CVE-2016-8739

CWE-611 — XML External Entity (XXE)7 documents6 sources

Severity

7.5HIGH

EPSS

2.7%

top 14.18%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache CXF Apache Software Foundation Apache CXF

Timeline

PublishedAug 10

Latest updateMay 13

Description

The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. These readers use Apache Abdera Parser which expands XML entities by default which represents a major XXE risk.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶Mavenorg.apache.cxf:cxf-core3.1.0 — 3.1.9+1

▶NVDapache/cxf3.0.11+9

▶CVEListV5apache_software_foundation/apache_cxf3.1.x prior to 3.1.9, prior to 3.0.12+1

Patches

Patch: cxf.apache.org ↗Patch: cxf.apache.org ↗

🔴Vulnerability Details

OSV

Improper Restriction of XML External Entity Reference in Apache CXF JAX-RS↗2022-05-13

▶

GHSA

Improper Restriction of XML External Entity Reference in Apache CXF JAX-RS↗2022-05-13

▶

CVEList

CVE-2016-8739: The JAX-RS module in Apache CXF prior to 3↗2017-08-10

▶

📋Vendor Advisories

Red Hat

apache-cxf: Atom entity provider of Apache CXF JAX-RS is vulnerable to XXE↗2016-12-19

▶

💬Community

Bugzilla

CVE-2016-6812 CVE-2016-8739 cxf: various flaws [fedora-all]↗2016-12-21

▶

Bugzilla

CVE-2016-8739 apache-cxf: Atom entity provider of Apache CXF JAX-RS is vulnerable to XXE↗2016-12-21

▶