CVE-2012-0818

RESTEasy: XML eXternal Entity (XXE) flaw

Severity Score

5.3
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

RESTEasy before 2.3.1 allows remote attackers to read arbitrary files via an external entity reference in a DOM document, aka an XML external entity (XXE) injection attack.

RESTEasy before v2.3.1 allows remote attackers to read files of their choice via an external entity reference in a DOM document, also known as an XML external entity (XXE) injection attack.

Red Hat Enterprise Virtualization Manager is a visual tool for centrally managing collections of virtual machines running Red Hat Enterprise Linux and Microsoft Windows. These packages also include the Red Hat Enterprise Virtualization Manager REST API, a set of scriptable commands that give administrators the ability to perform queries and operations on Red Hat Enterprise Virtualization Manager. It was found that RESTEasy was vulnerable to XML External Entity attacks. If a remote attacker who is able to access the Red Hat Enterprise Virtualization Manager REST API submitted a request containing an external XML entity to a RESTEasy endpoint, the entity would be resolved, allowing the attacker to read files accessible to the user running the application server. This flaw affected DOM Document and JAXB input.

*Credits: N/A
CVSS Scores
CVSS v3 (base score 5.3)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: None
  • Availability: None
CVSS v2
  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: None
  • Confidentiality: Partial
  • Integrity: None
  • Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: -
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2012-01-19 CVE Reserved
  • 2012-03-26 CVE Published
  • 2024-08-06 CVE Updated
  • 2025-03-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-611: Improper Restriction of XML External Entity Reference
CAPEC
Affected Vendors, Products, and Versions
Vendor   Product   Version    Other   Status
Redhat   Resteasy  <= 2.3.0   -       Affected
Redhat   Resteasy  1.0.0      -       Affected
Redhat   Resteasy  1.0.1      -       Affected
Redhat   Resteasy  1.0.2      -       Affected
Redhat   Resteasy  1.1        -       Affected
Redhat   Resteasy  1.2        -       Affected
Redhat   Resteasy  2.0.0      -       Affected
Redhat   Resteasy  2.0.1      -       Affected
Redhat   Resteasy  2.1.0      -       Affected
Redhat   Resteasy  2.2.0      -       Affected
Redhat   Resteasy  2.2.1      -       Affected
Redhat   Resteasy  2.2.2      -       Affected
Redhat   Resteasy  2.2.3      -       Affected