CVE-2012-0818

RESTEasy: XML eXternal Entity (XXE) flaw

Severity Score

5.3

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

RESTEasy before 2.3.1 allows remote attackers to read arbitrary files via an external entity reference in a DOM document, aka an XML external entity (XXE) injection attack.

RESTEasy anterior a v2.3.1 permite a atacantes remotos leer archivos de su elección a través de una referencia de entidad externa en un documento DOM, también conocido como un ataque de inyección XML de entidad externa (XXE)

Red Hat Enterprise Virtualization Manager is a visual tool for centrally managing collections of virtual machines running Red Hat Enterprise Linux and Microsoft Windows. These packages also include the Red Hat Enterprise Virtualization Manager REST API, a set of scriptable commands that give administrators the ability to perform queries and operations on Red Hat Enterprise Virtualization Manager. It was found that RESTEasy was vulnerable to XML External Entity attacks. If a remote attacker who is able to access the Red Hat Enterprise Virtualization Manager REST API submitted a request containing an external XML entity to a RESTEasy endpoint, the entity would be resolved, allowing the attacker to read files accessible to the user running the application server. This flaw affected DOM Document and JAXB input.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2012-01-19 CVE Reserved
2012-03-26 CVE Published
2024-08-06 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-611: Improper Restriction of XML External Entity Reference

CAPEC

References (23)

URL	Tag	Source
http://secunia.com/advisories/48697	Third Party Advisory
http://secunia.com/advisories/48954	Third Party Advisory
http://secunia.com/advisories/57716	Third Party Advisory
http://secunia.com/advisories/57719	Third Party Advisory
http://www.osvdb.org/78679	Vdb Entry
http://www.securityfocus.com/bid/51748	Vdb Entry
http://www.securityfocus.com/bid/51766	Vdb Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/72808	Vdb Entry

URL	Date	SRC

URL	Date	SRC
https://issues.jboss.org/browse/RESTEASY-637	2023-02-13

URL	Date	SRC
http://rhn.redhat.com/errata/RHSA-2012-0441.html	2023-02-13
http://rhn.redhat.com/errata/RHSA-2012-0519.html	2023-02-13
http://rhn.redhat.com/errata/RHSA-2012-1056.html	2023-02-13
http://rhn.redhat.com/errata/RHSA-2012-1057.html	2023-02-13
http://rhn.redhat.com/errata/RHSA-2012-1058.html	2023-02-13
http://rhn.redhat.com/errata/RHSA-2012-1059.html	2023-02-13
http://rhn.redhat.com/errata/RHSA-2012-1125.html	2023-02-13
http://rhn.redhat.com/errata/RHSA-2014-0371.html	2023-02-13
http://rhn.redhat.com/errata/RHSA-2014-0372.html	2023-02-13
http://secunia.com/advisories/47818	2023-02-13
http://secunia.com/advisories/47832	2023-02-13
http://secunia.com/advisories/50084	2023-02-13
https://bugzilla.redhat.com/show_bug.cgi?id=785631	2014-04-03
https://access.redhat.com/security/cve/CVE-2012-0818	2014-04-03

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Redhat Search vendor "Redhat"		Resteasy Search vendor "Redhat" for product "Resteasy"				<= 2.3.0 Search vendor "Redhat" for product "Resteasy" and version " <= 2.3.0"		-		Affected
Redhat Search vendor "Redhat"		Resteasy Search vendor "Redhat" for product "Resteasy"				1.0.0 Search vendor "Redhat" for product "Resteasy" and version "1.0.0"		-		Affected
Redhat Search vendor "Redhat"		Resteasy Search vendor "Redhat" for product "Resteasy"				1.0.1 Search vendor "Redhat" for product "Resteasy" and version "1.0.1"		-		Affected
Redhat Search vendor "Redhat"		Resteasy Search vendor "Redhat" for product "Resteasy"				1.0.2 Search vendor "Redhat" for product "Resteasy" and version "1.0.2"		-		Affected
Redhat Search vendor "Redhat"		Resteasy Search vendor "Redhat" for product "Resteasy"				1.1 Search vendor "Redhat" for product "Resteasy" and version "1.1"		-		Affected
Redhat Search vendor "Redhat"		Resteasy Search vendor "Redhat" for product "Resteasy"				1.2 Search vendor "Redhat" for product "Resteasy" and version "1.2"		-		Affected
Redhat Search vendor "Redhat"		Resteasy Search vendor "Redhat" for product "Resteasy"				2.0.0 Search vendor "Redhat" for product "Resteasy" and version "2.0.0"		-		Affected
Redhat Search vendor "Redhat"		Resteasy Search vendor "Redhat" for product "Resteasy"				2.0.1 Search vendor "Redhat" for product "Resteasy" and version "2.0.1"		-		Affected
Redhat Search vendor "Redhat"		Resteasy Search vendor "Redhat" for product "Resteasy"				2.1.0 Search vendor "Redhat" for product "Resteasy" and version "2.1.0"		-		Affected
Redhat Search vendor "Redhat"		Resteasy Search vendor "Redhat" for product "Resteasy"				2.2.0 Search vendor "Redhat" for product "Resteasy" and version "2.2.0"		-		Affected
Redhat Search vendor "Redhat"		Resteasy Search vendor "Redhat" for product "Resteasy"				2.2.1 Search vendor "Redhat" for product "Resteasy" and version "2.2.1"		-		Affected
Redhat Search vendor "Redhat"		Resteasy Search vendor "Redhat" for product "Resteasy"				2.2.2 Search vendor "Redhat" for product "Resteasy" and version "2.2.2"		-		Affected
Redhat Search vendor "Redhat"		Resteasy Search vendor "Redhat" for product "Resteasy"				2.2.3 Search vendor "Redhat" for product "Resteasy" and version "2.2.3"		-		Affected