Vulnerabilities related to restlet - restlet
CVE-2017-14949 (GCVE-0-2017-14949)
Vulnerability from cvelistv5
Published
2017-11-30 18:00
Modified
2024-08-05 19:42
Severity ?
CWE
  • n/a
Summary
Restlet Framework before 2.3.12 allows remote attackers to access arbitrary files via a crafted REST API HTTP request that conducts an XXE attack, because only general external entities (not parameter external entities) are properly considered. This is related to XmlRepresentation, DOMRepresentation, SaxRepresentation, and JacksonRepresentation.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T19:42:22.379Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/restlet/restlet-framework-java/wiki/XEE-security-enhancements"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://lgtm.com/blog/restlet_CVE-2017-14949"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2017-11-30T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Restlet Framework before 2.3.12 allows remote attackers to access arbitrary files via a crafted REST API HTTP request that conducts an XXE attack, because only general external entities (not parameter external entities) are properly considered. This is related to XmlRepresentation, DOMRepresentation, SaxRepresentation, and JacksonRepresentation."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-11-30T17:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/restlet/restlet-framework-java/wiki/XEE-security-enhancements"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lgtm.com/blog/restlet_CVE-2017-14949"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2017-14949",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Restlet Framework before 2.3.12 allows remote attackers to access arbitrary files via a crafted REST API HTTP request that conducts an XXE attack, because only general external entities (not parameter external entities) are properly considered. This is related to XmlRepresentation, DOMRepresentation, SaxRepresentation, and JacksonRepresentation."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/restlet/restlet-framework-java/wiki/XEE-security-enhancements",
              "refsource": "MISC",
              "url": "https://github.com/restlet/restlet-framework-java/wiki/XEE-security-enhancements"
            },
            {
              "name": "https://lgtm.com/blog/restlet_CVE-2017-14949",
              "refsource": "MISC",
              "url": "https://lgtm.com/blog/restlet_CVE-2017-14949"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2017-14949",
    "datePublished": "2017-11-30T18:00:00",
    "dateReserved": "2017-09-29T00:00:00",
    "dateUpdated": "2024-08-05T19:42:22.379Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2017-14868 (GCVE-0-2017-14868)
Vulnerability from cvelistv5
Published
2017-11-30 18:00
Modified
2024-08-05 19:42
Severity ?
CWE
  • n/a
Summary
Restlet Framework before 2.3.11, when using SimpleXMLProvider, allows remote attackers to access arbitrary files via an XXE attack in a REST API HTTP request. This affects use of the Jax-rs extension.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T19:42:21.581Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/restlet/restlet-framework-java/wiki/XEE-security-enhancements"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://lgtm.com/blog/restlet_CVE-2017-14868"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/restlet/restlet-framework-java/issues/1286"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2017-11-30T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Restlet Framework before 2.3.11, when using SimpleXMLProvider, allows remote attackers to access arbitrary files via an XXE attack in a REST API HTTP request. This affects use of the Jax-rs extension."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-11-30T17:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/restlet/restlet-framework-java/wiki/XEE-security-enhancements"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lgtm.com/blog/restlet_CVE-2017-14868"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/restlet/restlet-framework-java/issues/1286"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2017-14868",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Restlet Framework before 2.3.11, when using SimpleXMLProvider, allows remote attackers to access arbitrary files via an XXE attack in a REST API HTTP request. This affects use of the Jax-rs extension."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/restlet/restlet-framework-java/wiki/XEE-security-enhancements",
              "refsource": "MISC",
              "url": "https://github.com/restlet/restlet-framework-java/wiki/XEE-security-enhancements"
            },
            {
              "name": "https://lgtm.com/blog/restlet_CVE-2017-14868",
              "refsource": "MISC",
              "url": "https://lgtm.com/blog/restlet_CVE-2017-14868"
            },
            {
              "name": "https://github.com/restlet/restlet-framework-java/issues/1286",
              "refsource": "MISC",
              "url": "https://github.com/restlet/restlet-framework-java/issues/1286"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2017-14868",
    "datePublished": "2017-11-30T18:00:00",
    "dateReserved": "2017-09-28T00:00:00",
    "dateUpdated": "2024-08-05T19:42:21.581Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2013-4221 (GCVE-0-2013-4221)
Vulnerability from cvelistv5
Published
2013-10-10 00:00
Modified
2024-08-06 16:38
Severity ?
CWE
  • n/a
Summary
The default configuration of the ObjectRepresentation class in Restlet before 2.1.4 deserializes objects from untrusted sources using the Java XMLDecoder, which allows remote attackers to execute arbitrary Java code via crafted XML.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T16:38:01.958Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2013:1862",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2013-1862.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://restlet.org/learn/2.1/changes"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=995275"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/restlet/restlet-framework-java/issues/774"
          },
          {
            "name": "RHSA-2013:1410",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2013-1410.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2013-08-06T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The default configuration of the ObjectRepresentation class in Restlet before 2.1.4 deserializes objects from untrusted sources using the Java XMLDecoder, which allows remote attackers to execute arbitrary Java code via crafted XML."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2013-12-30T19:57:01",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2013:1862",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2013-1862.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://restlet.org/learn/2.1/changes"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=995275"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/restlet/restlet-framework-java/issues/774"
        },
        {
          "name": "RHSA-2013:1410",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2013-1410.html"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2013-4221",
    "datePublished": "2013-10-10T00:00:00",
    "dateReserved": "2013-06-12T00:00:00",
    "dateUpdated": "2024-08-06T16:38:01.958Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2013-4271 (GCVE-0-2013-4271)
Vulnerability from cvelistv5
Published
2013-10-10 00:00
Modified
2024-08-06 16:38
Severity ?
CWE
  • n/a
Summary
The default configuration of the ObjectRepresentation class in Restlet before 2.1.4 deserializes objects from untrusted sources, which allows remote attackers to execute arbitrary Java code via a serialized object, a different vulnerability than CVE-2013-4221.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T16:38:01.864Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "RHSA-2013:1862",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2013-1862.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/restlet/restlet-framework-java/issues/778"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://restlet.org/learn/2.1/changes"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=999735"
          },
          {
            "name": "RHSA-2013:1410",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2013-1410.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2013-08-21T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The default configuration of the ObjectRepresentation class in Restlet before 2.1.4 deserializes objects from untrusted sources, which allows remote attackers to execute arbitrary Java code via a serialized object, a different vulnerability than CVE-2013-4221."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2013-12-30T19:57:01",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2013:1862",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2013-1862.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/restlet/restlet-framework-java/issues/778"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://restlet.org/learn/2.1/changes"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=999735"
        },
        {
          "name": "RHSA-2013:1410",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2013-1410.html"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2013-4271",
    "datePublished": "2013-10-10T00:00:00",
    "dateReserved": "2013-06-12T00:00:00",
    "dateUpdated": "2024-08-06T16:38:01.864Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Vulnerability from fkie_nvd
Published
2013-10-10 00:55
Modified
2025-04-11 00:51
Severity ?
Summary
The default configuration of the ObjectRepresentation class in Restlet before 2.1.4 deserializes objects from untrusted sources using the Java XMLDecoder, which allows remote attackers to execute arbitrary Java code via crafted XML.



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:restlet:restlet:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9FF36E47-FB83-4EE2-A8AD-4CCB150FA05E",
              "versionEndIncluding": "2.1.3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:restlet:restlet:2.1:milestone1:*:*:*:*:*:*",
              "matchCriteriaId": "000B0109-CDC6-4CF0-8A90-F97D98BFB954",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:restlet:restlet:2.1:milestone2:*:*:*:*:*:*",
              "matchCriteriaId": "F745EEF2-7E39-414C-847F-38A276E799A5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:restlet:restlet:2.1:milestone3:*:*:*:*:*:*",
              "matchCriteriaId": "CFC3C0BC-612C-495D-8AD6-F439229F89FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:restlet:restlet:2.1:milestone4:*:*:*:*:*:*",
              "matchCriteriaId": "11E97321-A10F-418C-B6C1-DD1AD6206E36",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:restlet:restlet:2.1:milestone5:*:*:*:*:*:*",
              "matchCriteriaId": "A44C440F-E99C-46DF-9168-1A858157F4F4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:restlet:restlet:2.1:milestone6:*:*:*:*:*:*",
              "matchCriteriaId": "D4E467B9-1379-4270-8AFB-D316E27231AD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:restlet:restlet:2.1:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "7A3D4845-EE2D-4CB5-B1F2-F49C9637940F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:restlet:restlet:2.1:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "70F9C4B9-9938-43A4-8742-43DB3AD209D0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:restlet:restlet:2.1:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "B157880F-B6BF-46F4-92A5-93BC4DBDACD1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:restlet:restlet:2.1:rc4:*:*:*:*:*:*",
              "matchCriteriaId": "B8E81758-0104-4AAF-90AF-DFF634EDD812",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:restlet:restlet:2.1:rc5:*:*:*:*:*:*",
              "matchCriteriaId": "CF001292-CD53-4BDE-BF5E-874FEF1CA18C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:restlet:restlet:2.1:rc6:*:*:*:*:*:*",
              "matchCriteriaId": "6C7A833C-C531-4869-8E65-2C2A7F123C23",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:restlet:restlet:2.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "064F898B-82C8-423F-86CD-F5BBC9C8C3A0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:restlet:restlet:2.1.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "4A4FEF42-787B-433D-B0EE-5BAA68AC869A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:restlet:restlet:2.1.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "BCD71E5D-FA56-47BC-9CD3-72A7B3CDCCDA",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The default configuration of the ObjectRepresentation class in Restlet before 2.1.4 deserializes objects from untrusted sources using the Java XMLDecoder, which allows remote attackers to execute arbitrary Java code via crafted XML."
    },
    {
      "lang": "es",
      "value": "La configuraci\u00f3n por defecto de la clase ObjectRepresentation en Restlet anterior a la versi\u00f3n 2.1.4 deserializa objetos desde fuentes no confiables usando Java XMLDecoder, lo que permite a atacantes remotos ejecutar c\u00f3digo Java arbitrario a trav\u00e9s de XML manipulado."
    }
  ],
  "id": "CVE-2013-4221",
  "lastModified": "2025-04-11T00:51:21.963",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2013-10-10T00:55:14.850",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "http://restlet.org/learn/2.1/changes"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://rhn.redhat.com/errata/RHSA-2013-1410.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://rhn.redhat.com/errata/RHSA-2013-1862.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=995275"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/restlet/restlet-framework-java/issues/774"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "http://restlet.org/learn/2.1/changes"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://rhn.redhat.com/errata/RHSA-2013-1410.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://rhn.redhat.com/errata/RHSA-2013-1862.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=995275"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/restlet/restlet-framework-java/issues/774"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-16"
        },
        {
          "lang": "en",
          "value": "CWE-91"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2013-10-10 00:55
Modified
2025-04-11 00:51
Severity ?
Summary
The default configuration of the ObjectRepresentation class in Restlet before 2.1.4 deserializes objects from untrusted sources, which allows remote attackers to execute arbitrary Java code via a serialized object, a different vulnerability than CVE-2013-4221.



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:restlet:restlet:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9FF36E47-FB83-4EE2-A8AD-4CCB150FA05E",
              "versionEndIncluding": "2.1.3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:restlet:restlet:2.1:milestone1:*:*:*:*:*:*",
              "matchCriteriaId": "000B0109-CDC6-4CF0-8A90-F97D98BFB954",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:restlet:restlet:2.1:milestone2:*:*:*:*:*:*",
              "matchCriteriaId": "F745EEF2-7E39-414C-847F-38A276E799A5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:restlet:restlet:2.1:milestone3:*:*:*:*:*:*",
              "matchCriteriaId": "CFC3C0BC-612C-495D-8AD6-F439229F89FB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:restlet:restlet:2.1:milestone4:*:*:*:*:*:*",
              "matchCriteriaId": "11E97321-A10F-418C-B6C1-DD1AD6206E36",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:restlet:restlet:2.1:milestone5:*:*:*:*:*:*",
              "matchCriteriaId": "A44C440F-E99C-46DF-9168-1A858157F4F4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:restlet:restlet:2.1:milestone6:*:*:*:*:*:*",
              "matchCriteriaId": "D4E467B9-1379-4270-8AFB-D316E27231AD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:restlet:restlet:2.1:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "7A3D4845-EE2D-4CB5-B1F2-F49C9637940F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:restlet:restlet:2.1:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "70F9C4B9-9938-43A4-8742-43DB3AD209D0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:restlet:restlet:2.1:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "B157880F-B6BF-46F4-92A5-93BC4DBDACD1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:restlet:restlet:2.1:rc4:*:*:*:*:*:*",
              "matchCriteriaId": "B8E81758-0104-4AAF-90AF-DFF634EDD812",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:restlet:restlet:2.1:rc5:*:*:*:*:*:*",
              "matchCriteriaId": "CF001292-CD53-4BDE-BF5E-874FEF1CA18C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:restlet:restlet:2.1:rc6:*:*:*:*:*:*",
              "matchCriteriaId": "6C7A833C-C531-4869-8E65-2C2A7F123C23",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:restlet:restlet:2.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "064F898B-82C8-423F-86CD-F5BBC9C8C3A0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:restlet:restlet:2.1.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "4A4FEF42-787B-433D-B0EE-5BAA68AC869A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:restlet:restlet:2.1.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "BCD71E5D-FA56-47BC-9CD3-72A7B3CDCCDA",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The default configuration of the ObjectRepresentation class in Restlet before 2.1.4 deserializes objects from untrusted sources, which allows remote attackers to execute arbitrary Java code via a serialized object, a different vulnerability than CVE-2013-4221."
    },
    {
      "lang": "es",
      "value": "La configuraci\u00f3n por defecto de la clase ObjectRepresentation en Restlet anterior a la versi\u00f3n 2.1.4 deserializa objetos de fuentes no confiables, lo que permite a atacantes remotos ejecutar c\u00f3digo Java arbitrario a trav\u00e9s de objetos serializados, una vulnerabilidad diferente a CVE-2013-4221."
    }
  ],
  "id": "CVE-2013-4271",
  "lastModified": "2025-04-11T00:51:21.963",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2013-10-10T00:55:14.897",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://restlet.org/learn/2.1/changes"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://rhn.redhat.com/errata/RHSA-2013-1410.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://rhn.redhat.com/errata/RHSA-2013-1862.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=999735"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/restlet/restlet-framework-java/issues/778"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://restlet.org/learn/2.1/changes"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://rhn.redhat.com/errata/RHSA-2013-1410.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://rhn.redhat.com/errata/RHSA-2013-1862.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=999735"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/restlet/restlet-framework-java/issues/778"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2017-11-30 18:29
Modified
2025-04-20 01:37
Summary
Restlet Framework before 2.3.12 allows remote attackers to access arbitrary files via a crafted REST API HTTP request that conducts an XXE attack, because only general external entities (not parameter external entities) are properly considered. This is related to XmlRepresentation, DOMRepresentation, SaxRepresentation, and JacksonRepresentation.
Impacted products
Vendor Product Version
restlet restlet *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:restlet:restlet:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F5A418FB-877B-4517-AEF9-848443A73680",
              "versionEndExcluding": "2.3.12",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Restlet Framework before 2.3.12 allows remote attackers to access arbitrary files via a crafted REST API HTTP request that conducts an XXE attack, because only general external entities (not parameter external entities) are properly considered. This is related to XmlRepresentation, DOMRepresentation, SaxRepresentation, and JacksonRepresentation."
    },
    {
      "lang": "es",
      "value": "Las versiones anteriores a la 2.3.12 de Restlet Framework permiten que atacantes remotos accedan a archivos arbitrarios mediante una petici\u00f3n HTTP de la API REST que lleva a cabo un ataque XXE. Esto se debe a que solo las entidades externas generales (no las entidades externas de par\u00e1metro) se consideran debidamente. Esto se relaciona con XmlRepresentation, DOMRepresentation, SaxRepresentation y JacksonRepresentation."
    }
  ],
  "id": "CVE-2017-14949",
  "lastModified": "2025-04-20T01:37:25.860",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2017-11-30T18:29:00.290",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/restlet/restlet-framework-java/wiki/XEE-security-enhancements"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://lgtm.com/blog/restlet_CVE-2017-14949"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/restlet/restlet-framework-java/wiki/XEE-security-enhancements"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://lgtm.com/blog/restlet_CVE-2017-14949"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-611"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Vulnerability from fkie_nvd
Published
2017-11-30 18:29
Modified
2025-04-20 01:37
Summary
Restlet Framework before 2.3.11, when using SimpleXMLProvider, allows remote attackers to access arbitrary files via an XXE attack in a REST API HTTP request. This affects use of the Jax-rs extension.
Impacted products
Vendor Product Version
restlet restlet *



{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:restlet:restlet:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "896C5633-1671-4F2B-8B9A-469AA0AD832B",
              "versionEndExcluding": "2.3.11",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Restlet Framework before 2.3.11, when using SimpleXMLProvider, allows remote attackers to access arbitrary files via an XXE attack in a REST API HTTP request. This affects use of the Jax-rs extension."
    },
    {
      "lang": "es",
      "value": "Las versiones anteriores a la 2.3.11 de Restlet Framework, al emplear SimpleXMLProvider, permiten que atacantes remotos accedan a archivos arbitrarios mediante un ataque de XXE en una petici\u00f3n HTTP de la API REST. Esto afecta al uso de la extensi\u00f3n Jax-rs."
    }
  ],
  "id": "CVE-2017-14868",
  "lastModified": "2025-04-20T01:37:25.860",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2017-11-30T18:29:00.243",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/restlet/restlet-framework-java/issues/1286"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/restlet/restlet-framework-java/wiki/XEE-security-enhancements"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://lgtm.com/blog/restlet_CVE-2017-14868"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/restlet/restlet-framework-java/issues/1286"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/restlet/restlet-framework-java/wiki/XEE-security-enhancements"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://lgtm.com/blog/restlet_CVE-2017-14868"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-611"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}