CVE-2017-14949
PUBLISHED
Restlet Framework before 2.3.12 allows remote attackers to access arbitrary files via a crafted REST API HTTP request that conducts an XXE attack, because only general external entities (not parameter external entities) are properly considered. This is related to XmlRepresentation, DOMRepresentation, SaxRepresentation, and JacksonRepresentation.
EPSS 0.32% · 55.4th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:18.04:LTS | restlet | 2.0.14+repack-0ubuntu1, 0 |
| Ubuntu:16.04:LTS | restlet | 0, 2.0.14+repack-0ubuntu1 |
Timeline
- Nov 30, 2017 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Oct 26, 2021 EPSS Score
- Feb 28, 2022 EPSS Score
- May 2, 2022 EPSS Score
- Jul 3, 2022 EPSS Score
- Sep 5, 2022 EPSS Score
- Nov 6, 2022 EPSS Score
- Jan 8, 2023 EPSS Score
- Mar 11, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2017-14949 third-party-advisory
- https://github.com/restlet/restlet-framework-java/wiki/XEE-security-enhancements third-party-advisory
- https://lgtm.com/blog/restlet_CVE-2017-14949 third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2017-14949 third-party-advisory