CVE-2014-3530 — Sensitive Information Exposure in Redhat Jboss Enterprise Application Platform

CWE-200 — Sensitive Information Exposure CWE-611 — XML External Entity (XXE) Injection6 documents6 sources

Severity

7.5HIGHNVD

EPSS

2.1%

top 15.80%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Jboss Enterprise Application Platform

Timeline

PublishedJul 22

Latest updateMay 14

Description

The org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory method in PicketLink, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 5.2.0 and 6.2.4, expands entity references, which allows remote attackers to read arbitrary code and possibly have other unspecified impact via unspecified vectors, related to an XML External Entity (XXE) issue.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages1 packages

▶NVDredhat/jboss_enterprise_application_platform5.2.0, 6.2.4+1

🔴Vulnerability Details

OSV

XML External Entity Reference in org.picketlink:picketlink-common↗2022-05-14

▶

GHSA

XML External Entity Reference in org.picketlink:picketlink-common↗2022-05-14

▶

CVEList

CVE-2014-3530: The org↗2014-07-22

▶

📋Vendor Advisories

Red Hat

PicketLink: XXE via insecure DocumentBuilderFactory usage↗2014-07-15

▶

💬Community

Bugzilla

CVE-2014-3530 PicketLink: XXE via insecure DocumentBuilderFactory usage↗2014-06-25

▶