XML External Entity (XXE) Injection Affecting resteasy-base-jackson-provider package, versions <0:2.3.5-3.el7_0


Severity

Recommended
0.0
medium
0
10

Based on CentOS security rating.

Threat Intelligence

EPSS
0.93% (84th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about XML External Entity (XXE) Injection vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-CENTOS7-RESTEASYBASEJACKSONPROVIDER-2035144
  • published26 Jul 2021
  • disclosed23 Jul 2014

Introduced: 23 Jul 2014

CVE-2014-3490  (opens in a new tab)
CWE-611  (opens in a new tab)

How to fix?

Upgrade Centos:7 resteasy-base-jackson-provider to version 0:2.3.5-3.el7_0 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream resteasy-base-jackson-provider package and not the resteasy-base-jackson-provider package as distributed by Centos. See How to fix? for Centos:7 relevant fixed versions and status.

RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0, does not disable external entities when the resteasy.document.expand.entity.references parameter is set to false, which allows remote attackers to read arbitrary files and have other unspecified impact via unspecified vectors, related to an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0818.

CVSS Scores

version 3.1