CVE-2014-7839

DocumentProvider in RESTEasy 2.3.7 and 3.0.9 does not configure the (1) external-general-entities or (2) external-parameter-entities features, which allows remote attackers to conduct XML external entity (XXE) attacks via unspecified vectors.

Published Bysecalert@redhat.com

Published DateNov 25, 2014, 15:59

Affected Versions(1)

org.jboss.resteasy:resteasy-jaxrs(Maven)

Introduced0

Fixed3.0.11.Final

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.jboss.resteasy:resteasy-jaxrs(Maven)	0	3.0.11.Final	N/A

Weakness Type (CWE):CWE-20

CVSS Metrics

Base Score

6.4

Vector String

AV:N/AC:L/Au:N/C:P/I:N/A:P

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

NONE

Availability (A)

PARTIAL

References

Weakness Type (CWE):CWE-20

CVSS Metrics

Base Score

6.4

Vector String

AV:N/AC:L/Au:N/C:P/I:N/A:P

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

NONE

Availability (A)

PARTIAL