CVE-2014-0171
Odata4j: XML eXternal Entity (XXE) flaw
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits: 1
Exploited in Wild: -
Decision: -
Descriptions
XML external entity (XXE) vulnerability in StaxXMLFactoryProvider2 in Odata4j, as used in Red Hat JBoss Data Virtualization before 6.0.0 patch 4, allows remote attackers to read arbitrary files via a crafted request to a REST endpoint.
It was found that Odata4j permitted XML eXternal Entity (XXE) attacks. If a REST endpoint was deployed, a remote attacker could submit a request containing an external XML entity that, when resolved, allowed that attacker to read files on the application server in the context of the user running that server.
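To make the failure mode concrete, here is an added example (not Odata4j's own code and not the upstream patch) that shows why the description above holds: a default javax.xml.stream.XMLInputFactory, which is the kind of StAX factory a provider class like StaxXMLFactoryProvider2 hands out, resolves the external entity in a crafted OData entry and turns it into the contents of a server-local file, whereas a factory with DTD support and external-entity expansion switched off does not. The class name XxeDemo, the payload shape, and the default file path /etc/hostname are assumptions made for the demonstration; whether the real fix used exactly these two properties is not stated on this page, but they are the standard StAX hardening.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class XxeDemo {

    // Constructed payload of the kind a crafted REST request body would carry:
    // a DOCTYPE declaring an external entity that points at a file on the
    // server, referenced from inside an Atom-style <entry>. Path is illustrative.
    static String payload(String path) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE entry [<!ENTITY xxe SYSTEM \"file://" + path + "\">]>\n"
             + "<entry><content>&xxe;</content></entry>";
    }

    // Unsafe configuration: a default XMLInputFactory processes the DTD and
    // expands external entities, so &xxe; becomes the file's contents.
    static XMLInputFactory unsafeFactory() {
        return XMLInputFactory.newInstance();
    }

    // Hardened configuration: no DTD processing, no external entity expansion.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }

    // Collects the character data under <content>. Returns the expanded text
    // when the parser resolved the entity; returns null when the parser left
    // the entity unexpanded (an ENTITY_REFERENCE event) or rejected the
    // document, which is what the hardened factory does depending on the
    // StAX implementation in use. Nothing is read from disk in the null case.
    static String readContent(XMLInputFactory f, String xml) {
        XMLStreamReader r = null;
        try {
            r = f.createXMLStreamReader(new StringReader(xml));
            StringBuilder sb = new StringBuilder();
            while (r.hasNext()) {
                int ev = r.next();
                if (ev == XMLStreamConstants.ENTITY_REFERENCE) {
                    return null; // entity not expanded: blocked
                }
                if (ev == XMLStreamConstants.CHARACTERS) {
                    sb.append(r.getText());
                }
            }
            return sb.toString().trim();
        } catch (XMLStreamException e) {
            return null; // DOCTYPE/entity rejected, or the file could not be opened
        } finally {
            if (r != null) {
                try { r.close(); } catch (XMLStreamException ignored) { }
            }
        }
    }

    public static void main(String[] args) {
        String path = args.length > 0 ? args[0] : "/etc/hostname";
        String xml = payload(path);

        String leaked = readContent(unsafeFactory(), xml);
        System.out.println("default factory : "
            + (leaked == null ? "nothing read" : "leaked \"" + leaked + "\""));

        String blocked = readContent(hardenedFactory(), xml);
        System.out.println("hardened factory: "
            + (blocked == null ? "entity blocked" : "UNEXPECTED: " + blocked));
    }
}
```

Run with `java XxeDemo /path/to/readable/file`. The first line prints that file's contents, which is exactly the "read arbitrary files in the context of the user running the server" outcome the advisory describes; the second line should always report the entity as blocked. When auditing a StAX-based parser, the check is simply whether both properties are set on the factory before any createXMLStreamReader call, because the defaults are unsafe.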
CVSS Scores
SSVC
- Decision:-
Timeline
- 2013-12-03 CVE Reserved
- 2015-01-12 CVE Published
- 2024-05-21 EPSS Updated
- 2024-08-06 CVE Updated
- 2024-08-06 First Exploit
- (no date) Exploited in Wild
- (no date) KEV Due Date
CWE
- CWE-611: Improper Restriction of XML External Entity Reference
CAPEC
References (4)
URL | Date | Source
---|---|---
https://issues.jboss.org/browse/TEIID-2911 | 2024-08-06 |
http://rhn.redhat.com/errata/RHSA-2015-0034.html | 2020-03-26 |
https://access.redhat.com/security/cve/CVE-2014-0171 | 2015-01-12 |
https://bugzilla.redhat.com/show_bug.cgi?id=1085555 | 2015-01-12 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Redhat | Jboss Data Virtualization | <= 6.0.0 | - | Affected
Odata4j Project | Odata4j | - | - | Affected