CVE-2014-3490

RESTEasy: XXE via parameter entities

Severity Score

7.5

*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0, does not disable external entities when the resteasy.document.expand.entity.references parameter is set to false, which allows remote attackers to read arbitrary files and have other unspecified impact via unspecified vectors, related to an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0818.

RESTEasy 2.3.1 anterior a 2.3.8.SP2 y 3.x anterior a 3.0.9, utilizado en Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0, no deshabilita entidades externas cuando el parámetro resteasy.document.expand.entity.references está configurado en falso, lo que permite a atacantes remotos leer ficheros arbitrarios y tener otro impacto no especificado a través de vectores no especificados, relacionado con un problema de entidad externa XML (XXE). NOTA: este vulnerabilidad existe debido a una solución incompleta para el CVE-2012-0818.

It was found that the fix for CVE-2012-0818 was incomplete: external parameter entities were not disabled when the resteasy.document.expand.entity.references parameter was set to false. A remote attacker able to send XML requests to a RESTEasy endpoint could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2014-05-14 CVE Reserved
2014-08-07 CVE Published
2024-03-31 EPSS Updated
2024-08-06 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-611: Improper Restriction of XML External Entity Reference

CAPEC

References (16)

URL	Tag	Source
http://secunia.com/advisories/60019	Third Party Advisory
http://www.securityfocus.com/bid/69058	Third Party Advisory
https://github.com/resteasy/Resteasy/pull/521	Third Party Advisory
https://github.com/resteasy/Resteasy/pull/533	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html	2019-03-21
https://github.com/ronsigal/Resteasy/commit/9b7d0f574cafdcf3bea5428f3145ab4908fc6d83	2019-03-21

URL	Date	SRC
http://rhn.redhat.com/errata/RHSA-2014-1011.html	2019-03-21
http://rhn.redhat.com/errata/RHSA-2014-1039.html	2019-03-21
http://rhn.redhat.com/errata/RHSA-2014-1040.html	2019-03-21
http://rhn.redhat.com/errata/RHSA-2014-1298.html	2019-03-21
http://rhn.redhat.com/errata/RHSA-2015-0125.html	2019-03-21
http://rhn.redhat.com/errata/RHSA-2015-0675.html	2019-03-21
http://rhn.redhat.com/errata/RHSA-2015-0720.html	2019-03-21
http://rhn.redhat.com/errata/RHSA-2015-0765.html	2019-03-21
https://access.redhat.com/security/cve/CVE-2014-3490	2015-05-14
https://bugzilla.redhat.com/show_bug.cgi?id=1107901	2015-05-14

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				6.3.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "6.3.0"		-		Affected
Redhat Search vendor "Redhat"		Resteasy Search vendor "Redhat" for product "Resteasy"				>= 2.3.1 <= 2.3.7.2 Search vendor "Redhat" for product "Resteasy" and version " >= 2.3.1 <= 2.3.7.2"		-		Affected
Redhat Search vendor "Redhat"		Resteasy Search vendor "Redhat" for product "Resteasy"				>= 3.0.0 < 3.0.9 Search vendor "Redhat" for product "Resteasy" and version " >= 3.0.0 < 3.0.9"		-		Affected
Redhat Search vendor "Redhat"		Resteasy Search vendor "Redhat" for product "Resteasy"				3.0 Search vendor "Redhat" for product "Resteasy" and version "3.0"		beta1		Affected
Redhat Search vendor "Redhat"		Resteasy Search vendor "Redhat" for product "Resteasy"				3.0 Search vendor "Redhat" for product "Resteasy" and version "3.0"		beta2		Affected
Redhat Search vendor "Redhat"		Resteasy Search vendor "Redhat" for product "Resteasy"				3.0 Search vendor "Redhat" for product "Resteasy" and version "3.0"		beta3		Affected
Redhat Search vendor "Redhat"		Resteasy Search vendor "Redhat" for product "Resteasy"				3.0 Search vendor "Redhat" for product "Resteasy" and version "3.0"		beta4		Affected
Redhat Search vendor "Redhat"		Resteasy Search vendor "Redhat" for product "Resteasy"				3.0 Search vendor "Redhat" for product "Resteasy" and version "3.0"		beta5		Affected
Redhat Search vendor "Redhat"		Resteasy Search vendor "Redhat" for product "Resteasy"				3.0 Search vendor "Redhat" for product "Resteasy" and version "3.0"		beta6		Affected
Redhat Search vendor "Redhat"		Resteasy Search vendor "Redhat" for product "Resteasy"				3.0 Search vendor "Redhat" for product "Resteasy" and version "3.0"		rc1		Affected