CVE-2014-3490 — Vulnetix

Try Vulnetix Request Demo

CVE-2014-3490 PUBLISHED CVSS 7.5 HIGH

Reported by redhat · Published August 19, 2014

RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0, does not disable external entities when the resteasy.document.expand.entity.references parameter is set to false, which allows remote attackers to read arbitrary files and have other unspecified impact via unspecified vectors, related to an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0818.

Risk Scores

CVSS v2.0

7.5

Affected Products

Vendor	Product	Versions
n/a	n/a	n/a
Maven	org.jboss.resteasy:resteasy-jaxb-provider	1.2.1-10.CP02_patch01, 1.2.1-10.CP02_patch01, 1.2.1-10.CP02_patch01
Maven	org.jboss.resteasy:resteasy-client	2.3.1, 2.3.1, 2.3.1
n/a	n/a	n/a, n/a, n/a

Timeline

Aug 19, 2014 CVE Published
Feb 4, 2022 EPSS Score
Mar 28, 2022 EPSS Score
May 19, 2022 EPSS Score
Jul 7, 2022 CVE Updated
Sep 1, 2022 EPSS Score
Oct 23, 2022 EPSS Score
Dec 14, 2022 EPSS Score
Feb 4, 2023 EPSS Score
Mar 7, 2023 EPSS Score
Mar 28, 2023 EPSS Score
Jul 10, 2023 EPSS Score

References

x_refsource_MISC
RHSA-2015:0765 vendor-advisoryx_refsource_REDHAT
RHSA-2015:0675 vendor-advisoryx_refsource_REDHAT
60019 third-party-advisoryx_refsource_SECUNIA
RHSA-2015:0720 vendor-advisoryx_refsource_REDHAT
x_refsource_CONFIRM
x_refsource_CONFIRM
RHSA-2014:1039 vendor-advisoryx_refsource_REDHAT
69058 vdb-entryx_refsource_BID
RHSA-2015:0125 vendor-advisoryx_refsource_REDHAT
RHSA-2014:1040 vendor-advisoryx_refsource_REDHAT
x_refsource_CONFIRM
RHSA-2014:1011 vendor-advisoryx_refsource_REDHAT
RHSA-2014:1298 vendor-advisoryx_refsource_REDHAT
https://nvd.nist.gov/vuln/detail/CVE-2014-3490 advisory
https://github.com/advisories/GHSA-qjpq-5pq3-43rr advisory
https://bugzilla.redhat.com/CVE-2014-3490 url

Open in Interactive Console →