CVE-2014-7839

CWE-20 — Improper Input Validation CWE-611 — XML External Entity (XXE)7 documents7 sources

Severity

6.4MEDIUM

EPSS

1.3%

top 20.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Resteasy

Timeline

PublishedNov 25

Latest updateMay 17

Description

DocumentProvider in RESTEasy 2.3.7 and 3.0.9 does not configure the (1) external-general-entities or (2) external-parameter-entities features, which allows remote attackers to conduct XML external entity (XXE) attacks via unspecified vectors.

CVSS vector

AV:N/AC:L/C:P/I:N/A:PExploitability: 10.0 | Impact: 4.9

Affected Packages2 packages

▶Mavenorg.jboss.resteasy:resteasy-jaxrs< 3.0.11.Final

▶NVDredhat/resteasy2.3.7, 3.0.9+1

🔴Vulnerability Details

OSV

XML External Entity Reference in RESTEasy↗2022-05-17

▶

GHSA

XML External Entity Reference in RESTEasy↗2022-05-17

▶

CVEList

CVE-2014-7839: DocumentProvider in RESTEasy 2↗2014-11-25

▶

📋Vendor Advisories

Red Hat

RESTeasy: External entities expanded by DocumentProvider↗2014-11-18

▶

Debian

CVE-2014-7839: resteasy - DocumentProvider in RESTEasy 2.3.7 and 3.0.9 does not configure the (1) external...↗2014

▶

💬Community

Bugzilla

CVE-2014-7839 RESTeasy: External entities expanded by DocumentProvider↗2014-11-18

▶