Vulnerability Details : CVE-2014-3490
RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0, does not disable external entities when the resteasy.document.expand.entity.references parameter is set to false, which allows remote attackers to read arbitrary files and have other unspecified impact via unspecified vectors, related to an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0818.
Vulnerability category: XML external entity (XXE) injection
Products affected by CVE-2014-3490
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:resteasy:*:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:resteasy:3.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:redhat:resteasy:3.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:redhat:resteasy:3.0:beta4:*:*:*:*:*:*
- cpe:2.3:a:redhat:resteasy:3.0:beta5:*:*:*:*:*:*
- cpe:2.3:a:redhat:resteasy:3.0:beta6:*:*:*:*:*:*
- cpe:2.3:a:redhat:resteasy:3.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:redhat:resteasy:3.0:beta2:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-3490
- EPSS score: 0.88% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~82% (the proportion of vulnerabilities that are scored at or below this value)
CVSS scores for CVE-2014-3490
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST | 
References for CVE-2014-3490
- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html (CPU Oct 2018) [Patch; Third Party Advisory]
- http://rhn.redhat.com/errata/RHSA-2014-1040.html (RHSA-2014:1040 - Security Advisory - Red Hat Customer Portal) [Third Party Advisory]
- http://rhn.redhat.com/errata/RHSA-2014-1298.html (RHSA-2014:1298 - Security Advisory - Red Hat Customer Portal) [Third Party Advisory]
- https://github.com/resteasy/Resteasy/pull/533 (RESTEASY-1073 by liweinan · Pull Request #533 · resteasy/Resteasy · GitHub) [Third Party Advisory]
- http://rhn.redhat.com/errata/RHSA-2014-1039.html (Red Hat Customer Portal) [Third Party Advisory]
- http://rhn.redhat.com/errata/RHSA-2014-1011.html (RHSA-2014:1011 - Security Advisory - Red Hat Customer Portal) [Third Party Advisory]
- http://www.securityfocus.com/bid/69058 (RESTEasy Incomplete Fix XML Entity References Information Disclosure Vulnerability) [Third Party Advisory; VDB Entry]
- http://secunia.com/advisories/60019 [Third Party Advisory]
- https://github.com/ronsigal/Resteasy/commit/9b7d0f574cafdcf3bea5428f3145ab4908fc6d83 (RESTEASY-1073: Prevent expansion of XML external parameter entities. · ronsigal/Resteasy@9b7d0f5 · GitHub) [Patch; Third Party Advisory]
- https://github.com/resteasy/Resteasy/pull/521 (master branch by ronsigal · Pull Request #521 · resteasy/Resteasy · GitHub) [Third Party Advisory]
- http://rhn.redhat.com/errata/RHSA-2015-0720.html (RHSA-2015:0720 - Security Advisory - Red Hat Customer Portal) [Third Party Advisory]
- http://rhn.redhat.com/errata/RHSA-2015-0765.html (RHSA-2015:0765 - Security Advisory - Red Hat Customer Portal) [Third Party Advisory]
- http://rhn.redhat.com/errata/RHSA-2015-0675.html (RHSA-2015:0675 - Security Advisory - Red Hat Customer Portal) [Third Party Advisory]
- http://rhn.redhat.com/errata/RHSA-2015-0125.html (Red Hat Customer Portal) [Third Party Advisory]