Vulnerability Details : CVE-2016-8739
The JAX-RS module in Apache CXF prior to 3.0.12, and 3.1.x prior to 3.1.9, provides a number of Atom JAX-RS MessageBodyReaders. These readers parse request bodies with the Apache Abdera parser, which expands XML entities by default. An attacker who can post an Atom document to such an endpoint can therefore declare an external entity in a DOCTYPE and have the server resolve it, which is a major XXE risk (local file disclosure and server-side requests from the parser). Upgrading to 3.0.12 or 3.1.9 removes the entity expansion.
Vulnerability category: XML external entity (XXE) injection
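The issue above is a parser-configuration flaw rather than a bug in any one line of code: the Atom reader hands the request body to a parser that dereferences external entities. The following is an added example, not code from Apache CXF or Abdera, that reproduces the behaviour with Python's expat binding as a stand-in for the Abdera/Axiom parser. One constructed Atom entry with a `file:///etc/passwd` entity is parsed three ways: with an entity resolver installed (the pre-fix default), with external entity references left unresolved, and with any DOCTYPE rejected outright. The `FAKE_FILES` map, the `DtdRejected` class and the `policy` names are assumptions of this example; the resolver reads from the in-memory map rather than the real file system so it runs offline.

```python
import xml.parsers.expat as expat

ATOM_NS = "http://www.w3.org/2005/Atom"

# Constructed stand-in for the server's file system: what an entity-resolving
# parser would pull in when it dereferences the SYSTEM identifier.
FAKE_FILES = {
    "file:///etc/passwd": "root:x:0:0:root:/root:/bin/bash\n",
}

# Constructed attacker payload: a syntactically valid Atom entry whose <title>
# references an external general entity declared in the internal DTD subset.
XXE_ENTRY = """<?xml version="1.0"?>
<!DOCTYPE entry [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<entry xmlns="http://www.w3.org/2005/Atom">
  <id>urn:uuid:00000000-0000-0000-0000-000000000000</id>
  <title>&xxe;</title>
</entry>
"""


class DtdRejected(ValueError):
    """Raised by the hardened reader when a request body carries a DOCTYPE."""


def parse_atom_title(doc, policy):
    """Parse an Atom entry and return (title_text, resolved_system_ids).

    policy (names are this example's own):
      "resolve-entities" -- dereference external entities (the vulnerable default)
      "ignore-entities"  -- leave external entity references unresolved
      "reject-dtd"       -- fail as soon as a DOCTYPE is seen
    """
    title_parts, in_title, resolved = [], False, []
    parser = expat.ParserCreate(namespace_separator=" ")

    def start_element(name, attrs):
        nonlocal in_title
        if name == ATOM_NS + " title":
            in_title = True

    def end_element(name):
        nonlocal in_title
        if name == ATOM_NS + " title":
            in_title = False

    def character_data(data):
        if in_title:
            title_parts.append(data)

    def external_entity_ref(context, base, system_id, public_id):
        # The unsafe behaviour: fetch the resource named by the entity and
        # splice its content into the document through a child parser that
        # inherits this parser's handlers, so it lands in the <title> text.
        resolved.append(system_id)
        child = parser.ExternalEntityParserCreate(context)
        child.Parse(FAKE_FILES.get(system_id, ""), True)
        return 1  # non-zero tells expat the reference was handled

    def start_doctype(doctype_name, system_id, public_id, has_internal_subset):
        # Hardened reader: a DOCTYPE has no business in an Atom request body.
        raise DtdRejected("DOCTYPE not allowed in request bodies")

    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = character_data
    if policy == "resolve-entities":
        parser.ExternalEntityRefHandler = external_entity_ref
    elif policy == "reject-dtd":
        parser.StartDoctypeDeclHandler = start_doctype
    elif policy != "ignore-entities":
        raise ValueError("unknown policy: " + policy)

    parser.Parse(doc, True)
    return "".join(title_parts), resolved


if __name__ == "__main__":
    print(parse_atom_title(XXE_ENTRY, "resolve-entities"))
    print(parse_atom_title(XXE_ENTRY, "ignore-entities"))
    try:
        parse_atom_title(XXE_ENTRY, "reject-dtd")
    except DtdRejected as exc:
        print("rejected:", exc)
```

With "resolve-entities" the returned title is the contents of the fake `/etc/passwd`, which is exactly what a server echoing the parsed entry (or logging a validation error containing it) would leak. Leaving external entities unresolved closes the file-read channel; rejecting DOCTYPE entirely is the stricter policy and also stops entity-expansion denial of service, which is why it is the usual choice for request-body parsers.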
Products affected by CVE-2016-8739
- cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:3.1.7:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:3.1.8:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:3.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:3.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:3.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:3.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:3.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:3.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:3.1.6:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2016-8739
2.67% (probability of exploitation activity in the next 30 days)
EPSS Score History
~85th percentile (the proportion of vulnerabilities scored at or below this value)
CVSS scores for CVE-2016-8739
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source
---|---|---|---|---|---
7.8 | HIGH | AV:N/AC:L/Au:N/C:C/I:N/A:N (CVSS v2) | 10.0 | 6.9 | NIST
7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST
CWE ids for CVE-2016-8739
- The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. Assigned by: nvd@nist.gov (Primary)
References for CVE-2016-8739
- https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3E (svn commit: r1058035 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2019-17573.txt.asc security-advisories.html - Pony Mail)
- https://access.redhat.com/errata/RHSA-2017:0868 (RHSA-2017:0868 - Security Advisory - Red Hat Customer Portal)
- https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3E (svn commit: r1055336 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2019-12423.txt.asc security-advisories.data/CVE-2019-17573.txt.asc security-advisories.htm)
- https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E (svn commit: r1073270 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2021-22696.txt.asc security-advisories.html - Pony Mail)
- https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E (svn commit: r1067927 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2020-13954.txt.asc security-advisories.html - Pony Mail)
- https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3E (svn commit: r1058573 - in /websites/production/cxf/content: cache/main.pageCache index.html security-advisories.data/CVE-2020-1954.txt.asc security-advisories.html - Pony Mail)
- http://www.securitytracker.com/id/1037544 (Apache CXF XML External Entity Processing Flaw in JAX-RS Abdera Parser Lets Remote Users Obtain Potentially Sensitive Information - SecurityTracker) [Third Party Advisory; VDB Entry]
- http://cxf.apache.org/security-advisories.data/CVE-2016-8739.txt.asc [Patch; Vendor Advisory]
- https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E (svn commit: r1075801 - in /websites/production/cxf/content: cache/main.pageCache index.html security-advisories.data/CVE-2021-30468.txt.asc security-advisories.html - Pony Mail)
- http://www.securityfocus.com/bid/97579 (Apache CXF JAX-RS CVE-2016-8739 XML External Entity Injection Vulnerability) [Third Party Advisory; VDB Entry]