CVE-2014-0170
Teiid: XML eXternal Entity (XXE) flaw in SQL/XML parsing
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Teiid before 8.4.3 and before 8.7 and Red Hat JBoss Data Virtualization 6.0.0 before patch 3 allows remote attackers to read arbitrary files via a crafted request to a REST endpoint, related to an XML External Entity (XXE) issue.
Teiid anterior a 8.4.3 y anterior a 8.7 y Red Hat JBoss Data Virtualization 6.0.0 anterior a patch 3 permiten a atacantes remotos leer ficheros arbitrarios a través de una solicitud manipulada en un endpoint REST, relacionado con un problema de entidad externa XML (XXE).
It was found that Teiid SQL/XML permitted XML eXternal Entity (XXE) attacks. If a REST endpoint was deployed, a remote attacker could submit a request containing an external XML entity that, when resolved, allowed that attacker to read files on the application server in the context of the user running that server.
Red Hat JBoss Data Virtualization is a lean data integration solution that provides easy, real-time, and unified data access across disparate sources to multiple applications and users. JBoss Data Virtualization makes data spread across physically distinct systems—such as multiple databases, XML files, and even Hadoop systems—appear as a set of tables in a local database. This roll up patch serves as a cumulative upgrade for Red Hat JBoss Data Virtualization 6.0.0. It includes various bug fixes, which are listed in the README file included with the patch files.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2013-12-03 CVE Reserved
- 2014-09-24 CVE Published
- 2024-08-06 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-611: Improper Restriction of XML External Entity Reference
CAPEC
References (7)
| URL | Tag | Source |
|---|---|---|
| http://secunia.com/advisories/61530 | Third Party Advisory | |
| http://www.securitytracker.com/id/1030886 | Vdb Entry | |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/96192 | Vdb Entry |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://issues.jboss.org/browse/TEIID-2911 | 2017-08-29 |
| URL | Date | SRC |
|---|---|---|
| http://rhn.redhat.com/errata/RHSA-2014-1284.html | 2017-08-29 | |
| https://access.redhat.com/security/cve/CVE-2014-0170 | 2014-09-23 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1085554 | 2014-09-23 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Redhat Search vendor "Redhat" | Jboss Data Virtualization Search vendor "Redhat" for product "Jboss Data Virtualization" | <= 6.0.0 Search vendor "Redhat" for product "Jboss Data Virtualization" and version " <= 6.0.0" | - |
Affected
| ||||||
| Jboss Search vendor "Jboss" | Teiid Search vendor "Jboss" for product "Teiid" | <= 8.6 Search vendor "Jboss" for product "Teiid" and version " <= 8.6" | - |
Affected
| ||||||
| Jboss Search vendor "Jboss" | Teiid Search vendor "Jboss" for product "Teiid" | 8.4 Search vendor "Jboss" for product "Teiid" and version "8.4" | - |
Affected
| ||||||