CVSS: 9.8EPSS: 1%CPEs: 10EXPL: 1CVE-2014-2228
https://notcve.org/view.php?id=CVE-2014-2228
The XStream extension in HP Fortify SCA before 2.2 RC3 allows remote attackers to execute arbitrary code via unsafe deserialization of XML messages. La extensión XStream en HP Fortify SCA versiones anteriores a 2.2 RC3, permite a atacantes remotos ejecutar código arbitrario por medio de una deserialización no segura de mensajes XML. • https://web.archive.org/web/20140425095352/http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Remote-code-execution-and-XML-Entity-Expansion-injection/ba-p/6403370 • CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2017-14868
https://notcve.org/view.php?id=CVE-2017-14868
Restlet Framework before 2.3.11, when using SimpleXMLProvider, allows remote attackers to access arbitrary files via an XXE attack in a REST API HTTP request. This affects use of the Jax-rs extension. Las versiones anteriores a la 2.3.11 de Restlet Framework, al emplear SimpleXMLProvider, permiten que atacantes remotos acedan a archivos arbitrarios mediante un ataque de XXE en una petición HTTP de la API REST. Esto afecta al uso de la extensión Jax-rs. • https://github.com/restlet/restlet-framework-java/issues/1286 https://github.com/restlet/restlet-framework-java/wiki/XEE-security-enhancements https://lgtm.com/blog/restlet_CVE-2017-14868 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 1CVE-2017-14949
https://notcve.org/view.php?id=CVE-2017-14949
Restlet Framework before 2.3.12 allows remote attackers to access arbitrary files via a crafted REST API HTTP request that conducts an XXE attack, because only general external entities (not parameter external entities) are properly considered. This is related to XmlRepresentation, DOMRepresentation, SaxRepresentation, and JacksonRepresentation. Las versiones anteriores a la 2.3.12 de Restlet Framework permiten que atacantes remotos accedan a archivos arbitrarios mediante una petición HTTP de la API REST que lleva a cabo un ataque XXE. Esto se debe a que solo las entidades externas (no entidades externas de parámetro) se consideran debidamente. Esto se relaciona con XmlRepresentation, DOMRepresentation, SaxRepresentation y JacksonRepresentation. • https://github.com/restlet/restlet-framework-java/wiki/XEE-security-enhancements https://lgtm.com/blog/restlet_CVE-2017-14949 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 5.0EPSS: 0%CPEs: 13EXPL: 0CVE-2014-1868
https://notcve.org/view.php?id=CVE-2014-1868
Restlet Framework 2.1.x before 2.1.7 and 2.x.x before 2.2 RC1, when using XMLRepresentation or XML serializers, allows attackers to cause a denial of service via an XML Entity Expansion (XEE) attack. Restlet Framework 2.1.x anterior a 2.1.7 y 2.x.x anterior a 2.2 RC1, cuando utiliza los serializadores XMLRepresentation o XML, permite a atacantes causar una denegación de servicio a través de un ataque de la expansión de la entidad XML (XEE). • http://secunia.com/advisories/56940 https://exchange.xforce.ibmcloud.com/vulnerabilities/91181 https://github.com/restlet/restlet-framework-java/wiki/XEE-security-enhancements •
CVSS: 7.5EPSS: 1%CPEs: 16EXPL: 0CVE-2013-4221 – Restlet: remote code execution due to insecure XML deserialization
https://notcve.org/view.php?id=CVE-2013-4221
The default configuration of the ObjectRepresentation class in Restlet before 2.1.4 deserializes objects from untrusted sources using the Java XMLDecoder, which allows remote attackers to execute arbitrary Java code via crafted XML. La configuración por defecto de la clase ObjectRepresentation en Restlet anterior a la versión 2.1.4 deserializa objetos desde fuentes no confiables usando Java XMLDecoder, lo que permite a atacantes remotos ejecutar código Java arbitrario a través de XML manipulado. • http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html http://restlet.org/learn/2.1/changes http://rhn.redhat.com/errata/RHSA-2013-1410.html http://rhn.redhat.com/errata/RHSA-2013-1862.html https://bugzilla.redhat.com/show_bug.cgi?id=995275 https://github.com/restlet/restlet-framework-java/issues/774 https://access.redhat.com/security/cve/CVE-2013-4221 • CWE-16: Configuration CWE-91: XML Injection (aka Blind XPath Injection) •