CVE-2014-3490 — Incorrect Privilege Assignment in Redhat Resteasy

CWE-266 — Incorrect Privilege Assignment CWE-611 — XML External Entity (XXE) Injection7 documents6 sources

Severity

7.5HIGHNVD

CNA5.0GHSA5.0OSV5.0

EPSS

4.6%

top 10.69%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Resteasy Redhat Jboss Enterprise Application Platform

Timeline

PublishedAug 19

Latest updateMay 14

Description

RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0, does not disable external entities when the resteasy.document.expand.entity.references parameter is set to false, which allows remote attackers to read arbitrary files and have other unspecified impact via unspecified vectors, related to an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0818.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages2 packages

▶NVDredhat/jboss_enterprise_application_platform6.3.0

▶NVDredhat/resteasy3.0.0 — 3.0.9+2

Patches

Patch: www.oracle.com ↗Patch: github.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

OSV

Incorrect Privilege Assignment in RESTEasy↗2022-05-14

▶

GHSA

Incorrect Privilege Assignment in RESTEasy↗2022-05-14

▶

CVEList

CVE-2014-3490: RESTEasy 2↗2014-08-19

▶

📋Vendor Advisories

Red Hat

RESTEasy: XXE via parameter entities↗2014-07-23

▶

💬Community

Bugzilla

CVE-2014-3490 RESTEasy: XXE via parameter entities [fedora-all]↗2014-08-14

▶

Bugzilla

CVE-2014-3490 RESTEasy: XXE via parameter entities↗2014-06-11

▶