The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 provides a number of Atom JAX-RS MessageBodyReaders. These readers use Apache Abdera Parser which expands XML entities by default which represents a major XXE risk.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| org.apache.cxf:cxf-core(Maven) | 0 | 3.0.12 | N/A |
| org.apache.cxf:cxf-core(Maven) | 3.1.0 | 3.1.9 | N/A |
CVSS Metrics
