE) attacks. • http://rhn.redhat.com/errata/RHSA-2015-0675.html http://rhn.redhat.com/errata/RHSA-2015-0773.html http://rhn.redhat.com/errata/RHSA-2015-0850.html http://rhn.redhat.com/errata/RHSA-2015-0851.html http://secunia.com/advisories/62580 https://issues.jboss.org/browse/RESTEASY-1130 https://access.redhat.com/security/cve/CVE-2014-7839 https://bugzilla.redhat.com/show_bug.cgi?id=1165328 • CWE-20: Improper Input Validation CWE-611: Improper Restriction of XML External Entity Reference •
CVE-2014-3490 – RESTEasy: XXE via parameter entities
https://notcve.org/view.php?id=CVE-2014-3490
RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0, does not disable external entities when the resteasy.document.expand.entity.references parameter is set to false, which allows remote attackers to read arbitrary files and have other unspecified impact via unspecified vectors, related to an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0818. RESTEasy 2.3.1 anterior a 2.3.8.SP2 y 3.x anterior a 3.0.9, utilizado en Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0, no deshabilita entidades externas cuando el parámetro resteasy.document.expand.entity.references está configurado en falso, lo que permite a atacantes remotos leer ficheros arbitrarios y tener otro impacto no especificado a través de vectores no especificados, relacionado con un problema de entidad externa XML (XXE). NOTA: este vulnerabilidad existe debido a una solución incompleta para el CVE-2012-0818. It was found that the fix for CVE-2012-0818 was incomplete: external parameter entities were not disabled when the resteasy.document.expand.entity.references parameter was set to false. • http://rhn.redhat.com/errata/RHSA-2014-1011.html http://rhn.redhat.com/errata/RHSA-2014-1039.html http://rhn.redhat.com/errata/RHSA-2014-1040.html http://rhn.redhat.com/errata/RHSA-2014-1298.html http://rhn.redhat.com/errata/RHSA-2015-0125.html http://rhn.redhat.com/errata/RHSA-2015-0675.html http://rhn.redhat.com/errata/RHSA-2015-0720.html http://rhn.redhat.com/errata/RHSA-2015-0765.html http://secunia.com/advisories/60019 http://www.oracle.com/technet • CWE-611: Improper Restriction of XML External Entity Reference •
CVE-2011-5245 – RESTEasy: XML eXternal Entity (XXE) flaw
https://notcve.org/view.php?id=CVE-2011-5245
The readFrom function in providers.jaxb.JAXBXmlTypeProvider in RESTEasy before 2.3.2 allows remote attackers to read arbitrary files via an external entity reference in a Java Architecture for XML Binding (JAXB) input, aka an XML external entity (XXE) injection attack, a similar vulnerability to CVE-2012-0818. La función ReadFrom en providers.jaxb.JAXBXmlTypeProvider en RESTEasy anterior a v2.3.2 permite a atacantes remotos leer archivos de su elección a través de una referencia de entidad externa en una entrada Java Architecture for XML Binding (JAXB), también conocido como ataque de inyección XML de entidad externa (XXE), una vulnerabilidad CVE-similar a 2.012-0.818. • http://rhn.redhat.com/errata/RHSA-2012-0441.html http://rhn.redhat.com/errata/RHSA-2012-0519.html http://rhn.redhat.com/errata/RHSA-2012-1056.html http://rhn.redhat.com/errata/RHSA-2012-1057.html http://rhn.redhat.com/errata/RHSA-2012-1058.html http://rhn.redhat.com/errata/RHSA-2012-1059.html http://rhn.redhat.com/errata/RHSA-2012-1125.html http://rhn.redhat.com/errata/RHSA-2014-0371.html http://rhn.redhat.com/errata/RHSA-2014-0372.html http://secuni • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-611: Improper Restriction of XML External Entity Reference •
CVE-2012-0818 – RESTEasy: XML eXternal Entity (XXE) flaw
https://notcve.org/view.php?id=CVE-2012-0818
RESTEasy before 2.3.1 allows remote attackers to read arbitrary files via an external entity reference in a DOM document, aka an XML external entity (XXE) injection attack. RESTEasy anterior a v2.3.1 permite a atacantes remotos leer archivos de su elección a través de una referencia de entidad externa en un documento DOM, también conocido como un ataque de inyección XML de entidad externa (XXE) • http://rhn.redhat.com/errata/RHSA-2012-0441.html http://rhn.redhat.com/errata/RHSA-2012-0519.html http://rhn.redhat.com/errata/RHSA-2012-1056.html http://rhn.redhat.com/errata/RHSA-2012-1057.html http://rhn.redhat.com/errata/RHSA-2012-1058.html http://rhn.redhat.com/errata/RHSA-2012-1059.html http://rhn.redhat.com/errata/RHSA-2012-1125.html http://rhn.redhat.com/errata/RHSA-2014-0371.html http://rhn.redhat.com/errata/RHSA-2014-0372.html http://secuni • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-611: Improper Restriction of XML External Entity Reference •