ID CVE-2014-3490
Summary RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0, does not disable external entities when the resteasy.document.expand.entity.references parameter is set to false, which allows remote attackers to read arbitrary files and have other unspecified impact via unspecified vectors, related to an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0818. CWE-611: Improper Restriction of XML External Entity Reference ('XXE') (http://cwe.mitre.org/data/definitions/611.html)
References
Vulnerable Configurations
  • cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:resteasy:2.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:resteasy:2.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:resteasy:2.3.3:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:resteasy:2.3.4:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:resteasy:2.3.5:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:resteasy:2.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:resteasy:2.3.7:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:resteasy:2.3.7.1:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:resteasy:2.3.7.2:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:resteasy:3.0:beta1:*:*:*:*:*:*
  • cpe:2.3:a:redhat:resteasy:3.0:beta2:*:*:*:*:*:*
  • cpe:2.3:a:redhat:resteasy:3.0:beta3:*:*:*:*:*:*
  • cpe:2.3:a:redhat:resteasy:3.0:beta4:*:*:*:*:*:*
  • cpe:2.3:a:redhat:resteasy:3.0:beta5:*:*:*:*:*:*
  • cpe:2.3:a:redhat:resteasy:3.0:beta6:*:*:*:*:*:*
  • cpe:2.3:a:redhat:resteasy:3.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:redhat:resteasy:3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:resteasy:3.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:resteasy:3.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:resteasy:3.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:resteasy:3.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:resteasy:3.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:resteasy:3.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:resteasy:3.0.8:*:*:*:*:*:*:*
CVSS
Base: 7.5 (as of 21-03-2019 - 14:22)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: PARTIAL
  Integrity: PARTIAL
  Availability: PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
redhat via4
advisories
  • bugzilla
    id 1107901
    title CVE-2014-3490 RESTEasy: XXE via parameter entities
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 7 Client is installed
        oval oval:com.redhat.rhba:tst:20150364001
      • comment Red Hat Enterprise Linux 7 Server is installed
        oval oval:com.redhat.rhba:tst:20150364002
      • comment Red Hat Enterprise Linux 7 Workstation is installed
        oval oval:com.redhat.rhba:tst:20150364003
      • comment Red Hat Enterprise Linux 7 ComputeNode is installed
        oval oval:com.redhat.rhba:tst:20150364004
    • OR
      • AND
        • comment resteasy-base is earlier than 0:2.3.5-3.el7_0
          oval oval:com.redhat.rhsa:tst:20141011005
        • comment resteasy-base is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20141011006
      • AND
        • comment resteasy-base-atom-provider is earlier than 0:2.3.5-3.el7_0
          oval oval:com.redhat.rhsa:tst:20141011009
        • comment resteasy-base-atom-provider is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20141011010
      • AND
        • comment resteasy-base-jackson-provider is earlier than 0:2.3.5-3.el7_0
          oval oval:com.redhat.rhsa:tst:20141011017
        • comment resteasy-base-jackson-provider is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20141011018
      • AND
        • comment resteasy-base-javadoc is earlier than 0:2.3.5-3.el7_0
          oval oval:com.redhat.rhsa:tst:20141011021
        • comment resteasy-base-javadoc is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20141011022
      • AND
        • comment resteasy-base-jaxb-provider is earlier than 0:2.3.5-3.el7_0
          oval oval:com.redhat.rhsa:tst:20141011025
        • comment resteasy-base-jaxb-provider is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20141011026
      • AND
        • comment resteasy-base-jaxrs is earlier than 0:2.3.5-3.el7_0
          oval oval:com.redhat.rhsa:tst:20141011023
        • comment resteasy-base-jaxrs is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20141011024
      • AND
        • comment resteasy-base-jaxrs-all is earlier than 0:2.3.5-3.el7_0
          oval oval:com.redhat.rhsa:tst:20141011011
        • comment resteasy-base-jaxrs-all is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20141011012
      • AND
        • comment resteasy-base-jaxrs-api is earlier than 0:2.3.5-3.el7_0
          oval oval:com.redhat.rhsa:tst:20141011019
        • comment resteasy-base-jaxrs-api is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20141011020
      • AND
        • comment resteasy-base-jettison-provider is earlier than 0:2.3.5-3.el7_0
          oval oval:com.redhat.rhsa:tst:20141011013
        • comment resteasy-base-jettison-provider is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20141011014
      • AND
        • comment resteasy-base-providers-pom is earlier than 0:2.3.5-3.el7_0
          oval oval:com.redhat.rhsa:tst:20141011015
        • comment resteasy-base-providers-pom is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20141011016
      • AND
        • comment resteasy-base-tjws is earlier than 0:2.3.5-3.el7_0
          oval oval:com.redhat.rhsa:tst:20141011007
        • comment resteasy-base-tjws is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20141011008
    rhsa
    id RHSA-2014:1011
    released 2014-08-06
    severity Moderate
    title RHSA-2014:1011: resteasy-base security update (Moderate)
  • rhsa
    id RHSA-2014:1039
  • rhsa
    id RHSA-2014:1040
  • rhsa
    id RHSA-2014:1298
  • rhsa
    id RHSA-2015:0125
  • rhsa
    id RHSA-2015:0675
  • rhsa
    id RHSA-2015:0720
  • rhsa
    id RHSA-2015:0765
rpms
  • resteasy-base-0:2.3.5-3.el7_0
  • resteasy-base-atom-provider-0:2.3.5-3.el7_0
  • resteasy-base-jackson-provider-0:2.3.5-3.el7_0
  • resteasy-base-javadoc-0:2.3.5-3.el7_0
  • resteasy-base-jaxb-provider-0:2.3.5-3.el7_0
  • resteasy-base-jaxrs-0:2.3.5-3.el7_0
  • resteasy-base-jaxrs-all-0:2.3.5-3.el7_0
  • resteasy-base-jaxrs-api-0:2.3.5-3.el7_0
  • resteasy-base-jettison-provider-0:2.3.5-3.el7_0
  • resteasy-base-providers-pom-0:2.3.5-3.el7_0
  • resteasy-base-tjws-0:2.3.5-3.el7_0
refmap via4
bid 69058
confirm
misc https://github.com/ronsigal/Resteasy/commit/9b7d0f574cafdcf3bea5428f3145ab4908fc6d83
secunia 60019
Last major update 21-03-2019 - 14:22
Published 19-08-2014 - 18:55